The lastLogonTimestamp attribute is replicated across all the domain controllers in a Windows Server 2003 domain functionality level domain. It is updated for Kerberos and NTLM interactive logons.
Windows Server 2003 does NOT update the lastLogonTimestamp attribute when you perform:
Certificate mapping through Microsoft Internet Information Services (IIS).
Username and password authentication through IIS.
Microsoft .NET Passport mapping through IIS.
All Service-for-User (S4U) authentication paths.
NOTE: The DSQUERY USER DOMAINROOT -inactive weeks command uses the lastLogonTimestamp attribute.