When looking at the details of objects in Exchange Management Shell, it is often useful to know when an object was created or modified. In a recent Office 365 engagement, the customer was convinced that one of the other administrators had made an unauthorised change to their environment as there was an apparent recent change to the Exchange Hybrid Object.
The details of this object can be viewed using Get-HybridConfiguration. Note that this post illustrates the discussion using the hybrid object in AD, though it will apply to other cases.
In the screenshot below, note that the yellow arrow indicates the whenChanged attribute reports a date of 3/10/2019 10:33:22 PM. This is the 10th of March 2019.
The admin did not expect this date to contain a value of 2019, as it was over a year since the Exchange Hybrid Configuration Wizard (HCW) had been executed. The HCW was last used to update the hybrid SMTP certificate. This certificate has a two year validity, so no modification to the date was expected.
Was the HCW executed without permission? Was someone going to have a meeting without coffee? Stay tuned…
This is a lab repro so that screenshots can be used. In this lab there are three domain controllers. The lab contains Exchange 2010 servers. The reason that their whenCreated dates are quite different is due to the different OS versions used by the DCs. Exchange 2010 has added support for newer versions of AD, and this is reflected in the dates below. The oldest server is Windows 2012, then 2012 R2 and finally the newest one is Windows Server 2016.
You may have noted the DCPromo date of the Windows Server 2016 DC: it is the 10th of March 2019 at 10:32:39 PM. Well, that's interesting I hear you say…
What if we take a look at how each of the DCs reports the whenChanged value of the object? Since there are three DCs in the environment, we will run the same command three times and use the -DomainController switch to interrogate them one by one.
Note that we see different timestamps on each of the DCs for the whenChanged value. The newest DC, the 2016 server, has the most recent whenChanged value, though the older two DCs also have slightly different values.
Is this some mystery with the Exchange Management Shell? Let's see what AD has to say on its own.
What ADSIEdit Saw
The object we are looking at above is located here in AD:
CN=Hybrid Configuration,CN=Hybrid Configuration,CN=TailspintoysCanada,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Tailspintoys,DC=ca
If we look at its properties in ADSIEdit we see the below:
Hmm – this timestamp is unsurprisingly the same as what we saw in the Exchange Management Shell.
Why is that…
whenChanged is not a replicated attribute. It is updated when a local write occurs, which is why you see different values on each of the domain controllers. The difference between the original two DCs is small because it is just the replication latency; both DCs were installed at that time. Many months later the Windows Server 2016 DC was installed. This server was promoted, and during the initial directory replication local copies of the existing objects were created.
From the AD Schema documentation for the When-Changed attribute:
"The date when this object was last changed. This value is not replicated and exists in the global catalog."
If you want to see more information about the object you can also use:
Repadmin.exe /ShowObjMeta:"CN=Hybrid Configuration,CN=Hybrid Configuration,CN=TailspintoysCanada,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Tailspintoys,DC=ca"
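The comparison described above can be scripted. The following is an added example, not part of the original post: it reads the local whenChanged value from every DC and sets it beside the newest originating write recorded in the object's replication metadata. It assumes the ActiveDirectory RSAT module is installed and that the account can read the Configuration partition; the variable names are illustrative.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module (RSAT) and read access to the Configuration partition.
Import-Module ActiveDirectory

# DN of the hybrid configuration object, as given in the post.
$dn = 'CN=Hybrid Configuration,CN=Hybrid Configuration,CN=TailspintoysCanada,' +
      'CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Tailspintoys,DC=ca'

# @() keeps this an array even when the domain has a single DC.
$dcs = @(Get-ADDomainController -Filter *)

# Replication metadata records the originating write for each attribute and is
# replicated, so any DC can answer. Take the most recent originating change.
$meta = Get-ADReplicationAttributeMetadata -Object $dn -Server $dcs[0].HostName
$last = $meta | Sort-Object LastOriginatingChangeTime -Descending |
        Select-Object -First 1

# whenChanged is written locally on each DC, so it has to be read per DC.
$report = foreach ($dc in $dcs) {
    $obj = Get-ADObject -Identity $dn -Server $dc.HostName -Properties whenChanged
    [pscustomobject]@{
        DomainController   = $dc.HostName
        WhenChanged        = $obj.whenChanged
        # A large lag means the local copy was written long after the real
        # change, for example during initial replication on a new DC.
        LagBehindOrigin    = $obj.whenChanged - $last.LastOriginatingChangeTime
    }
}

"Newest originating write: {0} on attribute '{1}' (version {2})" -f `
    $last.LastOriginatingChangeTime, $last.AttributeName, $last.Version
"Originating DC: $($last.LastOriginatingChangeDirectoryServerIdentity)"
$report | Sort-Object WhenChanged | Format-Table -AutoSize
```

When investigating a suspected unauthorised change, the originating change time and originating DC are the values to rely on; a whenChanged value that sits far behind them on one DC only shows when that DC wrote its local copy.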