Windows Security Log Event ID 4928
Operating Systems |
Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
|
Category • Subcategory | Directory Service • Directory Service Replication |
Type
|
Success
|
Corresponding events
in Windows
2003 and before |
|
4928: An Active Directory replica source naming context was established
On this page
Directory Service replication has little to no security relevance. I recommend disabling these 2 subcategories:
Directory Service Replication
Detailed Directory Service Replication
Since DCSync and DCShadow have come out I've changed my mind about the above statement. Check out this webinar AD Attack Deep Dive: Gaining Persistence using DCSync and DCShadow with Mimikatz
Free Security Log Resources by Randy
Supercharger Free Edition
Centrally manage WEC subscriptions.
Free.
An Active Directory replica source naming context was established.
Destination DRA: CN=NTDS Settings,CN=WIN-R9H529RIO4Y,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme-fr,DC=local
Source DRA: CN=NTDS Settings,CN=WIN-857ZZX6RQHL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme-fr,DC=local
Source Address: 0b63afed-1e41-43a3-8bc2-f33dc33942ea._msdcs.acme-fr.local
Naming Context: DC=acme-fr,DC=local
Options: 352
Status Code: 0
Top 10 Windows Security Events to Monitor
Free Tool for Windows Event Collection