Windows Security Log Event ID 4928
| Operating Systems |
Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
|
Category
• Subcategory | Directory Service
• Directory Service Replication |
|
Type
|
Success
|
Corresponding events
in Windows
2003
and before |
|
4928: An Active Directory replica source naming context was established
On this page
Directory Service replication has little to no security relevance. I recommend disabling these 2 subcategories:
Directory Service ReplicationDetailed Directory Service Replication
Since DCSync and DCShadow have come out I've changed my mind about the above statement. Check out this webinar AD Attack Deep Dive: Gaining Persistence using DCSync and DCShadow with Mimikatz
Free Security Log Resources by Randy
Supercharger Enterprise
An Active Directory replica source naming context was established.
Destination DRA: CN=NTDS Settings,CN=WIN-R9H529RIO4Y,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme-fr,DC=local
Source DRA: CN=NTDS Settings,CN=WIN-857ZZX6RQHL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme-fr,DC=local
Source Address: 0b63afed-1e41-43a3-8bc2-f33dc33942ea._msdcs.acme-fr.local
Naming Context: DC=acme-fr,DC=local
Options: 352
Status Code: 0
Top 10 Windows Security Events to Monitor
Free Tool for Windows Event Collection