Windows Security Log Event ID 4928

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
 • Subcategory
Directory Service
 • Directory Service Replication
Type Success
Corresponding events
in Windows 2003
and before

4928: An Active Directory replica source naming context was established

On this page

Directory Service replication has little to no security relevance.  I recommend disabling these 2 subcategories: 

  • Directory Service Replication
  • Detailed Directory Service Replication

Since DCSync and DCShadow have come out I've changed my mind about the above statement.  Check out this webinar AD Attack Deep Dive: Gaining Persistence using DCSync and DCShadow with Mimikatz

Free Security Log Resources by Randy

Supercharger Free Edition

Centrally manage WEC subscriptions.



Examples of 4928

An Active Directory replica source naming context was established.

Destination DRA: CN=NTDS Settings,CN=WIN-R9H529RIO4Y,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme-fr,DC=local
Source DRA: CN=NTDS Settings,CN=WIN-857ZZX6RQHL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme-fr,DC=local
Source Address: 0b63afed-1e41-43a3-8bc2-f33dc33942ea._msdcs.acme-fr.local
Naming Context: DC=acme-fr,DC=local
Options:  352
Status Code: 0

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection


Additional Resources