Windows Security Log Event ID 4930

Operating Systems: Windows 2008 R2 and 7; Windows 2012 R2 and 8.1; Windows 2016 and 10; Windows Server 2019 and 2022
Category: Directory Service
Subcategory: Detailed Directory Service Replication
Type: Success
Corresponding events in Windows 2003 and before:

4930: An Active Directory replica source naming context was modified


Directory Service replication has little to no security relevance. I recommend disabling these 2 subcategories:

  • Directory Service Replication
  • Detailed Directory Service Replication

Since DCSync and DCShadow have come out, I've changed my mind about the above statement. Check out this webinar: AD Attack Deep Dive: Gaining Persistence using DCSync and DCShadow with Mimikatz


Examples of 4930

An Active Directory replica source naming context was modified.

Destination DRA: CN=NTDS Settings,CN=WIN-R9H529RIO4Y,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme-fr,DC=local
Source DRA: -
Source Address: 657aa2e2-f523-48ab-b573-e32d1d27fdd0
Naming Context: DC=acme,DC=com
Options:  0
Status Code: 0
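
As an added example (not part of the original page or of any tool it mentions), this Python code parses the 4930 description text shown above into fields and checks the Destination DRA server against a domain controller inventory. The function names and the `known_dcs` inventory are assumptions made for illustration; DNs containing escaped commas are not handled.

```python
import re

# Constructed sample: the 4930 description text from the example on this page.
SAMPLE_4930 = """An Active Directory replica source naming context was modified.

Destination DRA: CN=NTDS Settings,CN=WIN-R9H529RIO4Y,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme-fr,DC=local
Source DRA: -
Source Address: 657aa2e2-f523-48ab-b573-e32d1d27fdd0
Naming Context: DC=acme,DC=com
Options:  0
Status Code: 0
"""

FIELD_RE = re.compile(r"^([A-Za-z ]+?):[ \t]*(.*)$")

def parse_4930(text):
    """Map each 'Label: value' line to a dict entry; '-' or empty becomes None."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            value = m.group(2).strip()
            fields[m.group(1).strip()] = value if value not in ("", "-") else None
    return fields

def dra_server(dn):
    """Server name from an NTDS Settings DN (the RDN after CN=NTDS Settings)."""
    # Assumption: no escaped commas in the DN.
    rdns = [r.strip() for r in dn.split(",")] if dn else []
    for i, rdn in enumerate(rdns[:-1]):
        if rdn.lower() == "cn=ntds settings" and rdns[i + 1].upper().startswith("CN="):
            return rdns[i + 1][3:]
    return None

def triage(text, known_dcs):
    """known_dcs: hypothetical inventory of DC host names, upper-cased."""
    f = parse_4930(text)
    server = dra_server(f.get("Destination DRA"))
    return {
        "destination_server": server,
        "naming_context": f.get("Naming Context"),
        "source_address": f.get("Source Address"),
        "status_ok": f.get("Status Code") == "0",
        "destination_known": server is not None and server.upper() in known_dcs,
    }
```

A record with `destination_known` set to false names a server that is missing from the inventory and is worth reviewing alongside the other replication events from the same time window.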
