Windows Security Log Event ID 4931

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
 • Subcategory
Directory Service
 • Detailed Directory Service Replication
Type Success
Corresponding events
in Windows 2003
and before

4931: An Active Directory replica destination naming context was modified

On this page

Directory Service replication has little to no security relevance.  I recommend disabling these 2 subcategories: 

  • Directory Service Replication
  • Detailed Directory Service Replication

Since DCSync and DCShadow have come out I've changed my mind about the above statement.  Check out this webinar AD Attack Deep Dive: Gaining Persistence using DCSync and DCShadow with Mimikatz

Free Security Log Resources by Randy

Supercharger Free Edition

Centrally manage WEC subscriptions.



Examples of 4931

An Active Directory replica destination naming context was modified

Destination DRA: 657aa2e2-f523-48ab-b573-e32d1d27fdd0._msdcs.acme-fr.local
Source DRA: CN=NTDS Settings,CN=WIN-857ZZX6RQHL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme-fr,DC=local
Destination Address: -
Naming Context: DC=ForestDnsZones,DC=acme-fr,DC=local
Options:  23
Status Code: 0

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection


Additional Resources