Windows Security Log Event ID 4931

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
 • Subcategory
Directory Service
 • Detailed Directory Service Replication
Type Success
Corresponding events
in Windows 2003
and before

4931: An Active Directory replica destination naming context was modified

On this page

Directory Service replication has little to no security relevance.  I recommend disabling these 2 subcategories: 

  • Directory Service Replication
  • Detailed Directory Service Replication

Since DCSync and DCShadow have come out I've changed my mind about the above statement.  Check out this webinar AD Attack Deep Dive: Gaining Persistence using DCSync and DCShadow with Mimikatz

Free Security Log Resources by Randy

Setup PowerShell Audit Log Forwarding in 4 Minutes


Examples of 4931

An Active Directory replica destination naming context was modified

Destination DRA: 657aa2e2-f523-48ab-b573-e32d1d27fdd0._msdcs.acme-fr.local
Source DRA: CN=NTDS Settings,CN=WIN-857ZZX6RQHL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme-fr,DC=local
Destination Address: -
Naming Context: DC=ForestDnsZones,DC=acme-fr,DC=local
Options:  23
Status Code: 0

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection


Additional Resources