4864 A namespace collision was detected
Written when a namespace collision is detected. In a forest trust, it captures cases where a namespace (domain name, SID, and so on) overlaps with another.
Overview
The subcategory is Audit Authentication Policy Change. It is generated when, during forest-trust processing, a domain name, UPN suffix, or SID namespace collides with an existing one. The original docs give no example.
How it is triggered
- When a namespace overlap is detected while configuring or updating a forest trust.
Security review points
- A collision is often due to configuration inconsistency, but consider the possibility that a malicious trust partner is claiming an existing domain’s namespace to hijack the authentication path (impersonation). Check it together with trust info addition/modification 4865/4867.
- For an unexpected collision, review the forest-trust configuration and the partner’s setup.
Notes for log review
- It only carries meaning in environments with forest trusts. It is a rare event.
- Check the collided namespace and the related trust to separate misconfiguration from malice.
Key fields
| Field | Meaning |
|---|---|
| Collided namespace info | The namespace where overlap was detected |
| Related trust | The forest trust involved |