4928 An Active Directory replica source naming context was established

Written when an Active Directory replica source naming context is established. It captures the establishment of replication relationships between domain controllers.

Overview

The subcategory is Audit Detailed Directory Service Replication. It is generated when a domain controller newly establishes a replication relationship for a specific naming context (a directory partition), using another DC as the replication source. There are success (S) and failure (F) variants.

How it is triggered

  • When a new replication connection is established between DCs (promotion, topology change, recovery, and so on).

Security review points

  • Replication is the mechanism that synchronizes the directory (including credentials) between DCs. A replication relationship established with a non-legitimate DC or an unexpected peer should raise suspicion of a rogue DC being added or an attempt to extract directory data.
  • DCSync (detected via 4662) abuses a replication request to a legitimate DC, whereas the 4928-family detailed replication auditing can be used to detect anomalies in the replication relationship itself. Because detailed auditing is high-volume, it is normally enabled only on selected important DCs rather than everywhere.

Notes for log review

  • Detailed directory service replication auditing produces a very high volume of events. Use it for investigation during topology changes or for limited, targeted monitoring rather than always-on collection at full volume.
  • Confirm that the established source DC and naming context match the legitimate replication topology (for example, the site links and connection objects you expect for that partition).
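The check in the last point can be automated once 4928 events are exported as XML. The script below is an added example and is not part of the original page: it compares each event's source DC and naming context against an allowlist of expected replication partners and reports any pair that is not in the topology. The field names SourceDRA, DestinationDRA and NamingContext, the XML layout, the host names and the topology itself are constructed assumptions for this example; adjust them to match your own export.

```python
"""Flag 4928 events whose replication source is not an expected partner."""
import xml.etree.ElementTree as ET

# Windows event XML namespace (standard for exported event logs).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Expected topology: naming context -> DCs allowed to be a replication source for it.
# Constructed for this example; derive the real list from your site/connection design.
EXPECTED_TOPOLOGY = {
    "DC=corp,DC=example": {"dc01.corp.example", "dc02.corp.example"},
    "CN=Configuration,DC=corp,DC=example": {"dc01.corp.example", "dc02.corp.example"},
    "CN=Schema,CN=Configuration,DC=corp,DC=example": {"dc01.corp.example"},
}

# Constructed sample events. Data element names are assumed from the 4928 layout.
SAMPLE_EVENTS = [
    # 1: legitimate partner for the domain partition
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4928</EventID><Computer>dc02.corp.example</Computer></System>
  <EventData>
    <Data Name="DestinationDRA">dc02.corp.example</Data>
    <Data Name="SourceDRA">dc01.corp.example</Data>
    <Data Name="NamingContext">DC=corp,DC=example</Data>
  </EventData>
</Event>""",
    # 2: unexpected source for the domain partition
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4928</EventID><Computer>dc02.corp.example</Computer></System>
  <EventData>
    <Data Name="DestinationDRA">dc02.corp.example</Data>
    <Data Name="SourceDRA">dc99.corp.example.</Data>
    <Data Name="NamingContext">DC=corp,DC=example</Data>
  </EventData>
</Event>""",
    # 3: a naming context that is not in the expected topology at all
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4928</EventID><Computer>dc01.corp.example</Computer></System>
  <EventData>
    <Data Name="DestinationDRA">dc01.corp.example</Data>
    <Data Name="SourceDRA">dc02.corp.example</Data>
    <Data Name="NamingContext">DC=lab,DC=example</Data>
  </EventData>
</Event>""",
    # 4: a different event ID, which the parser must ignore
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4929</EventID><Computer>dc01.corp.example</Computer></System>
  <EventData><Data Name="SourceDRA">dc02.corp.example</Data></EventData>
</Event>""",
]


def _norm_host(name):
    """Lower-case a DC name and drop a trailing DNS dot so names compare cleanly."""
    return name.strip().lower().rstrip(".")


def parse_event(xml_text):
    """Return the relevant 4928 fields, or None if the event is not a 4928."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4928":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "destination": _norm_host(data.get("DestinationDRA", "")),
        "source": _norm_host(data.get("SourceDRA", "")),
        # DNs are case-insensitive, so compare them lower-cased.
        "naming_context": data.get("NamingContext", "").strip().lower(),
    }


def find_unexpected(xml_events, topology):
    """Return (destination, source, naming_context, reason) for each event outside the topology."""
    allowed_by_nc = {nc.lower(): {_norm_host(s) for s in srcs} for nc, srcs in topology.items()}
    findings = []
    for text in xml_events:
        ev = parse_event(text)
        if ev is None:
            continue
        allowed = allowed_by_nc.get(ev["naming_context"])
        if allowed is None:
            reason = "naming context not in expected topology"
        elif ev["source"] not in allowed:
            reason = "source DC is not an expected replication partner"
        else:
            continue
        findings.append((ev["destination"], ev["source"], ev["naming_context"], reason))
    return findings


if __name__ == "__main__":
    for dest, src, nc, reason in find_unexpected(SAMPLE_EVENTS, EXPECTED_TOPOLOGY):
        print(f"{dest} <- {src} [{nc}]: {reason}")
```

In practice the allowlist is the point that needs care: build it from the replication topology you actually designed, not from what the DCs currently report, otherwise a rogue partner that is already replicating would be accepted as expected.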

Key fields

Field                         Meaning
Source Address / source DC    The replication source DC
Naming Context                The target directory partition

Glossary

  • Naming Context — a unit into which the AD directory is partitioned (domain, configuration, schema, etc.). Replication is performed per such unit.