4929 An Active Directory replica source naming context was removed
Written when an Active Directory replica source naming context is removed. Paired with establishment 4928, it captures the dissolution of a replication relationship between DCs.
Overview
The subcategory is Audit Detailed Directory Service Replication. It is generated when a domain controller dissolves the replication relationship for a specific naming context (directory partition) with a DC it had used as a source. There are success (S) and failure (F) variants.
How it is triggered
- When a replication relationship is dissolved due to DC demotion, topology change, site configuration change, and so on.
Security review points
- Dissolving a replication relationship is normally part of topology operations. For an unexpected dissolution, consider disruption of replication or improper detachment of a DC.
- Together with establishment 4928 and modification 4930, track replication configuration changes.
Notes for log review
- Detailed replication auditing produces high volume. Use it for investigation during topology changes rather than always-on.
- Confirm the dissolved source DC and naming context match legitimate configuration changes.
Key fields
| Field | Meaning |
|---|---|
| Source DC | The dissolved replication source |
Naming Context | The target partition |