4930 An Active Directory replica source naming context was modified
Written when an Active Directory replica source naming context is modified. It captures changes to the replication settings with a source.
Overview
The subcategory is Audit Detailed Directory Service Replication. It is generated when the settings for the DC used as a replication source or the naming context are changed. It is a replication configuration event alongside establishment 4928 and removal 4929.
How it is triggered
- When the source DC or target partition settings are updated due to a replication topology change.
Security review points
- It is normally part of topology operations. An unexpected change gives cause to suspect alteration of replication paths or insertion of a rogue DC.
- Track configuration changes together with establishment 4928 and removal 4929.
Notes for log review
- Detailed replication auditing produces high volume. Use it narrowed to investigation during topology changes.
- Confirm the source DC and partition after the change are consistent with the legitimate configuration.
Key fields
| Field | Meaning |
|---|---|
| Source DC | The replication source |
Naming Context | The target partition |