4935 Replication failure begins
Written when an Active Directory replication failure begins. Paired with the end event 4936, it brackets the interval of a replication fault.
Overview
The event belongs to the Audit Detailed Directory Service Replication subcategory. It is generated when replication enters a failure state, and it may include a failure reason code.
How it is triggered
- When replication between DCs begins failing due to a communication fault, authentication problem, topology inconsistency, and so on.
Security review points
- Most replication failures are fault-induced, but also consider the possibility of an attacker trying to isolate a DC or disrupt directory synchronization. Check the failure reason code and the DC involved.
- Because the event bears directly on availability and directory consistency, it matters operationally as well. Use it together with the end event 4936 to determine how long the fault lasted.
Notes for log review
- It appears when a fault occurs. Note persistent failures and a skew toward a specific DC or partition.
- Correlate it with failure (F) results of the sync end event 4933 to evaluate replication health.
Key fields
| Field | Meaning |
|---|---|
| Source/destination DC | The parties to the failed replication |
| Naming Context | The target partition |
| Failure reason code | The reason for the error |
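
Added example (not part of the original page): pairing each 4935 with the following 4936 for the same source DC, destination DC and naming context gives the fault duration, the faults still open, and the per-DC skew mentioned in the review notes. The record keys (`time`, `id`, `src`, `dst`, `nc`, `reason`) and all sample values are constructed assumptions for a normalized log export, not the raw event schema.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records; keys and values are hypothetical, see lead-in.
NC = "DC=example,DC=test"
EVENTS = [
    {"time": "2024-05-01T02:00:00", "id": 4935, "src": "DC1", "dst": "DC2", "nc": NC, "reason": "R1"},
    {"time": "2024-05-01T02:15:00", "id": 4936, "src": "DC1", "dst": "DC2", "nc": NC, "reason": None},
    {"time": "2024-05-01T03:00:00", "id": 4935, "src": "DC3", "dst": "DC2", "nc": NC, "reason": "R2"},
    {"time": "2024-05-01T03:10:00", "id": 4935, "src": "DC3", "dst": "DC2", "nc": NC, "reason": "R2"},
    {"time": "2024-05-01T04:00:00", "id": 4935, "src": "DC1", "dst": "DC4", "nc": NC, "reason": "R1"},
    {"time": "2024-05-01T04:00:30", "id": 4936, "src": "DC1", "dst": "DC4", "nc": NC, "reason": None},
]

def pair_failures(events):
    """Pair each 4935 with the next 4936 for the same (src, dst, nc)."""
    open_faults, closed = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["src"], ev["dst"], ev["nc"])
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4935:
            # Keep the earliest start if 4935 repeats before a 4936 arrives.
            open_faults.setdefault(key, (ts, ev.get("reason")))
        elif ev["id"] == 4936 and key in open_faults:
            start, reason = open_faults.pop(key)
            closed.append({"key": key, "reason": reason,
                           "seconds": (ts - start).total_seconds()})
    # Anything left has no matching 4936 yet: a persistent failure.
    still_open = [{"key": k, "reason": r, "since": s}
                  for k, (s, r) in open_faults.items()]
    return closed, still_open

def skew_by_dc(events):
    """Count 4935 events per destination DC to expose skew toward one DC."""
    return Counter(ev["dst"] for ev in events if ev["id"] == 4935)

if __name__ == "__main__":
    closed, still_open = pair_failures(EVENTS)
    for fault in closed:
        print("resolved", fault["key"], fault["reason"], fault["seconds"], "s")
    for fault in still_open:
        print("OPEN since", fault["since"].isoformat(), fault["key"], fault["reason"])
    print("4935 count per destination DC:", dict(skew_by_dc(EVENTS)))
```
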