4937 A lingering object was removed from a replica
Written when a lingering object is removed from a replica. It relates to restoring replication consistency.
Overview
The subcategory is Audit Detailed Directory Service Replication. It is generated when a lingering object (an old object that was deleted on one DC but remained on another DC whose replication had been broken for a long time) is removed from the replica.
How it is triggered
- When an old object is detected and removed during replication recovery or a consistency check.
Security review points
- This is mostly an operational event marking consistency recovery after a replication fault. That said, the fact that replication was broken for a long time can itself indicate DC isolation or a fault.
- It is worth checking whether the removed lingering objects include items such as accounts that should have been disabled.
Notes for log review
- It is a rare consistency-recovery event. It can appear after a replication fault (4935).
- If it occurs in volume, suspect prolonged replication outages or DC configuration problems.
Key fields
| Field | Meaning |
|---|---|
| Removed lingering object | The removal target |
| Naming Context | The target partition |
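
A triage sketch for the review points above, added here as an example and not taken from the original page: it groups 4937 records per DC and naming context, flags volume, checks for a preceding 4935 on the same DC, and matches removed objects against a list of accounts that should have been disabled. The record key names, the threshold, the look-back window and the sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real log data. Key names are assumptions
# modelled on this page's fields; map them from your own event export.
NC = "DC=example,DC=test"
EVENTS = [
    {"id": 4935, "time": "2024-05-01T02:00:00", "dc": "DC02", "nc": NC, "obj": None},
    {"id": 4937, "time": "2024-05-01T09:00:00", "dc": "DC02", "nc": NC,
     "obj": "CN=jdoe,OU=Staff," + NC},
    {"id": 4937, "time": "2024-05-01T09:00:05", "dc": "DC02", "nc": NC,
     "obj": "CN=PRN-OLD,OU=Printers," + NC},
    {"id": 4937, "time": "2024-05-01T09:00:09", "dc": "DC02", "nc": NC,
     "obj": "CN=tmp-svc,OU=Service," + NC},
    {"id": 4937, "time": "2024-05-03T11:30:00", "dc": "DC03", "nc": NC,
     "obj": "CN=WS-114,OU=Computers," + NC},
]
VOLUME_THRESHOLD = 3          # assumed: removals per DC/partition that count as "volume"
LOOKBACK = timedelta(days=1)  # assumed: window in which a prior 4935 is considered related


def review_4937(events, should_be_disabled):
    """Summarise 4937 removals per (DC, naming context) for manual review."""
    watch = {dn.lower() for dn in should_be_disabled}
    failures = defaultdict(list)   # dc -> times of 4935 events
    removals = defaultdict(list)   # (dc, nc) -> [(time, removed object)]
    for e in events:
        when = datetime.fromisoformat(e["time"])
        if e["id"] == 4935:
            failures[e["dc"]].append(when)
        elif e["id"] == 4937:
            removals[(e["dc"], e["nc"])].append((when, e["obj"]))
    findings = []
    for (dc, nc), items in sorted(removals.items()):
        first = min(when for when, _ in items)
        findings.append({
            "dc": dc, "naming_context": nc, "count": len(items),
            "high_volume": len(items) >= VOLUME_THRESHOLD,
            # A 4935 on the same DC shortly before the first removal
            "after_4935": any(first - LOOKBACK <= f <= first for f in failures[dc]),
            # Removed objects that match accounts expected to be disabled
            "watchlist_hits": sorted(o for _, o in items if o.lower() in watch),
        })
    return findings


if __name__ == "__main__":
    for row in review_4937(EVENTS, ["CN=jdoe,OU=Staff," + NC]):
        print(row)
```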