---
title: 4928(S, F) An Active Directory replica source naming context was established. (Windows 10)
description: Describes security event 4928(S, F) An Active Directory replica source naming context was established.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4928(S, F): An Active Directory replica source naming context was established.
**Applies to**
- Windows 10
- Windows Server 2016
***Subcategory:*** [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
***Event Description:***
This event generates every time a new Active Directory replica source naming context is established.
Failure event generates if an error occurs (**Status Code** != 0).
> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
***Event XML:***
```
-
-
4928
0
0
14083
0
0x8020000000000000
227065
Security
DC01.contoso.local
-
CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local
CN=NTDS Settings,CN=WIN2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local
ddec0cff-6ceb-4a59-b13f-1724c38a0970.\_msdcs.contoso.local
DC=ForestDnsZones,DC=contoso,DC=local
368
0
```
***Required Server Roles:*** Active Directory domain controller.
***Minimum OS Version:*** Windows Server 2008.
***Event Versions:*** 0.
***Field Descriptions:***
- **Destination DRA** \[Type = UnicodeString\]: destination directory replication agent distinguished name.
> **Note** The **Directory Replication Agent (DRA)** handles replication between domain controllers. The Directory Replication Agent uses the connection objects in the topology map to find out those partners that are relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners of a domain controller when the domain controller needs to update its copy of Active Directory.
- **Source DRA** \[Type = UnicodeString\]: source directory replication agent distinguished name.
> **Note** The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas.
> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes:
> • DC - domainComponent
> • CN - commonName
> • OU - organizationalUnitName
> • O - organizationName
- **Source Address** \[Type = UnicodeString\]: DNS record of the server from which information or an update was received.
- **Naming Context** \[Type = UnicodeString\]**:** naming context to replicate.
> **Note** The Directory Tree of Active Directory tree is partitioned to allow sections to be distributed (replicated) to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a **Naming Context** also known as Directory Partition. **Naming Context** is replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree. A **Naming Context** is also called a Directory Partition.
- **Options** \[Type = UInt32\]: decimal value of [DRS Options](https://msdn.microsoft.com/en-us/library/cc228477.aspx).
- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you will receive Failure event and Status Code will not be equal to “**0**”. You can check error code meaning here:
## Security Monitoring Recommendations
For 4928(S, F): An Active Directory replica source naming context was established.
- Monitor for **Source Address** field, because the source of new replication (new DRA) must be authorized for this action. If you find any unauthorized DRA you should trigger an event.
- This event is typically used for Active Directory replication troubleshooting.