All Apps and Add-ons

MS Windows AD Objects: How to troubleshoot "WARNING!! - No ActiveDirectory baseline (Sync) data found"?

SUCCESS - Found eventtype=msad-dc-health data
WARNING!! - No ActiveDirectory baseline (Sync) data found. Run through Deployment Steps indashboard

I have tried everything that I'm capable of to resolve this, and walked through the online guide, and the troubleshooting appendix for the MSAD objects manual and can't find where I'm not getting the AD baseline sync data from. The validation query fails. Can anyone point me in a general direction? (First time splunkbaser)

I have (2) DC's that have Win, AD, DNS, and fwdtoindexer apps deployed to them. They are both fully responsive and sending data. They are Win2k12 boxes, and my Splunk deployment is Enterprise on prem (w2k12), single box, 12c, 12gb 200+gb storage

Splunk Employee
Splunk Employee

The admon - Sync data is only collected the first iteration of the admon collection. So if you deploy the Splunk Add-On for Microsoft Active Directory, or previous TA-DomainController-... then the admon collection has already ran once. What you will need to do is remove the .ini file that is checked by the admon job for seeing if it has already ran. Below are the steps for doing this:

Note: If you have another data admon data input, then you might want to move the admon://NearestDC and admon.conf settings specified in the deployment steps to *$SPLUNK_HOME/etc/system/local** directory to ensure it takes priority.*

Not seeing admon baseline, “Sync”, data
Perform the following steps on the Splunk Universal Forwarder on the Domain Controller if you are not seeing results from the following search:
- sourcetype=ActiveDirectory admonEventType=Sync
1) On the Domain Controller with the Splunk Universal Forwarder use Windows File Explorer to navigate to the $SPLUNK_HOME\SplunkUniversalForwarder\var\lib\splunk\persistentstorage\ADMon directory.
2) Delete the ADMonitoring.ini file and the NearestDC.ini file if it exists.
3) Restart the SplunkForwarder Service.
4) Rerun the following search from the Splunk UI to verify admon baseline data is being indexed.
- sourcetype=ActiveDirectory admonEventType=Sync
5) If you are now seeing data from verification search, then go back to Step 4a and complete the AD Objects Splunk Lookup file building steps in the Build AD Lookup Lists – Main view.


I have already done that - that is Appendix C of the troubleshooting guide internal to the AD Objects app.

What I haven't deleted or seen is the ADMonitoring.ini
That was not in the directory.

0 Karma

Splunk Employee
Splunk Employee

First, the ADMonitoring.ini is incorrectly stated in the troubleshooting steps. I had this as the input in version 1.0, and didn't update the steps until the latest release.
For troubleshooting, you want to make sure that the only [admon://NearestDC] input specified is in the Splunk AddOn for Microsoft Active Directory. If you enabled the Active Directory input option during the Splunk Forwarder Installation, then remove it from the $SPLUNK_HOME/etc/apps/SplunkUniversalForwarder/local/inputs.conf file.
To see the admon://NearestDC input settings, and what directory it is set at, the run the following command from a command line in the bin directory:
splunk cmd btool inputs list admon://NearestDC --debug

This will show all the settings for the admon://NearestDC. The key pieces that you want to make sure are there are:
baseline = 1
disabled = 0
monitorSubtree = 1

0 Karma
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...