
Multiple Domain Controllers Best Practices (Latest Version of Splunk)

nychawk
Communicator

Greetings;

Any suggestions for a domain with multiple domain controllers? What are the pros and cons for running a UF with add-on for Windows, and add-on for MS-AD on all vs. just my FSMO role DC? Is it best to install on all, or just my FSMO role server?

I recently changed my FSMO role server, and I am not seeing all of my data, i.e. I no longer see lockouts. (I suspect I need to flush my ADMonitoring and NearestDC.ini files, but this is only a guess).

Thank you in advance,

-mike

shogan_splunk
Splunk Employee

It is recommended to deploy the UF, and Splunk TA Windows/AD on each domain controller. Also, with at least the Windows Security Eventlog input enabled in the Splunk TA Windows. This will ensure you index all the audit events, because some are only collected locally on the authenticating DC.

As for the admon (ADMonitoring, baseline=1) input configuration in the Splunk TA for AD, you only need to have this on one DC per domain.

Hope this answers your question, let me know if it doesn't.
Thanks,
Steve
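The layout Steve describes, written out as an added example (it is not part of his answer and not a file shipped with the add-ons): two small deployment-server apps, one pushed to every domain controller and one pushed to a single DC per domain. The stanza and setting names (`WinEventLog://Security`, `admon://NearestDC`, `baseline`, `targetDc`) are the ones used in the Splunk Add-on for Microsoft Windows inputs.conf; the app names, server class names, index names and the DC hostname are placeholders you would replace with your own.

```ini
# ---------------------------------------------------------------------------
# App 1 (placeholder name dc_wineventlog_inputs)
# Deployed to EVERY domain controller, e.g. via a server class such as
# all_domain_controllers (placeholder). File path on each forwarder:
#   $SPLUNK_HOME/etc/apps/dc_wineventlog_inputs/local/inputs.conf
# Collect the Security log from each DC, because logon failures are written
# on whichever DC authenticated the request, not on one central server.
# Splunk .conf files accept comments only on their own line, never after a
# value, which is why every note here sits on a separate line.
# ---------------------------------------------------------------------------

[WinEventLog://Security]
disabled = 0
# read the whole existing log the first time, then keep tailing it
start_from = oldest
current_only = 0
checkpointInterval = 5
# XML rendering is what the current Windows TA field extractions expect
renderXml = true
# placeholder index; align it with the TA's expected index on your indexers
index = wineventlog

# ---------------------------------------------------------------------------
# App 2 (placeholder name dc_admon_input)
# Deployed to ONE domain controller per domain, via a separate server class
# such as admon_collector (placeholder) whose whitelist contains that one host.
# File path on that forwarder:
#   $SPLUNK_HOME/etc/apps/dc_admon_input/local/inputs.conf
# admon replays AD object changes and, with baseline = 1, dumps the existing
# directory once; enabling it on N DCs would index N copies of the same data.
# ---------------------------------------------------------------------------

[admon://NearestDC]
# empty targetDc lets the forwarder pick the nearest DC; set a hostname,
# e.g. dc01.corp.example (placeholder), to pin which replica is read
targetDc =
# empty startingNode means the whole forest root is monitored
startingNode =
monitorSubtree = 1
baseline = 1
disabled = 0
# placeholder index name
index = msad
```

Two practical notes on this split. Account lockout events (4740) are recorded on the PDC emulator, so when that FSMO role moves, the DC that writes them changes; because app 1 ships the Security log from every DC regardless of which roles it holds, the lockouts keep arriving without any per-host reconfiguration. And because app 2 is tied to a server class with a single host, moving the admon collector to another DC is a whitelist change on the deployment server rather than a manual edit on the box.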
