I thought I read somewhere that the TA should only be installed on one of the AD server for a forest, but I can't find that statement anymore. Is this correct or should it be installed on all AD servers?
TIA
Hi wweiland,
at https://docs.splunk.com/Documentation/MSApp/1.4.2/MSInfra/DeploytheSplunkAdd-onsforActiveDirectory
you can find:
Best practice: Only deploy the Splunk Add-on for Microsoft Active Directory to a select group of domain controllers Consider the number of domain controllers that you deploy the Active Directory add-ons.
Best practice recommends that only one domain controller in an Active Directory domain or forest receives the add-on, with one or two others receiving it as a backup.
Bye.
Giuseppe
Hi wweiland,
at https://docs.splunk.com/Documentation/MSApp/1.4.2/MSInfra/DeploytheSplunkAdd-onsforActiveDirectory
you can find:
Best practice: Only deploy the Splunk Add-on for Microsoft Active Directory to a select group of domain controllers Consider the number of domain controllers that you deploy the Active Directory add-ons.
Best practice recommends that only one domain controller in an Active Directory domain or forest receives the add-on, with one or two others receiving it as a backup.
Bye.
Giuseppe
Perfect, thank you! I couldn't for the life of me remember where I read that. I did decide to roll out the stanzas that collected the AD logs to the other AD servers, but the stuff that grabbed topology and replication information only happens on 1.