All Apps and Add-ons

Question about the TA for Microsoft AD

wweiland
Contributor

I thought I read somewhere that the TA should only be installed on one of the AD server for a forest, but I can't find that statement anymore. Is this correct or should it be installed on all AD servers?

TIA

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi wweiland,
at https://docs.splunk.com/Documentation/MSApp/1.4.2/MSInfra/DeploytheSplunkAdd-onsforActiveDirectory
you can find:

Best practice: Only deploy the Splunk Add-on for Microsoft Active Directory to a select group of domain controllers Consider the number of domain controllers that you deploy the Active Directory add-ons.
Best practice recommends that only one domain controller in an Active Directory domain or forest receives the add-on, with one or two others receiving it as a backup.

Bye.
Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi wweiland,
at https://docs.splunk.com/Documentation/MSApp/1.4.2/MSInfra/DeploytheSplunkAdd-onsforActiveDirectory
you can find:

Best practice: Only deploy the Splunk Add-on for Microsoft Active Directory to a select group of domain controllers Consider the number of domain controllers that you deploy the Active Directory add-ons.
Best practice recommends that only one domain controller in an Active Directory domain or forest receives the add-on, with one or two others receiving it as a backup.

Bye.
Giuseppe

View solution in original post

wweiland
Contributor

Perfect, thank you! I couldn't for the life of me remember where I read that. I did decide to roll out the stanzas that collected the AD logs to the other AD servers, but the stuff that grabbed topology and replication information only happens on 1.

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!