All Apps and Add-ons

Question about the TA for Microsoft AD

wweiland
Contributor

I thought I read somewhere that the TA should only be installed on one of the AD server for a forest, but I can't find that statement anymore. Is this correct or should it be installed on all AD servers?

TIA

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi wweiland,
at https://docs.splunk.com/Documentation/MSApp/1.4.2/MSInfra/DeploytheSplunkAdd-onsforActiveDirectory
you can find:

Best practice: Only deploy the Splunk Add-on for Microsoft Active Directory to a select group of domain controllers Consider the number of domain controllers that you deploy the Active Directory add-ons.
Best practice recommends that only one domain controller in an Active Directory domain or forest receives the add-on, with one or two others receiving it as a backup.

Bye.
Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi wweiland,
at https://docs.splunk.com/Documentation/MSApp/1.4.2/MSInfra/DeploytheSplunkAdd-onsforActiveDirectory
you can find:

Best practice: Only deploy the Splunk Add-on for Microsoft Active Directory to a select group of domain controllers Consider the number of domain controllers that you deploy the Active Directory add-ons.
Best practice recommends that only one domain controller in an Active Directory domain or forest receives the add-on, with one or two others receiving it as a backup.

Bye.
Giuseppe

wweiland
Contributor

Perfect, thank you! I couldn't for the life of me remember where I read that. I did decide to roll out the stanzas that collected the AD logs to the other AD servers, but the stuff that grabbed topology and replication information only happens on 1.

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...