Settings > Access Controls > Roles > winfra-admin > Scroll down to "Indexes searched by default" and add the appropriate indexes. (msad in this case)

John

Thanks! That's what I was missing. Setup is progressing past the msad error in the Check Data step now.

where do I check that setting?

Settings > Roles > "Winfra-admin" role

Yes, sorry. I should've stated the Prerequisites checks are all successful(green check marks). Also, I'm seeing no errors on the forwarders regarding the PS scripts used to collect AD info by the TA-DomainController-NT6 add on. Again, this application wias working correctly with the previous version Splunk App Windows Inf 1.0.4.

I did the below mentioned but this didn't help me. Please recommend any other solution for this!

Settings > Access Controls > Roles > winfra-admin > Scroll down to "Indexes searched by default" and add the appropriate indexes. (msad in this case)

I have all the apps installed in the correct directory on my SH (a single server used for Splunk) E:\Program Files\Splunk\etc\apps

on the SH, I have the SA-ldapsearch in the etc\apps directory. LDAP is configured with a domain admin user currently. I performed a test connection and it was successful.

I do have the same APPs installed on both Domain Controllers and one is forwarding events

Splunk_TA_windows
SplunkUniversalForwarder
TA-DNSServer-NT6
TA-DomainCOntrollerNT6

Both DCs are 64bit - one is 2012r2 the other DC that is not forwarding events is 2008R2

If you run 2012R2

Did you mean on the SH or the DCs or both?

I have neither on my DC's but the 2012 DC is forwarding while the 2008 does not appear to be forwarding events. How could I check if my second DC (2008r2) is forwarding any events at all?

Only on the DCs.

If your 2008 DC is not forwarding events make sure:

• that you have a forwarder installed on it.
• That the forwarder has the TA-DomainController-NT6 installed in it.
• That the forwarder has been configured to send data to indexers.
• That there is a clean IP connection available from DC to indexer (no firewalls blocking ports)
• That you have changed AD audit policy to log the Additional AD events that the app needs.
• That the indexer has the appropriate indexes configured on it.
• That the user account on the SH has been configured to search those indexes.

A quick search with"index=msad host=Hostname-of-DC" is a great start. If you're not seeing data, walk back through this list. It's usually network connectivity or misconfiguration (and sometimes both.)

OK, I'm still highly lost at this point. I see no TA-DomainController-NT6 available to add into my deployed apps. Nor do I see it in my list of available apps. I'm not at the console, so I might find it directly there if I can get back on the Linux console and look within the list of apps to find it, but thus far, I don't see where it is to find it from to be sure to get it deployed back to the Windows Domain Controllers.

Hi, can you show what is in your $SPLUNK_HOME/etc/deployment_apps folder on your deployment server? Is the deployment serve running on your Linux host?

Log into Splunk on the deployment server. If you put the apps in the right directory you should see them in Forwarder Management.

I definitely (now) have the Add-ons in the right path and see them below forwarder management. They are "deployed" to the Windows servers where I should be getting data from yet I am still getting the errors related to Search "sourcetype="ActiveDirectory*" | head 5" and same for sourcetype="MSAD*" | head 5

That is the same on both of the Splunk servers I'm working with (the Add-ons for Windows 2008 domain are in place, and yet we're not getting those events capture for the Windows Infrastructure App.

Next suggestion?

(And stupid question follow-up... The add-ons were originally kept below the Windows Infrastructure App. I copied them up and into the Deployment-Apps area, as I also did with the Infrastructure App. Should I not have the Infrastructure App there as an App for deployment? Should I have had just the Add-ons? Why don't the add-ons go along for the ride when the Infrastructure App is being deployed??)

So you place the TA-DomainController-NT6 folder and its contents in the $SPLUNK_HOME/etc/deployment-apps folder correct? I have not deployed any mew apps in a while but I think after that you have to run

$SPLUNK_HOME/bin/splunk reload deploy-server

This is correct. you can also restart Splunk on the deployment server.

I have checked all of the above - I have found records with the search command you provided:

sourcetype = MSAD:NT6:Replication, MSAD:NT6:Health, MSAD:NT6:DNS-Zone-Information, MSAD:NT6:SiteInfo

I just don't see any of the AD user, password and unlock events coming from this DC.

Thanks for any help

Did you make the GPO changes to have these events logged on the DC? page 35 and 36 of the install guide...

Yes the GPO settings for monitoring are in place and the same for both the DCs - One is logging events and one is not.

I used GPUPDATE /force did a GPRESULT and it audit polices are applied to this DC. Maybe I need a reboot?

Changes are only reported on the DC that made the change. These are not replicated events. That is why you collect the events in Splunk into one central location. If you want to test the auditing make sure you are connected to a specific DC and make the change. Then test that it is being logged in the event viewer.