Where do I add domain controllers in Splunk App for Windows Infrastructure?

lorder
Explorer

I installed and configured the Splunk App for Windows Infrastructure.

Along with it I installed: Splunk Add-on for PowerShell, Splunk Supporting Add-on for Active Directory (and configured it: "Connection test for default succeeded"), Splunk Add-on for Microsoft Active Directory, Splunk Add-on for Microsoft Windows DNS, Splunk Add-on for Microsoft Windows.

When I configure it and complete all the requirements, I see only one server (the Splunk server itself), but I don't see any domain controllers.

Where must I add the domain controllers?

lorder
Explorer


Splunk v6.6.0+
OK: Splunk v7.1.3 detected
OK: Key value store is enabled.

Splunk Add-on for Microsoft Windows v4.8.3 or 4.8.4
OK: Splunk Add-on for Microsoft Windows v4.8.4 detected

Splunk Supporting Add-on for Microsoft Windows Active Directory v2.1.7
OK: Splunk Supporting Add-on for Microsoft Windows Active Directory v2.1.7 detected

Users and/or groups configured with the winfra-admin user role:

0 Karma

lorder
Explorer

I think the problem is with the PowerShell module.
I have indexes (msad, perfmon, ...). I have sourcetypes (MSAD:NT6:..., Perfmon:..., ...).
And in sourcetype="Powershell:ScriptExecutionSummary" I have errors:
tcp://splunk-01:9389/ActiveDirectoryWebServices/Windows/Resource.
Exception="Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException: Не удалось найти сервер каталогов с удостоверением: "SPLUNK-01".

Splunk tries to connect to itself as a DC, but it is not a DC... How can I configure the real DC for the connection?

0 Karma

adonio
Ultra Champion

Are you bringing data from your domain controllers and other Windows hosts?

0 Karma

lorder
Explorer

Yes. But when I open predefined dashboards, such as users reports: disabled, I can't select a domain.
Or in other reports, where I must select the domain, site, controllers, these dropdowns are empty.

I think that Splunk tries to read the domain info from the Splunk server, but not from the real DC.

0 Karma