so I have it forwarding now, I was missing an inputs.conf configuration. It was out of box default, I guess.

what I do have a question is the folder structure.

My other Windows server has as custom configuration folder, that I think was pushed to it from the deployment server?

I am not really sure since we had a consultant set all this up and I haven't had any training to date.

You will likely need some training my friend. I suggest the administration course. Check here:
https://www.splunk.com/view/SP-CAAAAH9?ac=News_Feb09_EDU

the only folders that override /$SPLUNK_HOME/etc/apps/ are
$SPLUNK_HOME/etc/system/

also, there should never be a reason to touch /etc/system/default. bad things can happen if you mess up there and there's no fall back. you changed the right one in /etc/system/local. Always make changes there.

if you have conflicting configurations, it's common that there's something in /etc/system/local.

folder priority is a pretty dense topic with splunk, and depends heavily on your architecture.

Also... if you manipulated your forwarder manually, you may want to check others for a deploymentclient.conf file somewhere either in /etc/system/apps/ OR in /etc/system/local.

If you're using a DS, there is a default configuration ANY windows forwarder will pull down as soon as it connects.

I have other windows servers sending on 9997. I do have a question on which outputs.conf gets used.
I have 3 of them.

etc\apps\splunkuniversalforwarder\default
etc\system\default
etc\system\local - this is the one I changed.

where should it be?

Thanks!