Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk App for Microsoft Exchange



On October 22 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of Splunk® App for Microsoft Exchange (EOL). For documentation on the most recent version, go to the latest release.

Active Directory Help

This topic discusses the various pages available under the Active Directory menu in the Splunk App for Microsoft Exchange.

You can access any of these pages by selecting the appropriate item under the Active Directory menu.

Common controls

Many of the pages in the Active Directory module of the Splunk App for Microsoft Exchange have common controls which allow you to view and filter the data that the Splunk App for Microsoft Exchange contains. Following are descriptions of these controls.

Host selection panel

The host selection panel allows you to filter information displayed in the Topology Report by entering text into the provided fields.

You can filter on the following fields:

  • Forest: Enter text here to bring up a list of forest(s). As you type, the Splunk App for Microsoft Exchange displays forests which contain the text you entered. Select the forest you want and the Splunk App for Microsoft Exchange updates the page to include only results which contain the selected forest(s).
  • Site: When you enter text here, the Splunk App for Microsoft Exchange limits results to those which contain the selected site(s).
  • Domain: When you enter text here, the Splunk App for Microsoft Exchange limits results to those which contain the selected domain(s).
  • Server: When you enter text here, the Splunk App for Microsoft Exchange limits results to those which contain the selected server(s).

Note:

  • When entering text into any of the fields, multiple valid entries can appear. You can select multiple objects at a time by holding down the Ctrl key and clicking on the desired entries.
  • Filtering is cumulative. If you enable multiple fields, only results which match all of the fields appear.
  • The fields are hierarchical. The Forest field is the highest priority, and the Server field the lowest. When you enter text into the Forest field and select a valid entry there, the Splunk App for Microsoft Exchange updates the other fields to contain only entries which are valid for the forest(s) you selected.
  • Some selection panels will have additional fields; this topic describes them in detail in the appropriate topic section.

Time range picker

Many Splunk App for Microsoft Exchange pages have a time range picker which you can use to display results that fall within a certain range of time.


Active Directory Health Overview

Topology Report

When you first open the Active Directory series of pages in the Splunk App for Microsoft Exchange, it displays the Topology Report: a view of all of the AD forests, domains, and domain controllers known to the Splunk App for Microsoft Exchange at the present time. You can return to this page at any time by selecting Active Directory > Active Directory Overview.

The Topology Report page splits into two sections, upper and lower. The upper section of the page is a selection panel which allows you to choose the forests, sites, domains, and domain controllers that the Splunk App for Microsoft Exchange knows about.

The lower section of the page displays additional information based on what you select on the upper section. It displays detailed information on the domain controllers in the selected forest and domain, and includes the following statistics:

  • The host name of the domain controller (DC).
  • The AD site that the DC belongs to.
  • The operating system and version of Windows the server runs.
  • The AD Flexible Single Master Operation (FSMO) role(s) the server holds.
  • Information on the Directory Service Agent (DSA) options available for the DC.
  • Information on the status of the AD services that the machine runs.
  • Information on whether or not the server has registered itself in DNS.
  • Information on whether or not the machine's SYSVOL share is available on the network.

In this page, icons in the "Masters Roles" column indicate the operations master roles for each server.

  • Schema Master (icon FSMOroles-S.png): The Schema Master controls all updates to the Active Directory schema, then replicates it to all other domain controllers in the forest. There can be only one Schema Master in an entire forest.
  • Domain Naming Master (icon FSMOroles-D.png): The Domain Naming Master controls the naming of all domains within the forest. It is the only domain controller that can add or remove domains from Active Directory. As such, only one Domain Naming Master can be present in a forest.
  • Relative ID Master (icon FSMOroles-R.png): The Relative ID Master domain controller maintains the relative ID (RID) resource pool and is responsible for allocating RIDs to other domain controllers within a domain when they are requested during the creation of security principal objects such as users and groups. There can be only one RID Master in a domain.
  • PDC Emulator Master (icon FSMORoles-P.png): This domain controller emulates the Primary Domain Controller (PDC) role for a domain and handles time synchronization across the domain. It also handles various PDC duties (such as password changes, account lockouts and GPO manipulation) for domains which have both Windows Server 2000 and Server 2003 domain controllers present. Only one PDC emulator can be present in a domain.
  • Infrastructure Master (icon FSMORoles-I.png): The Infrastructure Master handles updates to the security identifier (SID) and distinguished name (DN) of an object that is cross-referenced by another object in another domain. There can be only one Infrastructure Master in a domain.

The DSA options are listed as icons under the "DSA Options" column:

  • A globe indicates that the server is a Global Catalog (GC).
  • A padlock indicates that the server is a Read-only Domain Controller (RODC).

You can click on any domain controller in the list to get additional information about that domain controller. See Domain Controller status for more details.

You can limit the number of domain controller objects displayed by selecting the Show n entries list box on the left. You can also search for a specific string (such as the name of a domain controller) by typing in the string in the Search: field on the right.


Domains

Health Issues

The Health Issues page displays active problems occurring with the domain controllers within your AD. It also displays anomalous events that you should be aware of, such as reboots, problems with Knowledge Consistency Checkers (KCCs) on domain controllers, and other unexpected circumstances.

This page's selection panel allows you to filter results based on Forest, Site, Domain, and Server. You can also control how much information the app displays by selecting the time range you desire in the time range picker on the upper right side of the page.

Subnet Affinity Issues

Occasionally, a server will appear from an IP address that is not associated with a site. The Subnet Affinity Issues page provides a concise report for handling this case. When you see an IP address in this page, log on to your Forest Infrastructure Master and use the Active Directory Sites and Services tool to add the subnet and associate it with a Site. IP addresses that report more frequently are closer to the top of the list.

You can control how much information is displayed by selecting the time range you desire in the time range picker on the upper right side of the page.

Replication issues

The Active Directory Replication Health page lets you review current AD replication agreements, and the status of those agreements.

This page's selection panel allows you to filter results based on Forest, Site, Domain, and Server. You can also control how much information the app displays by selecting the time range you desire in the time range picker on the upper right side of the page.

You can change the context in which you view the replication agreements by selecting the Naming Context drop-down in the selection panel.

You can also adjust how much time is considered when constructing the reports by selecting the time range you desire in the time range picker on the upper right side of the page.

Performance

The Performance page lets you view all AD-related performance metrics across all domain controllers in your AD forest in a chart.

To view a metric, select the desired domain controller from the Server drop-down list on the top of the page. Then, select the performance Object and, finally, the desired Counter in the same fashion.

The Splunk App for Microsoft Exchange displays the chart on the lower portion of the page.

You can also adjust how much data is displayed by selecting the time range you desire in the time range picker on the upper right side of the page.


Domain Controllers

The Domain Services series of pages displays information on the selected domains, sites, and domain controllers.

Domain Status

The Domain Status page gives you information on the selected domain, including:

  • Which domain controllers in the domain hold AD operations masters roles
  • Which site(s) the domain is a part of
  • Which domain controllers control the domain

You can choose which domain you want to view by choosing it in the Domain drop-down list in the upper right side of the page.

You can click on one of the listed sites to get additional information about the site. See Site status for more information.

You can click on one of the listed domain controllers to get additional information about that controller. See DC status.

You can also adjust how much data you see by selecting the time range you desire in the time range picker.

Site Status

The Site Status page gives you information about the sites in your Active Directory forest, including:

  • A list of the domains included in the site.
  • A list of the domain controllers included in the site.
  • A list of the IP network subnets configured for the site.
  • The number and replication status of any site links between this and other AD sites.
  • The targeted and actual weighting of Active Directory-related activity across all of the domain controllers for a particular domain.

In the selection panel for this page, you can select the site you want to view by choosing it in the Site Name drop-down list. This automatically updates the Domain drop-down list next to it, which lets you select domains that are in the site you selected.

You can click on a domain in the Domains in Site list to get more information about that domain.

You can click on a domain controller in the Domain Controllers in Site list to get details about that domain controller.

You can also adjust how much data you see by selecting the time range you desire in the time range picker in the upper right side of the page.

Domain Controller Status

The Domain Controller Status page gives you information on the domain controllers in your Active Directory environment, including:

  • Information on Directory Services performance, with average values over time for important DS-related performance counters.
  • Information on replication performance.
  • Any anomalous events that you should be aware of.

In the selection panel for this page, you can select the domain controller you want to view by choosing it in the Domain Controller drop-down list.

You can click on individual counters in both the Directory Services performance and Replication Performance sections of the page to review specifics about the values returned by those objects.

You can also adjust how much data is displayed by selecting the time range you desire in the time range picker on the upper right side of the page.


DNS

The DNS series of pages displays information about the health, configuration, and performance of Active Directory DNS operations. As DNS is a vital component of Active Directory, problems displayed here might assist in the troubleshooting and analysis of Active Directory itself.

DNS Status

The DNS Status page displays an overview of current DNS operations and includes:

  • A selectable list of known DNS servers in your AD environment. This includes the server host name, the status of DNS on the server, the zones in which it participates, the OS version and service pack level, and a sparkline depicting the average number of DNS queries per second.
  • A selectable list of known DNS zones in the environment. This consists of the zone name, the servers that control the zone, the number of records in the zone and a breakdown of specific record types.
  • A list of anomalous DNS-related events that have recently occurred.

You can select a server in the DNS Servers list to get more information about that server. See DNS Server status.

You can select a zone in the DNS Zones list to get additional details about that zone. See DNS Zone Information.

You can click on an anomalous event in the Anomalous events list to get specifics about that event.

You can also adjust how much data gets displayed by selecting the time range you desire in the time range picker at the upper right side of the page.

DNS Server Status

The DNS Server Status page is similar to the Domain Controller status page described above. However, this page contains information about DNS Query Performance and Recursion Performance instead of AD Directory Services and replication performance.

In the selection panel for this page, you can select the DNS server that you want to view by choosing it in the DNS Server drop-down list.

You can click on a performance metric in either performance panel to get details about the selected metric. An Anomalous Events panel at the bottom of the page lists events that warrant further investigation.

You can also adjust how much data is displayed by selecting the time range you desire in the time range picker at the upper right side of the page.

DNS Zone Information

The DNS Zone Information page contains details about a known Active Directory DNS zone, including:

  • Important DNS zone configuration settings.
  • A list of the DNS servers that control the zone.
  • The status of replication of DNS servers that control the zone, and whether or not those servers are out of sync.

Note: You cannot change DNS settings in this page. To change DNS settings, you must use the Windows DNS configuration tool on the DNS server(s) that control the zone that you wish to change.

You can get additional information about the DNS servers that control the zone by selecting the desired server in the DNS Servers - Zone list. See DNS Server status for additional information.

You can choose which DNS Zone you want to display by selecting it in the DNS Zone: drop-down list at the top of the page.

You can also adjust how much data is displayed by selecting the time range you desire in the time range picker.

DNS Performance

The DNS Performance page lets you view specific DNS performance metrics in chart form, based on the server and performance metrics you choose in the drop-down lists in the page selection panel.

In the selection panel for this page, you can select the server whose performance metrics you want to view by choosing it in the Server drop-down list. This automatically updates the Counter drop-down list next to it, which lets you select performance metrics for the server you selected.

Each metric is overlaid with CPU performance information so that you can correlate anomalous readings with CPU usage in real time.

You can adjust how much data gets displayed by selecting the time range you desire in the time range picker on the upper right side of the page.


Users

User Overview

The Users series of pages gives you visibility into the defense mechanisms of your Active Directory operations. They provide information on logon failures, attempts to circumvent user security settings, and user utilization, and also display audits and reports on all AD objects in your environment.

Each of the User pages splits into two sections. The upper section of the page is a selection panel which allows you to choose the forests, sites, domains, and domain controllers that are known to the Splunk App for Microsoft Exchange to narrow your search. You can select multiple objects at a time. The lower portion of the page displays additional information based on what you select on the top section.

You can also control how much data gets displayed by selecting the time range you desire in the time range picker on the upper right side of the page.

User Audit

The User Audit page displays information about Active Directory user objects, and includes specifics on:

  • Active Directory record.
  • Group Membership.
  • Accounts that were locked out after failing to log on properly.
  • Failed logons by the selected user.

In this page's selection panel, you can choose the domain from which you want to display user audit data by selecting the Account Domain drop-down list. You must do so in order to get information on user account activity within the domain.

You can further narrow down your search by typing in the name of a valid user object in the User Account field. If you type in '*' (asterisk), the Splunk App for Microsoft Exchange searches against all users.

You can also control how much data gets displayed by selecting the time range you desire in the time range picker on the upper left side of the page.

Administrator Audit

The Administrator Audit page displays information about recent activity by administrators in your AD environment. The page displays the following specifics:

  • Administrator logons.
  • Attempts by administrators to unlock accounts.
  • Other administrative changes to user accounts.
  • Administrative changes to computer accounts.
  • Administrative changes to groups.
  • Administrative changes to Group Policy and Group Policy objects.
  • Additions, changes or deletions of computer accounts.

In this page's selection panel, you can choose the domain from which you want to display administrator audit data by selecting the Account Domain drop-down list. You can further narrow down your search by selecting an administrator from the Administrator drop-down list.

You can also control how much data gets displayed by selecting the time range you desire in the time range picker on the upper right side of the page.

User Record Changes

The User Record Changes page shows information about changes to user objects in the AD environment, from both a security and a directory services perspective.

This page's selection panel allows you to filter results based on Forest, Site, Domain, and Server. You can also control how much information the app displays by selecting the time range you desire in the time range picker on the upper right side of the page.

You can narrow your search by typing in the name of a user in the Account User field in the upper portion of the page.

Failed Logons

The Failed Logons page provides insight into recent failed attempts by users to log into your domain. Specific statistics include:

  • Failed logons over time.
  • Failed interactive logons by IP address.
  • Failed logons by reason (for example, expired password, locked account, or disabled account).
  • Failed interactive logons by username.
  • Failed logons by logon type.
  • Users failing to log on from multiple IPs (for example, an active attempt to break into the network).

This page's selection panel allows you to filter results based on Forest, Site, Domain, and Server. You can also control how much information the app displays by selecting the time range you desire in the time range picker on the upper right side of the page.

Anomalous Logons

Like the User Logon Failures page, the Anomalous Logons page contains information about questionable user activity on your network. It also shows the more sinister attempts to access restricted network resources. Specific statistics displayed here include:

  • Users logging on from more than one AD site
  • Users logging on from more than one workstation
  • Attempts to log on to disabled or expired accounts

This page's selection panel allows you to filter results based on Forest, Site, Domain, and Server. You can also control how much information the app displays by selecting the time range you desire in the time range picker on the upper right side of the page.
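The statistics on the Failed Logons and Anomalous Logons pages above, and the Subnet Affinity Issues report, are aggregations over Windows Security logon events. The Python below is an added example, not the app's own searches, that computes those same statistics over a few constructed 4624 (success) and 4625 (failure) events; the key=value event format, the subnet-to-site table and the accounts are constructed, and the Sub_Status code mapping assumes the NTSTATUS values Windows writes into 4625 events.

```python
"""Detection logic behind the Failed Logons / Anomalous Logons statistics,
run over constructed Windows Security logon events (4624 = success, 4625 = failure)."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed, simplified key=value event lines. Field names mirror the Windows
# Security log (Account_Name, Workstation_Name, Source_Network_Address, Sub_Status)
# but are not the app's real sourcetype fields.
SAMPLE_EVENTS = """\
EventCode=4624 Account_Name=alice Workstation_Name=WS-101 Source_Network_Address=10.1.0.23 Logon_Type=2
EventCode=4624 Account_Name=alice Workstation_Name=WS-207 Source_Network_Address=10.2.0.40 Logon_Type=2
EventCode=4625 Account_Name=bob Workstation_Name=WS-115 Source_Network_Address=10.1.0.50 Logon_Type=2 Sub_Status=0xC0000071
EventCode=4625 Account_Name=bob Workstation_Name=WS-300 Source_Network_Address=10.2.0.9 Logon_Type=3 Sub_Status=0xC000006A
EventCode=4625 Account_Name=bob Workstation_Name=LAPTOP-9 Source_Network_Address=192.168.77.5 Logon_Type=10 Sub_Status=0xC000006A
EventCode=4625 Account_Name=carol Workstation_Name=WS-120 Source_Network_Address=10.1.0.77 Logon_Type=2 Sub_Status=0xC0000072
EventCode=4625 Account_Name=dave Workstation_Name=WS-120 Source_Network_Address=10.1.0.77 Logon_Type=2 Sub_Status=0xC0000234
"""

# Constructed AD site/subnet table (what Sites and Services would hold).
SITE_SUBNETS = {"10.1.0.0/16": "HQ", "10.2.0.0/16": "Branch"}

# NTSTATUS sub-status codes Windows records in 4625 events (assumed mapping).
SUB_STATUS_REASON = {
    "0xC000006A": "bad password",
    "0xC0000071": "expired password",
    "0xC0000072": "disabled account",
    "0xC0000234": "locked account",
}

def parse_events(text):
    """Turn each non-empty key=value line into a dict."""
    return [dict(kv.split("=", 1) for kv in line.split())
            for line in text.splitlines() if line.strip()]

def site_for(ip):
    """AD site whose subnet contains ip, or None (a subnet affinity issue)."""
    addr = ip_address(ip)
    for net, site in SITE_SUBNETS.items():
        if addr in ip_network(net):
            return site
    return None

def failed_logons_by_reason(events):
    counts = Counter()
    for e in events:
        if e["EventCode"] == "4625":
            counts[SUB_STATUS_REASON.get(e.get("Sub_Status"), "other")] += 1
    return dict(counts)

def users_failing_from_multiple_ips(events, min_ips=2):
    """Accounts with failures from at least min_ips distinct source addresses."""
    ips = defaultdict(set)
    for e in events:
        if e["EventCode"] == "4625":
            ips[e["Account_Name"]].add(e["Source_Network_Address"])
    return {u: sorted(s) for u, s in ips.items() if len(s) >= min_ips}

def anomalous_logons(events):
    """Users seen on more than one site or workstation, plus disabled/expired-account attempts."""
    sites, hosts = defaultdict(set), defaultdict(set)
    for e in events:
        if e["EventCode"] == "4624":
            hosts[e["Account_Name"]].add(e["Workstation_Name"])
            sites[e["Account_Name"]].add(site_for(e["Source_Network_Address"]))
    return {
        "multi_site": sorted(u for u, s in sites.items() if len(s) > 1),
        "multi_workstation": sorted(u for u, h in hosts.items() if len(h) > 1),
        "disabled_or_expired": sorted({e["Account_Name"] for e in events
                                       if e.get("Sub_Status") in ("0xC0000072", "0xC0000071")}),
    }

def subnet_affinity_issues(events):
    """Source IPs that belong to no configured site subnet, most frequent first."""
    seen = Counter(e["Source_Network_Address"] for e in events
                   if site_for(e["Source_Network_Address"]) is None)
    return seen.most_common()

if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    print(failed_logons_by_reason(ev), users_failing_from_multiple_ips(ev))
    print(anomalous_logons(ev), subnet_affinity_issues(ev))
```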


Computers

Computer Audit

The Computer Audit page displays information about access to Active Directory from computer accounts, and includes statistics on:

  • Active Directory record.
  • Group Membership.
  • Accounts that were locked out after attempting a logon from a specific workstation.
  • Failed logons from specific computers.

In this page's selection panel, you can choose the domain from which you want to display computer audit data by selecting the Account Domain drop-down list. You must do so in order to get information on computer account activity within the domain.

You can further narrow down your search by typing in the name of a valid computer object in the Computer Account field. If you type in '*' (asterisk), the Splunk App for Microsoft Exchange searches against all computers.

You can also control how much data gets displayed by selecting the time range you desire in the time range picker on the upper left side of the page.

Computer Changes

The Computer Changes page displays information about changes to AD computer objects.

This page's selection panel allows you to filter results based on Forest, Site, Domain, and Server. You can also control how much information the app displays by selecting the time range you desire in the time range picker on the upper right side of the page.

You can narrow your search by using one of the available drop-downs to limit results based on Administrator (who made the changes) and Computer Name.


Groups

Group Audit

The Group Audit page displays information about Active Directory group objects, and includes statistics on:

  • Active Directory record.
  • A full Group Membership list.
  • Recent changes to the group membership.

In this page's selection panel, you can choose the domain from which you want to display group audit data by selecting the Account Domain drop-down list. You must do so in order to get information on group account activity within the domain.

You can further narrow down your search by typing in the name of a valid group object in the Group Name field. If you type in '*' (asterisk), the Splunk App for Microsoft Exchange searches against all groups.

You can also control how much data gets displayed by selecting the time range you desire in the time range picker on the upper left side of the page.

Group Changes

The Group Changes page shows information about changes to AD group objects, from the context of both changes to the group object itself and changes to the membership of the group.

This page's selection panel allows you to filter results based on Forest, Site, Domain, and Server. You can also control how much information the app displays by selecting the time range you desire in the time range picker on the upper right side of the page.

You can also narrow your search by using one of the available drop-downs to limit results based on:

  • Administrator (who made the changes)
  • Group
  • Group Class (Security or Distribution)
  • Group Scope (Global, Local or Universal)


Group Policy

Group Policy Audit

The Group Policy Audit page displays information about Active Directory Group Policy objects (GPOs), and includes statistics on:

  • Active Directory record.
  • Which group policy objects are linked to which containers.
  • Recent changes to group policy.

In this page's selection panel, you can choose the domain from which you want to display group policy audit data by selecting the Account Domain drop-down list. You must do so in order to get information on group policy activity within the domain.

You can further narrow down your search by typing in the name of a valid group policy object in the Group Policy Name field. If you type in '*' (asterisk), the Splunk App for Microsoft Exchange searches against all group policy objects.

You can also control how much data gets displayed by selecting the time range you desire in the time range picker on the upper left side of the page.

Group Policy Changes

The Group Policy Changes page displays information about changes to AD group policy objects (GPOs).

You can narrow your search by using one of the available drop-downs to limit results based on Administrator (who made the changes) and Group Policy Name.


Organizational Unit

Organizational Unit (OU) Audit

The OU Audit page displays information about Active Directory Organizational Units and includes statistics on the Active Directory record.

In this page's selection panel, you can choose the domain from which you want to display organizational unit audit data by selecting the Account Domain drop-down list. You must do so in order to get information on OUs within the domain.

You can further narrow down your search by typing in the name of a valid OU in the Group Policy Name field. If you type in '*' (asterisk), the Splunk App for Microsoft Exchange searches against all OUs.

You can also control how much data gets displayed by selecting the time range you desire in the time range picker on the upper left side of the page.

Last modified on 14 May, 2014

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 3.0
