Install the Splunk Add-on for Microsoft Active Directory
- Get the Splunk Add-on for Microsoft Active Directory by downloading it from https://splunkbase.splunk.com/app/3207 or browsing to it using the app browser within Splunk Web.
- Determine where and how to install this add-on in your deployment, using the tables on this page.
- Perform any prerequisite steps before installing, if required and specified in the tables below.
- Complete your installation.
These add-ons have been specifically created for use with the Splunk Apps for Microsoft Exchange and Windows Infrastructure. There are specific installation instructions for these add-ons for use with those apps:
Splunk App for Microsoft Exchange
Splunk App for Windows Infrastructure
You can also use the add-on to collect Active Directory data outside of these apps. For best results, however, you must configure your Windows Active Directory and DNS environments for increased logging.
Use the tables below to determine where and how to install this add-on in a distributed deployment of Splunk Enterprise or any deployment for which you use forwarders to get your data in. Depending on your environment, your preferences, and the requirements of the add-on, you may need to install the add-on in multiple places.
Where to install this add-on
Unless otherwise noted, all supported add-ons can be safely installed to all tiers of a distributed Splunk platform deployment. See Where to install Splunk add-ons in Splunk Add-ons for more information.
These tables provides a reference for installing this specific add-on to a distributed deployment of Splunk Enterprise.
Splunk Add-on for Microsoft Active Directory
|Splunk platform instance type||Supported||Required||Actions required / Comments|
|Search Heads||Yes||Yes||Install this add-on to one or more search heads that are also domain controllers and where Active Directory knowledge management is required.|
|Indexers||Yes||No||Install this add-on to indexers only if they are also domain controllers and Active Directory knowledge is required. If you use a universal or light forwarder for data collection, install the add-on to your indexers.|
|Heavy Forwarders||Yes||See comments||All forwarder types are supported. The forwarder needs to be installed directly on the domain controller for Active Directory monitoring.|
Distributed deployment feature compatibility
This table provides a quick reference for the compatibility of this add-on with Splunk distributed deployment features.
|Distributed deployment feature||Supported||Comments|
|Search Head Clusters||Yes||You can install this add-on on a search head cluster for all search-time functionality, but configure inputs on forwarders to avoid duplicate data collection.
Before you install this add-on to a cluster, remove the
|Indexer Clusters||Yes||Before you install this add-on to a cluster, remove the |
|Deployment Server||Yes||Supported for deploying the configured add-on to multiple nodes. This is a Splunk best practice and the Splunk Apps for Microsoft Exchange and Windows Infrastructure use a deployment server to facilitate easier installation.|
The Splunk Add-Ons manual includes an Installing add-ons guide that helps you successfully install any Splunk-supported add-on to your Splunk platform.
For a walkthrough of the installation procedure, follow the link that matches your deployment scenario:
Hardware and software requirements for the Splunk Add-on for Microsoft Active Directory
Configure the Splunk Add-on for Microsoft Active Directory
This documentation applies to the following versions of Splunk® Add-on for Microsoft Active Directory: 1.0.0