Splunk® App for Windows Infrastructure

Deploy and Use the Splunk App for Windows Infrastructure

Download manual as PDF

This documentation does not apply to the most recent version of MSApp. Click here for the latest version.
Download topic as PDF

Active Directory Help

This topic discusses the various dashboards available under the Active Directory menu in the Splunk App for Windows Infrastructure.

Health Overview

Topology Report

When you first open the Active Directory module of the Splunk App for Windows Infrastructure, it displays the Topology Report: a view of all of the AD forests, domains, and domain controllers known to the Splunk App for Windows Infrastructure at the present time. You can return to this dashboard at any time by selecting Active Directory > Health Overview'.

The Topology Report dashboard splits into two halves, upper and lower. The upper half of the dashboard is a selection panel which allows you to choose the forests, sites, domains, and domain controllers that are known to the Splunk App for Windows Infrastructure. You can select multiple objects at a time by holding down the Ctrl key and clicking on the desired entries.

The lower half of the dashboard displays additional information based on what you select on the top half. It displays detailed information on the domain controllers in the selected forest and domain, and includes the following statistics:

  • The host name of the domain controller (DC).
  • The AD site that the DC belongs to.
  • The operating system and version of Windows the server runs.
  • The AD Flexible Single Master Operation (FSMO) role(s) the server holds.
  • Information on the Directory Service Agent (DSA) options available for the DC.
  • Information on the status of the AD services that the machine runs.
  • Information on whether or not the server has registered itself in DNS.
  • Information on whether or not the machine's SYSVOL share is available on the network.

In this dashboard, icons in the "Masters Roles" column indicate the operations master roles for each server.

Icon Role Description
FSMOroles-S.png Schema Master The Schema Master controls all updates to the Active Directory's schema, then replicates it to all other domain controllers in the forest. There can be only one Schema Master in an entire forest.
FSMOroles-D.png Domain Naming Master The Domain Naming Master controls the naming of all domains within the forest. It is the only domain controller that can add or remove domains from Active Directory. As such, only one Domain Naming Master can be present in a forest.
FSMOroles-R.png Relative ID Master The Relative ID Master domain controller maintains the relative ID (RID) resource pool and is responsible for allocating RIDs to other domain controllers within a domain when they are requested during the creation of security principle objects like users and groups. There can only be one RID Master in a domain.
FSMORoles-P.png PDC Emulator Master This domain controller emulates the Primary Domain Controller (PDC) role for a domain and handles time synchronization across the domain. It also handles various PDC duties (such as password changes, account lockouts and GPO manipulation) for domains which have both Windows Server 2000 and Server 2003 domain controllers present. Only one PDC emulator can be present in a domain.
FSMORoles-I.png Infrastructure Master The Infrastructure Master handles updates to the security identifier (SID) and distinguished name (DN) of an object that is cross-referenced by another object in another domain. There can only be one Infrastructure Master in a domain.

The DSA options are listed as icons under the "DSA Options" column:

  • A globe indicates that the server is a Global Catalog (GC).
  • A padlock indicates that the server is a Read-only Domain Controller (RODC).

You can click on any domain controller in the list to get additional information about that domain controller. See Domain Controller status for more details.

You can limit the number of domain controller objects displayed by selecting the Show n entries list box on the left. You can also search for a specific string (such as the name of a domain controller) by typing in the string in the Search: field on the right.

Operations

Domain Services

The Domain Services series of dashboards display information on the selected domains, sites, and domain controllers.

Domain Status

The Domain Status dashboard gives you information on the selected domain, including:

  • Which domain controllers in the domain hold AD operations masters roles
  • Which site(s) the domain is a part of
  • Which domain controllers control the domain

You can choose which domain you want to view by choosing it in the Domain drop-down list in the Domain Status pane of the dashboard.

You can click on one of the listed sites to get additional information about the site. See (Site status).

You can click on one of the listed domain controllers to get additional information about that controller. See DC status.

You can also adjust how much data you see by selecting the time range you desire in the time range picker.

Site Status

The Site Status dashboard gives you information about the sites in your Active Directory forest, including:

  • Information on which domain controller holds the Inter-site Topology Generator AD operations master role.
  • A list of the domains included in the site.
  • A list of the domain controllers included in the site.
  • A list of the IP network subnets configured for the site.
  • The number and replication status of any site links between this and other AD sites.
  • The targeted and actual weighting of Active Directory-related activity across all of the domain controllers for a particular domain.

In the Site Status pane of this dashboard, you can select the site you want to view by choosing it in the Site drop-down list. This automatically updates the Domain drop down list next to it, which lets you view more information about the chosen domain.

You can click on a domain in the Domains in Site list to get more information about that domain.

You can click on a domain controller in the Domain Controllers in Site list to get details about that domain controller.

You can also adjust how much data you see by selecting the time range you desire in the time range picker.

Domain Controller Status

The Domain Controller Status dashboard gives you information on the domain controllers in your Active Directory environment, including:

  • Information on Directory Services performance, with spark lines and average values over time for important DS related performance counters.
  • Information on replication performance, also with spark lines and average values over time.
  • Any anomalous events that you should be aware of.

You can click on individual counters in both the Directory Services performance and Replication Performance sections of the dashboard to review specifics about the values returned by those objects.

You can also adjust how much data is displayed by selecting the time range you desire in the time range picker.

DNS Services

The DNS Services series of dashboards displays information about the health, configuration, and performance of Active Directory DNS operations. As DNS is a vital component of Active Directory, problems displayed here might assist in the troubleshooting and analysis of Active Directory itself.

DNS Services dashboards are accessible at any time by selecting Active Directory > Operations > DNS Svcs > DNS Status.

DNS Status

The DNS Status dashboard displays an overview of current DNS operations and includes:

  • A selectable list of known DNS servers in your AD environment. This includes server host name, the status of DNS on the server, the zones in which it participates, the OS version and service pack level, and a spark line depicting the average amount of DNS queries per second.
  • A selectable list of known DNS zones in the environment. This consists of the zone name, the servers that control the zone, the number of records in the zone and a breakdown of specific record types.
  • A list of anomalous DNS related events that have recently occurred.

You can select a server in the DNS Servers list to get more information about that server. See DNS Server status.

You can select a zone in the DNS Zones list to get additional details about that zone. See DNS Zone Information.

You can click on an anomalous event in the Anomalous events list to get specifics about that event.

You can also adjust how much data is displayed by selecting the time range you desire in the time range picker at the top of the dashboard. When you click on the magnifying glass button above, you refresh the data shown in the dashboard.

DNS Server Status

The DNS Server Status dashboard is similar to the Domain Controller status dashboard described above. However, this dashboard contains information about DNS Query Performance and Recursion Performance instead of AD Directory Services and replication performance.

You can click on a performance metric in either performance pane to get details about the selected metric. An Anomalous Events pane at the bottom of the dashboard lists events that warrant further investigation.

You can also adjust how much data is displayed by selecting the time range you desire in the time range picker at the top of the dashboard.

DNS Zone Information

The DNS Zone Information dashboard contains details about a known Active Directory DNS zone, including:

  • Important DNS zone configuration settings.
  • A list of the DNS servers that control the zone.
  • The status of replication of DNS servers that control the zone, and whether or not those servers are out of sync.

Note: You cannot change DNS settings in this dashboard. To change DNS settings, you must use the DNS configuration tool on the DNS server(s) that control the zone that you wish to change.

You can get additional information about the DNS servers that control the zone by selecting the desired server in the DNS Servers list. See DNS Server status for additional information.

You can choose which DNS Zone you want to display by selecting it in the DNS Zone: drop-down list at the top of the dashboard.

You can also adjust how much data is displayed by selecting the time range you desire in the time range picker.

DNS Performance

The DNS Performance dashboard lets you view specific DNS performance metrics in chart form, based on the server and performance metrics you choose in the drop-down lists on the upper right portion of the dashboard.

Each metric is overlaid with CPU performance information so that you can correlate anomalous readings with CPU usage in real time.

You can adjust how much data is displayed by selecting the time range you desire in the time range picker on the upper left side of the dashboard.

DNS Reports

The DNS Reports collection allows you to generate reports on your DNS operations by running real-time searches against the collected DNS data. These reports include:

  • DNS Failing Domains
  • DNS Top Filing Domains
  • DNS Top Hosts sending failing queries
  • DNS Top Non-authoritative responses
  • DNS Top Querying Hosts
  • DNS Top Recursive Failure Domains
  • DNS Top Requested Queries

Note: In order to view these statistics, your DNS servers must have debug logging enabled. If this feature is not turned on, then these reports will be blank.

Reports

The Reports series of dashboards provide insight into major health and performance issues with your Active Directory environment. These dashboards provide one-step access to information on problems that are currently happening within your environment, allowing you to quickly analyze and take appropriate action.

Health Issues

The Health Issues dashboard displays active problems occurring with the domain controllers within your AD forest. It also displays anomalous events that you should be aware of, such as reboots, problems with Knowledge Consistency Checkers (KCCs) on domain controllers, and other unexpected circumstances.

You can control how much information is displayed by selecting the time range you desire in the time range picker on the upper left side of the dashboard.

Subnet Affinity Issues

Occasionally, a server will appear from an IP address that is not associated with a site. The Subnet Affinity Issues dashboard provides a concise report for handling this case. When you see an IP address in this page, log on to your Forest Infrastructure Master and use the Active Directory Sites and Services tool to add the subnet and associate it with a Site. IP addresses that report more frequently are closer to the top of the list.

You can control how much information is displayed by selecting the time range you desire in the time range picker on the upper left side of the dashboard.

Replication issues

The Active Directory Replication Health dashboard lets you review current AD replication agreements, and the status of those agreements.

You can change the context in which you view the replication agreements by selecting the Naming Context drop-down on the upper right side of the dashboard.

You can also adjust how much time is considered when constructing the reports by selecting the time range you desire in the time range picker on the upper left.

Performance

The Performance dashboard lets you view all AD-related performance metrics across all domain controllers in your AD forest in a chart.

To view a metric, select the desired domain controller from the Server drop-down list on the upper right of the dashboard. Then, select the performance Object and, finally, the desired Counter in the same fashion.

The chart is displayed on the lower portion of the dashboard.

You can also adjust how much data is displayed by selecting the time range you desire in the time range picker on the upper left portion of the window.


Security

The Security series of dashboards give you vision into the defense mechanisms of your Active Directory operations. They provide information on logon failures, attempts to controvert user security settings, and user utilization, as well as display audits and reports on all AD objects in your environment.

Each of the Security dashboards splits into two sections. The upper section of the dashboard is a selection panel which allows you to choose the forests, sites, domains, and domain controllers that are known to the Splunk App for Windows Infrastructure to narrow your search. You can select multiple objects at a time. The lower portion of the dashboard displays additional information based on what you select on the top half.

You can also control how much data is displayed by selecting the time range you desire in the time range picker on the upper left portion of the window.

User Logon Failures

The User Logon Failures dashboard provides insight into recent failed attempts by users to log into your domain. Specific statistics include:

  • Failed logons over time.
  • Failed interactive logons by IP address.
  • Failed logons by reason (for example, expired password, locked account, or disabled account.)
  • Failed interactive logons by username.
  • Failed logons by logon type.
  • Users failing to logon from multiple IPs (for example, an active attempt to break into the network.)

Anomalous Logons

Like the User Logon Failures dashboard, the Anomalous Logons dashboard contains information about questionable user activity on your network. It also shows the more sinister attempts to access restricted network resources. Specific statistics displayed here include:

  • Users logging on from more than one AD site
  • Users logging on from more than one workstation
  • Attempts to log on to disabled or expired accounts

User Utilization

The User Utilization dashboard displays statistics on:

  • The number of logons over time.
  • The top number of successful logons, by user.
  • The number of locked accounts.
  • The top number of authenticating workstations.

Audit

The Audit series of dashboards allow you to take stock of changes that have happened to your Active Directory environment over time. The audits you can perform are:

  • Administrator audit
  • Computer audit
  • User audit
  • Group audit
  • Group Policy Audit
  • Organizational Unit (OU) Audit

In all audit dashboards, you can control how much data is displayed by selecting the time range you desire in the time range picker on the upper left portion of each dashboard.

Administrator Audit

The Administrator Audit dashboard displays information about recent activity by administrators in your AD environment. The dashboard displays the following specifics:

  • Administrator logons.
  • Attempts by administrators to unlock accounts.
  • Other administrative changes to user accounts.
  • Administrative changes to computer accounts.
  • Administrative changes to groups.
  • Administrative changes to Group Policy and Group Policy objects.
  • Additions, changes or deletions of computer accounts.

In the upper portion of the dashboard, you can choose the domain from which you want to display administrator audit data by selecting the Account Domain drop-down list. You can further narrow down your search by selecting an administrator from the Administrator drop-down list.

Clicking on a chart in the Administrator Audit dashboard takes you to one of the five other dashboards shown below.

Computer Audit

The Computer Audit dashboard displays information about access to Active Directory from computer accounts, and includes statistics on:

  • Active Directory record.
  • Group Membership.
  • Accounts that were locked out after attempting a logon from a specific workstation.
  • Failed logons from specific computers.

In the upper portion of the dashboard, you can choose the domain from which you want to display computer audit data by selecting the Account Domain drop-down list. You must do so in order to get information on computer account activity within the domain.

You can further narrow down your search by typing in the name of a valid computer account in the Computer Account field.

User Audit

The User Audit dashboard displays information about Active Directory user objects, and includes specifics on:

  • Active Directory record.
  • Group Membership.
  • Accounts that were locked out after failing to logon properly.
  • Failed logons by the selected workstation.

In the upper portion of the dashboard, you can choose the domain from which you want to display user audit data by selecting the Account Domain drop-down list. You must do so in order to get information on user account activity within the domain.

You can further narrow down your search by typing in the name of a valid user object in the User Account field.

Group Audit

The Group Audit dashboard displays information about Active Directory group objects, and includes statistics on:

  • Active Directory record.
  • A full Group Membership list.
  • Recent changes to the group membership.

In the upper portion of the dashboard, you can choose the domain from which you want to display user audit data by selecting the Account Domain drop-down list. You must do so in order to get information on group account activity within the domain.

You can further narrow down your search by typing in the name of a valid group object in the Group Name field.

Group Policy Audit

The Group Policy Audit dashboard displays information about Active Directory Group Policy objects (GPOs), and includes statistics on:

  • Which group policy objects are linked to which containers.
  • Recent changes to group policy.

In the upper portion of the dashboard, you can choose the domain from which you want to display user audit data by selecting the Domain drop-down list. You can further narrow down your search by typing in a valid GPO in the Group Policy Name field.

Organizational Unit (OU) Audit

The OU Audit dashboard displays information about Active Directory Organizational Units and includes statistics on Active Directory record.

In the upper portion of the dashboard, you can choose the domain from which you want to display user audit data by selecting the Domain drop-down list. You can further narrow down your search by typing in a valid OU in the Organizational Unit Name field.

Reports

The Reports series of dashboards displays detailed information about all aspects of your Active Directory environment.

You can display and print the following reports:

  • Computer Accounts:
    • All
    • Domain controllers only
    • New
    • Deleted
    • Active
    • Inactive
    • Unused
    • Disabled
    • Trusted
    • No Manager (The object does not have a delegate assigned to it.)
  • Domain Accounts:
    • All
    • New
    • Deleted
    • Active
    • Inactive
    • Unused
    • Disabled
    • Accounts that don't expire
    • Accounts where a password is not required
    • Accounts where the password does not expire
    • Accounts where the password is too old
    • No manager
    • Sensitive accounts
  • Security Group Accounts:
    • All
    • New
    • Deleted
    • Changed type
    • Empty
    • Large
    • Nested
    • No Manager.
  • Organizational Units:
    • All
    • New
    • Deleted
    • No Manager
    • Those with a direct GPO link.
  • Group Policy Objects:
    • All
    • New
    • Deleted
    • Disabled.


Change Management

The Change Management series of dashboards shows you what recent changes have been made to your Active Directory environment. They display changes that have been made by administrators or delegates with authority to make changes to the following objects:

  • User objects
  • Group objects
  • Computer objects
  • Group Policy objects

The upper half of each Change Management dashboard is a selection panel which allows you to choose the forests, sites, domains, and domain controllers that are known to the Splunk App for Windows Infrastructure. You can select multiple objects at a time.

The lower section of the dashboard displays information based on the selection you make in the top section of the dashboard.

On all dashboards, you can also control how much data is displayed by selecting the time range you desire in the time range picker on the upper left portion of the dashboard window.

User Record Changes

The User Record Changes dashboard shows information about changes to user objects in the AD environment, from both a security and a directory services perspective.

You can narrow your search by typing in the name of a user in the Account User field in the upper portion of the dashboard.

Group Changes

The Group Changes dashboard shows information about changes to AD group objects, from the context of both changes to the group object itself and changes to the membership of the group.

You can narrow your search by using one of the available drop-downs to limit results based on:

  • Administrator (who made the changes)
  • Member, Group, Group Class (Security or Distribution)
  • Group Scope (Global, Local or Universal).

Computer Changes

The Computer Changes dashboard displays information about changes to AD computer objects.

You can narrow your search by using one of the available drop downs to limit results based on Administrator (who made the changes) and Computer Name.

Group Policy Changes

The Group Policy Changes dashboard displays information about changes to AD group policy objects (GPOs).

You can narrow your search by using one of the available drop downs to limit results based on Administrator (who made the changes) and Group Policy Name.

Last modified on 31 March, 2014
PREVIOUS
Windows Help
  NEXT
Build custom dashboards

This documentation applies to the following versions of Splunk® App for Windows Infrastructure: 1.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters