Deploy the Splunk Add-ons for Active Directory
This topic discusses how to deploy the Splunk Add-ons for Active Directory into deployment clients that you install onto your Active Directory domain controllers.
Which Active Directory add-ons go where?
The deployment server must be made aware of the new add-ons before you can deploy them to deployment clients. You do this by placing the add-ons in the deployment apps directory.
In this case, since not every Windows host in the Exchange deployment is an Active Directory domain controller, not every host should receive the Splunk Add-ons for Active Directory. Also, since there are different Active Directory add-ons for different versions of Windows Server, only the add-on that has been designed for a specific version of Windows Server should be deployed to that host.
This means that, during this part of the setup, you will define new deployment classes at the deployment server to account for these differences.
As a reminder, here is the list of available add-ons for Active Directory, and what versions of Windows Server they should be installed on:
|TA-DomainController-NT5||For Active Directory domain controllers running Windows Server 2003/2003 R2 and earlier|
|TA-DomainController-NT6||For Active Directory domain controllers running Windows Server 2008/2008 R2 and later|
|TA-DomainController-2012r2||For Active Directory domain controllers running Windows Server 2012 R2 and later. Requires the Splunk Add-on for PowerShell.|
This is the same table shown in "More information about the Active Directory add-ons."
Best practice: Only deploy the Active Directory add-ons to a select group of domain controllers
Consider how many domain controllers in the deployment should receive the enabled add-ons. Best practice recommends that only one domain controller receives the add-ons, with one or two others receiving the deployment as a backup.
Place the add-ons in the deployment apps directory on the deployment server
First, make the deployment server aware of the new add-ons:
1. Open a command prompt on the deployment server/indexer.
2. Copy the add-on folders from their current location to the deployment apps directory:
> Copy-Item -Path C:\Downloads\splunk_app_windows_infrastructure\appserver\addons\TA-DomainController* -Destination "C:\Program Files\Splunk\etc\deployment-apps -Recurse -Force
3. Tell the deployment server to reload its deployment configuration.
> cd \Program Files\Splunk\bin > .\splunk reload deploy-server
4. From a web browser, log into Splunk Enterprise on the deployment server.
5. In the system bar, select Settings > Forwarder Management.
6. Click the Apps tab. You should see the TA_DomainController* add-ons in the list of apps.
Define a new server class for domain controllers
In this procedure, you will define a new server class for Windows Server 2008 domain controllers. In this server class, you will deploy the
TA_DomainController_NT6 add-on. Later, you will assign this server class to a deployment client that runs Windows Server 2008.
1. In the "TA_DomainController_NT6" add-on entry in the list, click Edit. Splunk Enterprise loads the "Edit App: TA-DomainController_NT6" page.
2. Click the gray "+" sign under "Server Classes".
3. In the pop-up that appears, click New Server Class.
4. In the "New Server Class" dialog box that pops up, enter "Domain Controllers - Server 2008".
Note: When setting up server classes later on in the setup process, you can enter a unique name for the server class that describes the hosts that belong in the class, and that you will remember.
5. Click Save. Splunk Enterprise saves the class and loads the information page for the server class you just created.
Note that it says you have not added any apps or clients yet. This is okay, as you have just created the class.
6. Click Add apps. Splunk Enterprise loads the "Edit Apps" page.
7. Locate and click the "TA_DomainController_NT6" add-on in the "Unselected Apps" pane on the left. The app moves to the "Selected Apps" pane on the right.
8. Click Save. Splunk Enterprise saves the configuration and returns you to the server class information page.
Add domain controller clients to the server class
Note: If you have not installed a universal forwarder on a Windows host that runs Windows Server 2008, do so now, using the instructions in "Install a universal forwarder on each Windows host". Then continue with the following steps.
To assign the domain controller deployment client to the "Domain Controllers" server class:
1. In the server class information page, click Add clients. Splunk Enterprise loads the "Edit clients" page.
2. In the "Include (whitelist)" field, enter the name of the domain controller.
3. Click Preview. Splunk Enterprise updates the host list at the bottom and places check marks on the hosts that match what you entered in the "Include (whitelist)" field.
4. Click Save. Splunk Enterprise adds the host to the server class and deploys the add-on to the deployment client on the Active Directory host.
Add domain controller clients to the "universal forwarder" server class
In the same way that you added the domain controller deployment client to the "domain controllers" server class to deploy the Active Directory add-on, you should also add the client to the "universal forwarder" server class. This does two things:
- Deploys the Splunk Add-on for Windows to the domain controller, which enables the client to collect Windows data from the controller.
- Deploys the "send to indexer" app to the domain controller client, which enables the client to forward Windows and Active Directory to the indexer.
To add the domain controller to the "universal forwarders" server class, follow the instructions at "Add the universal forwarder to the server class."
You have now deployed the Active Directory add-on onto your domain controller deployment client. In the future, you can use this procedure to deploy the add-on(s) to additional client(s).
Next, you will confirm that Active Directory data is coming into the indexer from the deployment client.
Download and configure the Splunk Add-ons for Active Directory
Confirm and troubleshoot AD data collection
This documentation applies to the following versions of Splunk® App for Windows Infrastructure: 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1