In this article, we will look at two important elements of the Active Directory infrastructure — sites and subnets. Sites in ADDS are used to combine domain controllers and clients into containers that describe the physical topology of your corporate network. Using sites, you can optimize WAN traffic between company branches in different cities/countries. You can bind several IP subnets (networks) to each site so clients can easily find the Active Directory domain controller closest to them.
What are AD sites?
An AD site is a set of IP subnets connected by fast network links; sites are used to control Active Directory replication traffic. Thus, a single site object may include several IP address ranges. IP subnets are specified in network/prefix-length format, for example, 192.168.19.0/24.
When you promote the first Active Directory domain controller in your domain, a site named Default-First-Site-Name is created by default. The new DC and all the next ones are placed on this site by default.
Suppose your organization has a head office and two branches in different cities. Your task is to create the correct AD site and subnet architecture.
Managing AD sites
To manage AD sites and subnets, open the Active Directory Sites and Services snap-in (dssite.msc). By default, the console contains only one site object, Default-First-Site-Name. Rename it to HQ.
Hint. You can rename the site using the cmdlets from the PowerShell Active Directory module.
Import the module into your current PowerShell session.
Import-Module ActiveDirectory
In order to rename the default AD site, use the Rename-ADObject cmdlet:
Get-ADReplicationSite Default-First-Site-Name | Rename-ADObject -NewName NewSiteName
Now create 2 new sites:
- Toronto
- Vancouver
Click on Sites > New Site.
Specify the site name, select link name (the default is DEFAULTSITELINK with IP transport), and click OK. Create another site.
Hint. You can create the new Active Directory site using the New-ADReplicationSite cmdlet. Just specify its name:
New-ADReplicationSite -Name "Calgary"
You can list your AD sites:
Get-AdReplicationSite -filter *|select Name,ObjectClass
Creating IP subnets using the management console
Now you need to create IP subnets and add them to the appropriate AD site. The list of IP subnets is located in the Subnets section and is empty by default.
Create a new subnet: Subnets > New Subnet.
Specify the IPv4 subnet and subnet mask in the format 192.168.1.0/24 and bind it to the desired AD site.
Similarly, create all other IP subnets in your organization and map them to Active Directory sites.
Create IP subnets and add them to the AD site using PowerShell
You can create a subnet and add it to an AD site using PowerShell:
New-ADReplicationSubnet -Name "192.168.100.0/24" -Site "HQ"
You can add an IPv6 subnet:
New-ADReplicationSubnet -Name "2001:db8:2::/64" -Site "HQ"
To display all IP subnets, run the command:
Get-ADReplicationSubnet -Filter * |Ft Location,Name,Site
You can view the full list of AD sites and their assigned IP subnets with the following PowerShell script:
$sites = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites
foreach ($site in $sites) {
    Write-Host "$site"
    # IP subnets assigned to this site
    foreach ($subnet in $site.Subnets) {
        Write-Host "....(IP network) $subnet"
    }
    # Domain controllers located in this site (listed once per site, not once per subnet)
    foreach ($server in $site.Servers) {
        Write-Host "........(server) $server"
    }
}
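The subnet list is only complete if every network your clients actually use is in it. Netlogon on each domain controller records requests from clients whose IP address matches no AD subnet as NO_CLIENT_SITE lines in %SystemRoot%\debug\netlogon.log, so that log is the quickest way to find subnets you have not created yet. The following script is an added example and not part of the original article: it parses such lines and groups the addresses into candidate /24 networks. The log lines, host names and domain name CORP are constructed sample data; the regex anchors on the NO_CLIENT_SITE token, so the exact line prefix written by your Windows version does not matter.

```powershell
# Added example (not from the original article): constructed netlogon.log lines
# in the NO_CLIENT_SITE format. Host names, IPs and the CORP domain are invented.
$sampleNetlogon = @'
05/14 08:02:11 CORP: NO_CLIENT_SITE: WKS-0412 10.50.12.37
05/14 08:02:15 CORP: NO_CLIENT_SITE: WKS-0419 10.50.12.88
05/14 08:03:01 CORP: NO_CLIENT_SITE: LAPTOP-77 172.16.9.5
05/14 08:03:09 CORP: SiteName: HQ
05/14 08:04:44 CORP: NO_CLIENT_SITE: WKS-0412 10.50.12.37
05/14 08:05:20 CORP: NO_CLIENT_SITE: PRN-02 10.50.13.200
'@ -split "`r?`n"

function Get-UnmappedClientSubnet {
    # Returns one row per /24 network that produced NO_CLIENT_SITE entries,
    # most frequently hit networks first. Grouping by /24 is a simplification:
    # the real subnet to create may be larger or smaller.
    param([Parameter(Mandatory)][string[]]$LogLine)

    $pattern = 'NO_CLIENT_SITE:\s+(?<host>\S+)\s+(?<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$'
    $hits = foreach ($line in $LogLine) {
        if ($line -match $pattern) {
            $octets = $Matches.ip -split '\.'
            [pscustomobject]@{
                Host    = $Matches.host
                IP      = $Matches.ip
                Network = (($octets[0..2] -join '.') + '.0/24')
            }
        }
    }

    $hits | Group-Object Network | ForEach-Object {
        [pscustomobject]@{
            CandidateSubnet = $_.Name
            Requests        = $_.Count
            Hosts           = (($_.Group | Select-Object -ExpandProperty Host | Sort-Object -Unique) -join ', ')
        }
    } | Sort-Object Requests -Descending
}

Get-UnmappedClientSubnet -LogLine $sampleNetlogon | Format-Table -AutoSize
# On a domain controller, feed the live log instead of the constructed sample:
# Get-UnmappedClientSubnet -LogLine (Get-Content "$env:SystemRoot\debug\netlogon.log")
```

With the sample data the script reports 10.50.12.0/24 (three requests from two hosts), 10.50.13.0/24 and 172.16.9.0/24. Each candidate network then becomes a New-ADReplicationSubnet call bound to the site where those clients physically are; until that is done, those clients are served by an arbitrary domain controller rather than the closest one.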
Installing additional domain controllers in AD sites
After creating sites and subnets, you can install additional domain controllers in the new sites. When you install an additional DC, it is automatically placed in the site to which its IP subnet is bound. If the IP subnet of the new domain controller is not assigned to any site, the DC is by default placed in the site of the domain controller that authorized its promotion.
You can change the AD site for any domain controller:
- Open the AD Sites and Services snap-in;
- Expand Sites > Old_Site_Name > Servers;
- Select the domain controller that you want to move to another Active Directory site, right-click on it, and select Move;
- Select the new AD site to which you want to move your DC;
- Click OK to start the transfer;
- Wait for full replication in Active Directory to update the domain topology.
You can also move the domain controller between sites using the Move-ADDirectoryServer PowerShell cmdlet:
Get-ADDomainController CAL-DC2 | Move-ADDirectoryServer -Site Calgary
You can display a list of domain controllers and the sites they belong to using PowerShell:
Get-ADDomainController -Filter * | ft Hostname,Site
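A domain controller that ended up in the wrong site keeps working, but clients in the subnets of that site are steered to it as their "closest" DC. The following script is an added example and not part of the original article: it checks that each DC's IPv4 address falls inside a subnet assigned to the same site the DC object sits in, and flags DCs with no covering subnet or a covering subnet that points at a different site. The DC and subnet lists are constructed sample data shaped like Get-ADDomainController and Get-ADReplicationSubnet output (host names and addresses are invented); live Get-ADReplicationSubnet objects carry the site as a distinguished name, which the helper normalizes.

```powershell
# Added example (not from the original article). Constructed sample data in the
# shape of Get-ADDomainController / Get-ADReplicationSubnet output.
$sampleDcs = @(
    [pscustomobject]@{ HostName = 'hq-dc1.corp.local';  IPv4Address = '192.168.100.10'; Site = 'HQ' }
    [pscustomobject]@{ HostName = 'tor-dc1.corp.local'; IPv4Address = '10.10.1.10';     Site = 'Toronto' }
    [pscustomobject]@{ HostName = 'van-dc1.corp.local'; IPv4Address = '10.20.1.10';     Site = 'Toronto' }  # never moved to Vancouver
    [pscustomobject]@{ HostName = 'cal-dc2.corp.local'; IPv4Address = '10.30.1.10';     Site = 'Calgary' }  # subnet not created
)
$sampleSubnets = @(
    [pscustomobject]@{ Name = '192.168.100.0/24'; Site = 'CN=HQ,CN=Sites,CN=Configuration,DC=corp,DC=local' }
    [pscustomobject]@{ Name = '10.10.0.0/16';     Site = 'CN=Toronto,CN=Sites,CN=Configuration,DC=corp,DC=local' }
    [pscustomobject]@{ Name = '10.20.0.0/16';     Site = 'CN=Vancouver,CN=Sites,CN=Configuration,DC=corp,DC=local' }
    [pscustomobject]@{ Name = '2001:db8:2::/64';  Site = 'CN=HQ,CN=Sites,CN=Configuration,DC=corp,DC=local' }  # IPv6, skipped below
)

function ConvertTo-UInt32Address {
    # Dotted IPv4 string to an unsigned 32-bit integer in host byte order
    param([string]$IPv4)
    $bytes = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()
    [array]::Reverse($bytes)  # GetAddressBytes is network order; BitConverter is little-endian
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InSubnet {
    param([string]$IPv4, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $mask = [uint32]((0xFFFFFFFF -shl (32 - [int]$prefix)) -band 0xFFFFFFFF)
    ((ConvertTo-UInt32Address $IPv4) -band $mask) -eq ((ConvertTo-UInt32Address $network) -band $mask)
}

function Get-SiteNameFromDN {
    # 'CN=HQ,CN=Sites,...' -> 'HQ'; a plain site name passes through unchanged
    param([string]$Value)
    if ($Value -match '^CN=([^,]+)') { $Matches[1] } else { $Value }
}

function Test-DCSitePlacement {
    param($DomainController, $Subnet)
    # Only IPv4 subnets take part in the comparison
    $v4Subnets = $Subnet | Where-Object { $_.Name -match '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$' }
    foreach ($dc in $DomainController) {
        # Longest matching prefix wins, as it does for the DC locator
        $match = $v4Subnets |
            Where-Object { Test-IPv4InSubnet -IPv4 $dc.IPv4Address -Cidr $_.Name } |
            Sort-Object { [int]($_.Name -split '/')[1] } -Descending |
            Select-Object -First 1
        $subnetSite = if ($match) { Get-SiteNameFromDN $match.Site } else { $null }
        $status = 'OK'
        if (-not $match) { $status = 'NoSubnet' }
        elseif ($subnetSite -ne $dc.Site) { $status = 'SiteMismatch' }
        [pscustomobject]@{
            HostName    = $dc.HostName
            IPv4Address = $dc.IPv4Address
            DCSite      = $dc.Site
            Subnet      = if ($match) { $match.Name } else { '-' }
            SubnetSite  = if ($subnetSite) { $subnetSite } else { '-' }
            Status      = $status
        }
    }
}

Test-DCSitePlacement -DomainController $sampleDcs -Subnet $sampleSubnets | Format-Table -AutoSize
# Against a live domain (requires the ActiveDirectory module):
# Test-DCSitePlacement -DomainController (Get-ADDomainController -Filter *) -Subnet (Get-ADReplicationSubnet -Filter *)
```

With the sample data, hq-dc1 and tor-dc1 come back OK, van-dc1 is reported as SiteMismatch (its address is in the Vancouver subnet while the server object is still in Toronto, the case Move-ADDirectoryServer fixes), and cal-dc2 as NoSubnet (the Calgary subnet has not been created yet).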
Site links are used for communication between sites. A site link links 2 or more AD sites and matches the physical connection topology between sites. Site links define the routes which Active Directory replication can use, and also affect how clients choose the closest domain controllers or other servers.
For example, if all three of your sites can be directly connected to each other, just create a single site link, which includes 3 sites.
You can manage site links in the same console, under Inter-Site Transports > IP. By default, there is only one link, DEFAULTSITELINK, which includes all three sites and replicates every 3 hours.
You can use the Active Directory Sites and Services console or the PowerShell command line to manage site links in Active Directory.
For example, you want to create a new site link between the Toronto and Vancouver sites and set a custom cost and replication frequency:
New-ADReplicationSiteLink -Name "lnk-Toronto-Vancouver" -SitesIncluded Vancouver, Toronto -Cost 100 -ReplicationFrequencyInMinutes 15
To remove this site link, run the command:
Remove-ADReplicationSiteLink -Identity "lnk-Toronto-Vancouver"
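Removing or editing site links is where replication gaps creep in: a site that belongs to no site link receives no inter-site replication, and a link with a single site replicates nothing. The following script is an added example and not part of the original article: it reviews a set of site links for exactly those gaps and for links whose replication interval exceeds a threshold. The site and link objects are constructed to mirror Get-ADReplicationSite and Get-ADReplicationSiteLink output, in which SitesIncluded holds site distinguished names; the site names Ottawa and the link lnk-Calgary are invented for the example.

```powershell
# Added example (not from the original article). Constructed data in the shape
# of Get-ADReplicationSite / Get-ADReplicationSiteLink output.
$sampleSites = 'HQ', 'Toronto', 'Vancouver', 'Calgary', 'Ottawa'
$sitesDn = 'CN=Sites,CN=Configuration,DC=corp,DC=local'
$sampleLinks = @(
    [pscustomobject]@{ Name = 'DEFAULTIPSITELINK';     SitesIncluded = @("CN=HQ,$sitesDn", "CN=Toronto,$sitesDn", "CN=Vancouver,$sitesDn"); Cost = 100; ReplicationFrequencyInMinutes = 180 }
    [pscustomobject]@{ Name = 'lnk-Toronto-Vancouver'; SitesIncluded = @("CN=Toronto,$sitesDn", "CN=Vancouver,$sitesDn");                 Cost = 100; ReplicationFrequencyInMinutes = 15 }
    [pscustomobject]@{ Name = 'lnk-Calgary';           SitesIncluded = @("CN=Calgary,$sitesDn");                                          Cost = 100; ReplicationFrequencyInMinutes = 180 }
)

function Test-SiteLinkTopology {
    # Emits one finding object per problem; no output means the topology passed.
    param([string[]]$SiteName, $SiteLink, [int]$MaxReplicationMinutes = 180)
    $linked = @{}
    foreach ($link in $SiteLink) {
        # Reduce each member DN to the site name
        $members = @($link.SitesIncluded | ForEach-Object { if ($_ -match '^CN=([^,]+)') { $Matches[1] } else { $_ } })
        foreach ($m in $members) { $linked[$m] = $true }
        if ($members.Count -lt 2) {
            [pscustomobject]@{ Finding = 'SingleSiteLink'; Object = $link.Name; Detail = "contains only $($members -join ', ')" }
        }
        if ($link.ReplicationFrequencyInMinutes -gt $MaxReplicationMinutes) {
            [pscustomobject]@{ Finding = 'SlowReplication'; Object = $link.Name; Detail = "$($link.ReplicationFrequencyInMinutes) min between replication cycles" }
        }
    }
    foreach ($s in $SiteName) {
        if (-not $linked.ContainsKey($s)) {
            [pscustomobject]@{ Finding = 'SiteNotLinked'; Object = $s; Detail = 'not included in any site link' }
        }
    }
}

Test-SiteLinkTopology -SiteName $sampleSites -SiteLink $sampleLinks | Format-Table -AutoSize
# Against a live forest (requires the ActiveDirectory module):
# Test-SiteLinkTopology -SiteName (Get-ADReplicationSite -Filter * | Select-Object -ExpandProperty Name) `
#                       -SiteLink (Get-ADReplicationSiteLink -Filter *)
```

With the sample data the script reports lnk-Calgary as a SingleSiteLink and Ottawa as SiteNotLinked; the 180-minute default interval is not flagged because it equals the threshold. Running the check after every Remove-ADReplicationSiteLink is a cheap way to confirm that no site has been cut off from replication.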
Active Directory sites are typically created for branches with domain controllers. However, other applications also use AD site information, for example Distributed File System (DFS), Exchange Server, and System Center Configuration Manager (SCCM).
Frequently Asked Questions
What’s Involved in Configuring Active Directory Sites and Subnets, and How Does It Impact the Physical Network Topology?
Configuring Active Directory sites and subnets enables an organization to define its physical network topology. This involves combining domain controllers and clients into containers that represent the actual layout of the corporate network. By binding several IP subnets to each site, you can enhance WAN traffic optimization between company branches and ensure clients find the closest domain controller.
What Is an AD Site Link, and How Do You Create a New Site Link in Active Directory?
An AD site link connects two or more AD sites and controls the replication traffic between them. You can create a new site link using PowerShell cmdlets such as New-ADReplicationSiteLink. Site links reflect the physical connection topology between sites and enable efficient data flow across different locations.
How Do You Manage Directory Sites and Services, and What Role Do Site Link Bridges Play?
You can manage directory sites and services using tools like the Active Directory Sites and Services snap-in or PowerShell cmdlets. Site link bridges allow connections between site links, enhancing the replication process between different sites. This helps manage AD site links and maintain the network’s physical topology.
What Steps Are Required to Move Domain Controllers Between Different Sites?
You can use the AD Sites and Services snap-in or PowerShell command Move-ADDirectoryServer to move domain controllers between different sites. Selecting the desired domain controller and the new AD site initiates the transfer. Domain controllers play a vital role in managing replication traffic and determining the location of servers within the network.
How Do You Create New Active Directory Sites and New Subnets? What’s the Significance of the Default AD Site?
New Active Directory sites can be created through the Sites and Services snap-in or by using cmdlets like New-ADReplicationSite. Similarly, you can create new subnets using New-ADReplicationSubnet. When you promote the first domain controller, a default AD site named Default-First-Site-Name is created. This site acts as the primary container for new and existing domain controllers.
How Can You Leverage PowerShell to Manage Sites and Change Site Link Properties?
Managing sites, including creating site links and adjusting site link properties, can be done using various PowerShell cmdlets. For example, you can use New-ADReplicationSiteLink to establish a link and set custom costs and replication frequency. This offers greater control over site topology and enhances communication between two sites or more.
What’s the Role of Enterprise Admins Group and Domain Admins Group in Active Directory Configuration?
Enterprise Admins Group and Domain Admins Group have privileged access in Active Directory configuration. They can perform tasks like configuring active directory sites and subnets, managing AD site information, and controlling replication traffic. Their role ensures that the right permissions are granted for critical operations within the network.
What Are the Benefits of Configuring Active Directory Sites for Distributed File System (DFS) and Other Applications like Exchange Server?
Configuring Active Directory sites supports applications like Distributed File System (DFS) and Exchange Server. It enables these applications to utilize AD site information, enhancing their performance and alignment with the physical location and topology of the network.
Wrapping Up
Configuring Active Directory sites and subnets is a fundamental task for managing the physical topology of a network in an organized and effective manner. From defining site boundaries to controlling replication traffic, these configurations enable an efficient and responsive infrastructure.
Leveraging tools like the Active Directory Sites and Services snap-in and various PowerShell cmdlets, administrators can create new sites, manage IP addresses, and control site link properties.
2 comments
Is there a need to add ‘voice’ subnets to AD Sites and Services?
Thank you for sharing these things.