In this article, we will look at two important elements of the Active Directory infrastructure: sites and subnets. Sites in AD DS are used to combine domain controllers and clients into containers that describe the physical topology of your corporate network. Using sites, you can optimize WAN traffic between company branches in different cities or countries. You can bind several IP subnets (networks) to each site so that clients can easily find the Active Directory domain controller closest to them.
An AD site is a set of IP subnets that are connected by fast network links and is used to control Active Directory replication traffic. Thus, a single site may include several IP address ranges. IP subnets are specified in the network/bitmask (CIDR) format, for example, 192.168.19.0/24.
When you promote the first Active Directory domain controller in your domain, a site named Default-First-Site-Name is created by default. This DC, and all subsequent ones, are placed in this site by default.
Suppose your organization has a head office and two branches in different cities. Your task is to create the correct AD site and subnet architecture.
To manage AD sites and subnets, use the Active Directory Sites and Services snap-in (dssite.msc). By default, there is only one Default-First-Site-Name site in the console. Rename it to HQ.
Hint. You can rename the site using the cmdlets from the PowerShell Active Directory module.
Import the module into your current PowerShell session.
Import-Module ActiveDirectory
In order to rename the default AD site, use the Rename-ADObject cmdlet:
Get-ADReplicationSite Default-First-Site-Name | Rename-ADObject -NewName NewSiteName
Now create 2 new sites:
- Toronto
- Vancouver
Click on Sites > New Site.
Specify the site name, select a site link (the default is DEFAULTSITELINK with the IP transport), and click OK. Create the second site the same way.
Hint. You can create the new Active Directory site using the New-ADReplicationSite cmdlet. Just specify its name:
New-ADReplicationSite -Name "Calgary"
You can list your AD sites:
Get-ADReplicationSite -Filter * | Select-Object Name,ObjectClass
Now you need to create IP subnets and add them to the appropriate AD site. The list of IP subnets is located in the Subnets section and is empty by default.
Create a new subnet: Subnets > New Subnet.
Specify the IPv4 subnet and subnet mask in the format 192.168.1.0/24 and bind it to the desired AD site.
Similarly, create all other IP subnets in your organization and map them to Active Directory sites.
You can create a subnet and add it to an AD site using PowerShell:
New-ADReplicationSubnet -Name "192.168.100.0/24" -Site "HQ"
You can add an IPv6 subnet:
New-ADReplicationSubnet -Name "2001:db8:2::/64" -Site "HQ"
To display all IP subnets, run the command:
Get-ADReplicationSubnet -Filter * | Format-Table Location,Name,Site
You can view the full list of AD sites and their assigned IP subnets with the following PowerShell script:
# Enumerate every site in the forest, then the IP subnets and the servers (DCs) bound to it.
$sites = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites
foreach ($site in $sites) {
    Write-Host "$site"
    foreach ($subnet in $site.Subnets) {
        Write-Host "....(IP network) $subnet"
    }
    # The server loop is a sibling of the subnet loop, not nested inside it;
    # otherwise each DC would be printed once per subnet, and not at all for a site without subnets.
    foreach ($server in $site.Servers) {
        Write-Host "........(server) $server"
    }
}
After creating sites and subnets, you can install additional domain controllers in the new sites. When you install an additional DC, it is automatically placed in the site to which the IP subnet containing the domain controller's address is bound. If the DC's address does not fall into any subnet assigned to a site, it is placed by default in the site of the domain controller that authorized its promotion.
You can change the AD site for any domain controller:
- Open the AD Sites and Services snap-in;
- Expand Sites > Old_Site_Name > Servers;
- Select the domain controller that you want to move to another Active Directory site, right-click on it, and select Move;
- Select the new AD site to which you want to move your DC;
- Click OK to start the transfer;
- Wait for full replication in Active Directory to update the domain topology.
You can also move the domain controller between sites using the Move-ADDirectoryServer PowerShell cmdlet:
Get-ADDomainController CAL-DC2 | Move-ADDirectoryServer -Site Calgary
You can display a list of domain controllers and the sites they belong to using PowerShell:
Get-ADDomainController -Filter * | Format-Table HostName,Site
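The subnet-to-site mapping above and the automatic DC placement it drives are only as good as the subnet list. The following script is an added example, not code from the original article: it resolves an IP address to a site by longest-prefix match over the AD subnet list (the same rule the DC locator applies), warns about subnets bound to no site, and checks that each domain controller actually sits in the site its IPv4 address maps to. It assumes the ActiveDirectory module is installed and that it runs under an account that can read the Configuration partition; all checks are read-only.

```powershell
# Added example (not from the original article): audit subnet-to-site mapping
# and verify that each DC is in the site its IP address maps to. Read-only.
# Assumes the ActiveDirectory module and read access to the Configuration partition.
Import-Module ActiveDirectory

# Parse "network/prefix" into raw address bytes plus prefix length.
# Comparing bytes makes the same code work for IPv4 and IPv6 subnets.
function ConvertTo-PrefixInfo {
    param([string]$Cidr)
    $network, $prefix = $Cidr -split '/', 2
    $bytes = ([System.Net.IPAddress]::Parse($network)).GetAddressBytes()
    [pscustomobject]@{ Cidr = $Cidr; Bytes = $bytes; Prefix = [int]$prefix }
}

# True when $Address lies inside the prefix described by $Info.
function Test-IPInPrefix {
    param([System.Net.IPAddress]$Address, $Info)
    $addrBytes = $Address.GetAddressBytes()
    if ($addrBytes.Length -ne $Info.Bytes.Length) { return $false }   # IPv4 vs IPv6
    $bitsLeft = $Info.Prefix
    for ($i = 0; $i -lt $addrBytes.Length -and $bitsLeft -gt 0; $i++) {
        $take = [Math]::Min(8, $bitsLeft)
        $mask = (0xFF -shl (8 - $take)) -band 0xFF
        if (($addrBytes[$i] -band $mask) -ne ($Info.Bytes[$i] -band $mask)) { return $false }
        $bitsLeft -= $take
    }
    return $true
}

# Longest-prefix match: the most specific subnet that contains the address wins.
# Returns $null when no site-bound subnet contains it.
function Resolve-ADSiteForIP {
    param([string]$IPAddress, $Subnets)
    $ip = [System.Net.IPAddress]::Parse($IPAddress)
    $best = $null
    foreach ($s in $Subnets) {
        if (-not $s.Site) { continue }            # unassigned subnets cannot locate anything
        $info = ConvertTo-PrefixInfo $s.Name
        if ((Test-IPInPrefix $ip $info) -and ($null -eq $best -or $info.Prefix -gt $best.Prefix)) {
            $best = [pscustomobject]@{ Prefix = $info.Prefix; Subnet = $s.Name; SiteDn = $s.Site }
        }
    }
    return $best
}

$subnets = Get-ADReplicationSubnet -Filter * -Properties Site

# Check 1: subnets that exist but are bound to no site. Clients in them get no
# site name and may authenticate against any DC, including one across the WAN.
$subnets | Where-Object { -not $_.Site } |
    ForEach-Object { Write-Warning "Subnet $($_.Name) is not assigned to any site" }

# Check 2: for every DC, compare the site it is in with the site its IPv4 address
# maps to. A DC moved by hand, or a subnet edited after promotion, shows up here.
foreach ($dc in Get-ADDomainController -Filter *) {
    $match = Resolve-ADSiteForIP $dc.IPv4Address $subnets
    $dcSiteDn = (Get-ADReplicationSite -Identity $dc.Site).DistinguishedName
    if ($null -eq $match) {
        Write-Warning "$($dc.HostName) ($($dc.IPv4Address)) is in no site-bound subnet"
    }
    elseif ($dcSiteDn -ne $match.SiteDn) {
        Write-Warning "$($dc.HostName) is in site $($dc.Site) but its address maps to $($match.SiteDn)"
    }
    else {
        Write-Host "$($dc.HostName): site $($dc.Site) matches subnet $($match.Subnet)"
    }
}
```

Run it from any domain-joined host with the RSAT AD module. Check 1 is the one to watch after a network change: a subnet added in AD but never bound to a site behaves exactly like a missing subnet. Check 2 complements the Move-ADDirectoryServer procedure above by confirming the DC's placement agrees with its own address.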
Site links are used for communication between sites. A site link connects two or more AD sites and matches the physical connection topology between them. Site links define the routes that Active Directory replication can use, and they also affect how clients choose the closest domain controllers or other servers.
For example, if all three of your sites can be directly connected to each other, just create a single site link that includes all 3 sites.
You can manage site links in the same console under Inter-Site Transports > IP. By default, there is only one link, named DEFAULTSITELINK, which contains all three sites and replicates every 3 hours.
You can use the Active Directory Sites and Services console or the PowerShell command line to manage site links in Active Directory.
For example, you want to create a new site link between the Toronto and Vancouver sites and set a custom cost and replication frequency:
New-ADReplicationSiteLink -Name "lnk-Toronto-Vancouver" -SitesIncluded Vancouver, Toronto -Cost 100 -ReplicationFrequencyInMinutes 15
To remove this site link, run the command:
Remove-ADReplicationSiteLink -Identity "lnk-Toronto-Vancouver"
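Once links are created and removed by hand, it is easy to leave a site behind in no link at all, and such a site has no inter-site replication path. The following script is an added example, not code from the original article: it lists every site link with its member sites, cost and replication interval, then flags any site that is not a member of any site link. It assumes the ActiveDirectory module and read access to the Configuration partition, and makes no changes.

```powershell
# Added example (not from the original article): review the site-link topology
# and flag sites that belong to no site link. Read-only; assumes the
# ActiveDirectory module and read access to the Configuration partition.
Import-Module ActiveDirectory

$links = Get-ADReplicationSiteLink -Filter * -Properties SitesIncluded, Cost, ReplicationFrequencyInMinutes
$sites = Get-ADReplicationSite -Filter *

# SitesIncluded holds site distinguished names; build a DN -> Name lookup once.
$siteNameByDn = @{}
foreach ($site in $sites) { $siteNameByDn[$site.DistinguishedName] = $site.Name }

# One row per site link: member site names, cost and interval in minutes.
function Get-SiteLinkSummary {
    param($Links, $SiteNameByDn)
    foreach ($link in $Links) {
        [pscustomobject]@{
            Link        = $link.Name
            Sites       = ($link.SitesIncluded | ForEach-Object { $SiteNameByDn[$_] }) -join ', '
            Cost        = $link.Cost
            IntervalMin = $link.ReplicationFrequencyInMinutes
        }
    }
}

# Sites whose DN appears in no link's SitesIncluded collection.
function Get-UnlinkedSites {
    param($Links, $Sites)
    $linked = @{}
    foreach ($link in $Links) {
        foreach ($dn in $link.SitesIncluded) { $linked[$dn] = $true }
    }
    $Sites | Where-Object { -not $linked.ContainsKey($_.DistinguishedName) }
}

Get-SiteLinkSummary $links $siteNameByDn | Format-Table -AutoSize

$orphans = Get-UnlinkedSites $links $sites
if ($orphans) {
    $orphans | ForEach-Object { Write-Warning "Site $($_.Name) is not a member of any site link" }
}
else {
    Write-Host "Every site is covered by at least one site link"
}
```

The summary table is the quick way to confirm that a link created with -Cost and -ReplicationFrequencyInMinutes, as in the example above, actually carries the values you intended, and the orphan check is worth running after any Remove-ADReplicationSiteLink.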
Active Directory sites are typically created for branches with domain controllers. However, other applications also use AD site information, for example Distributed File System (DFS), Exchange Server and System Center Configuration Manager (SCCM).
2 comments
Is there a need to add ‘voice’ subnets to AD Sites and Services?
Thank you for sharing these things.