Active Directory Sites

Active Directory (AD) is a powerful and versatile directory service that can be customized to a large degree to fit an organization's needs. Part of what makes it powerful is that an AD network is designed along two distinct structures: a logical structure and a physical structure. The logical structure consists of forests, domains, organizational units and the like. The physical structure is made up of the domain controllers (DCs), servers and IP subnets that actually carry the directory. A site is the object that represents this physical side of the network. In this article we look at what AD sites, subnets and site links are, how each of them is created through the Active Directory Sites and Services console, how sites shape replication, and what you gain by defining them.

What are AD sites?  

AD sites are used to manage an organization whose offices are spread across different geographical locations. Because sites belong to the physical structure, they can be laid out to match the network without changing anything in the logical structure: sites are defined once per forest, not per domain, so a single domain can span several sites and one site can hold DCs from several domains. Technically, an AD site is a grouping of well-connected IP subnets, and its purpose is to replicate directory changes between domain controllers (DCs) efficiently. Think of the site topology as a map that tells replication which routes to take, so that the available network bandwidth is used sensibly; it is what makes replication cheaper and faster, and it gives you control over replication traffic and over the authentication process. When a client looks for a DC to handle its logon, directory searches or other services, the DC locator uses the client's IP address to work out which site it is in and prefers a DC in that site. Sites are also one of the three levels at which Group Policy Objects can be linked (site, domain and OU), so they can be used to target policy at a location.

In AD the topology is stored as site, subnet and site link objects in the forest-wide Configuration partition, which every DC holds and which any authenticated user can read; treat it as accurate documentation of your network layout, and keep it accurate. When a forest is created, a single site called Default-First-Site-Name is created with it, and every DC is placed in that site until you create others.

What are subnets?  

Within a site, subnets group the computers that are close to each other on the network, based on their IP addresses. Each subnet object is identified by an address prefix (for example 10.20.0.0/16), and a site is the sum of the well-connected subnets associated with it. Subnets can be IPv4 or IPv6 prefixes. The subnet-to-site mapping is what the DC locator uses to decide which site a client is in, so a client whose address falls outside every defined prefix belongs to no site at all and cannot be steered to a local DC.

What are AD site Links?

As the name implies, site links connect sites. The site link created with the forest is called DEFAULTIPSITELINK, and every new site is placed in a site link when it is created. Site links define the paths replication can take between sites, and their properties (cost, replication interval and schedule) control when, how often and along which path inter-site replication runs. Replication follows the lowest-cost path between two sites, so costs should reflect the relative bandwidth and latency of the WAN links they represent.

Sites and Replication  

When a change is made on one DC, every other DC that holds the same directory partition receives it through replication: domain data goes to the DCs of that domain, while the schema and configuration partitions go to every DC in the forest. Replication is what keeps all DCs consistent after a change to any object or policy, and the site topology decides how that traffic flows. To learn more about replication based on the site topology, check this article.

What is Active Directory Sites and Services?

Active Directory Sites and Services is the administrative tool used to manage sites and their related components. It is a Microsoft Management Console (MMC) snap-in (dssite.msc).

Configuring Active Directory Sites and Services

The following is a partial list of tasks that can be managed using Active Directory Sites and Services:

  • Creating sites
  • Creating subnets and associating subnets with sites
  • Creating site links
  • Configuring site properties
  • Moving servers between sites

How to create a site  

The following steps illustrate how to create an AD site:

  • Go to Start > Administrative Tools > Active Directory Sites and Services. The Active Directory Sites and Services window opens.
  • In the left pane, right-click Sites and click New Site.
  • Give the new site a suitable name, select the site link to place it in (DEFAULTIPSITELINK if you have not created others yet), and click OK.
Creating a new Active Directory Site dialog box
Creating a new Active Directory Site from the Active Directory Sites and Services Window

You now have created a new AD site.

How to create a subnet  

Now that a site other than the default exists, the subnet (or subnets) that define its boundaries must be created as well; until they are, no client is mapped to the new site. The following steps illustrate how to create a subnet:

  • Go to Start > Administrative Tools > Active Directory Sites and Services. The Active Directory Sites and Services window opens.
  • In the left pane, right-click Subnets and click New Subnet.
  • Enter the address prefix in network prefix notation (for example 10.20.0.0/16 or 2001:db8:20::/48).
  • Select the site object this prefix belongs to, and click OK.
Create a new subnet dialog box in Active Directory
Creating a new subnet from the Active Directory Sites and Services window

You now have created a new subnet.

How to create site links  

To create a new site link, you perform the following steps:

  • Go to Start > Administrative Tools > Active Directory Sites and Services. The Active Directory Sites and Services window opens.
  • In the left pane, expand the Sites container and then Inter-Site Transports. Right-click IP and click New Site Link.
  • Enter a suitable name for the site link.
  • Add the sites the link should connect (at least two), and click OK.
New site link dialog box in Active Directory
Creating a new site link

You now have created a new site link. To configure the properties of the new site link, you can follow these steps:

  • Right-click the new site link and select Properties. Set the cost (default 100), the replication interval in minutes (default 180) and, if replication should only run at certain hours, the schedule via Change Schedule.
  • Then, click OK to apply the changes.
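The same procedure (site, subnets, site link and its properties, and moving a DC into the new site) as an added PowerShell example using the ActiveDirectory module's replication cmdlets instead of the console. This is example code added here, not part of the original article; the site name Chicago, the prefixes, the link name HQ-Chicago, the cost and interval, and the DC name DC03 are assumptions to replace with your own values.

```powershell
# Added example (not from the original article): the console walkthrough above
# done with the ActiveDirectory module (RSAT, Windows Server 2012 or later).
# Site topology lives in the forest-wide Configuration partition, so run this
# as a member of Enterprise Admins. All names and prefixes are assumptions.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$siteName = 'Chicago'                               # assumed branch site
$subnets  = @('10.20.0.0/16', '2001:db8:20::/48')   # assumed branch prefixes
$linkName = 'HQ-Chicago'                            # assumed site link name
$hubSite  = 'Default-First-Site-Name'               # site created with the forest
$branchDC = 'DC03'                                  # assumed DC to move into the site

# 1. Create the site (New Site in the console). -ErrorAction Stop so a failure
#    here does not leave subnets pointing at a site that was never created.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
    New-ADReplicationSite -Name $siteName -Description 'Chicago branch office' -ErrorAction Stop
}

# 2. Create the subnets and bind them to the site (New Subnet in the console).
#    A subnet object's name is its prefix, so the same check works for v4 and v6.
foreach ($prefix in $subnets) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$prefix'")) {
        New-ADReplicationSubnet -Name $prefix -Site $siteName -Location 'Chicago, IL' -ErrorAction Stop
    }
}

# 3. Create the IP site link between hub and branch (New Site Link under
#    Inter-Site Transports > IP) and set the Properties-dialog values: cost and
#    replication interval in minutes. Bit 0x1 of the siteLink 'options'
#    attribute additionally turns on change notification, so changes cross the
#    link within seconds instead of waiting for the next interval (more WAN
#    traffic; leave it off on slow links).
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName `
        -SitesIncluded $hubSite, $siteName `
        -InterSiteTransportProtocol IP `
        -Cost 100 `
        -ReplicationFrequencyInMinutes 60 `
        -ErrorAction Stop
}
Set-ADReplicationSiteLink -Identity $linkName -Replace @{ options = 1 }

# 4. Move the branch DC into the new site. Until this is done the DC still sits
#    in the hub site and Chicago clients will not find a local DC.
Move-ADDirectoryServer -Identity $branchDC -Site $siteName -ErrorAction Stop

# 5. Verify: which subnets map to the site, and which DCs it now contains.
$siteDN = (Get-ADReplicationSite -Identity $siteName).DistinguishedName
Get-ADReplicationSubnet -Filter * | Where-Object { $_.Site -eq $siteDN } | Select-Object Name, Site
Get-ADDomainController -Filter * | Where-Object { $_.Site -eq $siteName } | Select-Object Name, Site, IPv4Address

# The KCC recomputes the inter-site topology on its own (every 15 minutes by
# default); force it and inspect the connection objects it built.
repadmin /kcc $branchDC
repadmin /showrepl $branchDC
```

The guards with Get-ADReplication* make the script safe to re-run; the cmdlets throw on a duplicate name otherwise. Prefixes are stored as the subnet object's name, so `Get-ADReplicationSubnet -Filter *` is also the quickest way to review the whole mapping before and after a change.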

Benefits of creating AD sites

Creating AD sites has several benefits. First, sites give you control over replication. AD replication comes in two flavours: intra-site and inter-site. Intra-site replication is driven by change notification: a DC that receives a change notifies its partners in the same site after a short delay (15 seconds by default at a Windows Server 2003 or later forest functional level; the five-minute delay often quoted dates from Windows 2000) and sends the data uncompressed, which assumes a fast LAN. Inter-site replication is compressed and runs on the site link's schedule and interval (every 180 minutes by default), so it uses far less WAN bandwidth, and you can confine it to the hours when the link is quiet; where a particular link needs faster convergence, change notification can be enabled on that site link at the cost of more traffic. Second, with sites and subnets defined carefully, the DC locator directs client logon and directory traffic to a DC in the client's own site rather than to a remote one. The caveat is that this depends on the client's address matching a subnet object, and that a site with no reachable DC is covered by a DC from the nearest site according to the site link costs. Overall, sites keep the WAN from being bogged down by replication and logon traffic that could have stayed local.
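An added example (not part of the original article, and not a Microsoft tool) that checks the "logon traffic stays local" benefit the way the DC locator decides it, and covers the failure mode mentioned in the subnets section: a client IP is matched against the subnet prefixes defined in Sites and Services with longest prefix winning, and an address that matches nothing has no site at all. A DC records such clients as NO_CLIENT_SITE lines in %SystemRoot%\debug\netlogon.log and summarises them in NETLOGON event 5807. The subnet table, the site names and the log excerpt below are constructed for the example.

```powershell
# Added example, not from the original article. Longest-prefix site lookup over
# a constructed netlogon.log excerpt, to find clients with no site and the
# subnet objects that are missing. In production build $subnetTable from
#   Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
# and read the real log from each DC.

# Constructed subnet -> site table (IPv4 prefixes only in this example).
$subnetTable = @{
    '10.0.0.0/16'    = 'Default-First-Site-Name'  # hub LAN
    '10.20.0.0/16'   = 'Chicago'                  # branch
    '10.20.250.0/24' = 'Chicago-DMZ'              # more specific: wins inside 10.20.250/24
    '192.168.5.0/24' = 'Austin'
}

# Constructed netlogon.log excerpt. The "[MISC] [thread]" part differs between
# Windows versions, so the parser keys on the NO_CLIENT_SITE marker only.
$netlogonLines = @(
    '03/10 08:02:11 [MISC] [3244] CONTOSO: NO_CLIENT_SITE: WKS-0421 10.99.4.17'
    '03/10 08:02:15 [MISC] [3244] CONTOSO: NO_CLIENT_SITE: WKS-0422 10.99.4.18'
    '03/10 08:05:40 [MISC] [3244] CONTOSO: NO_CLIENT_SITE: LAPTOP-77 172.16.40.9'
    '03/10 08:06:02 [MISC] [3244] CONTOSO: NO_CLIENT_SITE: WKS-0421 10.99.4.17'
    '03/10 08:07:19 [MISC] [3244] CONTOSO: NO_CLIENT_SITE: SRV-BUILD1 10.20.7.200'
    '03/10 08:07:31 [MISC] [3244] CONTOSO: NO_CLIENT_SITE: SRV-WEB2 10.20.250.14'
    '03/10 08:07:40 [MISC] [3244] CONTOSO: DsGetDcName function called: client PID=1820, Dom:(null) Acct:(null) Flags: KDC'
)

function ConvertTo-UInt32Address ([string]$Dotted) {
    # Big-endian integer value of an IPv4 address, so a prefix mask can be
    # applied with plain arithmetic.
    $b = [System.Net.IPAddress]::Parse($Dotted).GetAddressBytes()
    return [uint32](($b[0] * 16777216) + ($b[1] * 65536) + ($b[2] * 256) + $b[3])
}

function Get-SiteForIPv4 {
    # Longest-prefix match, the rule the DC locator applies. Returns the site
    # name, or $null when the address falls outside every defined prefix.
    param([string]$IPv4, [hashtable]$Table)
    if ([System.Net.IPAddress]::Parse($IPv4).AddressFamily -ne 'InterNetwork') { return $null }
    $ip = ConvertTo-UInt32Address $IPv4
    $bestSite = $null; $bestBits = -1
    foreach ($entry in $Table.GetEnumerator()) {
        $net, $bits = $entry.Key -split '/'
        $bits = [int]$bits
        # 2^32 - 2^(32-bits) is the mask: bits=0 gives 0, bits=32 gives 0xFFFFFFFF.
        $mask = [uint32](4294967296 - [math]::Pow(2, 32 - $bits))
        $inPrefix = ($ip -band $mask) -eq ((ConvertTo-UInt32Address $net) -band $mask)
        if ($inPrefix -and $bits -gt $bestBits) { $bestSite = $entry.Value; $bestBits = $bits }
    }
    return $bestSite
}

$seen = foreach ($line in $netlogonLines) {
    if ($line -match 'NO_CLIENT_SITE:\s+(?<host>\S+)\s+(?<ip>\S+)\s*$') {
        [pscustomobject]@{
            Host = $Matches.host
            IP   = $Matches.ip
            Site = Get-SiteForIPv4 -IPv4 $Matches.ip -Table $subnetTable   # $null = still unmapped
        }
    }
}

# Clients whose address now falls inside a defined prefix: the log entry predates
# the subnet object, and they will be mapped to that site on their next DC lookup.
$seen | Where-Object Site | Sort-Object Host -Unique | Format-Table Host, IP, Site

# Clients still outside every prefix, grouped by /24 so the missing subnet objects
# are obvious. Until they are added, these clients authenticate against whichever
# DC DNS hands them, wherever that DC is.
$seen | Where-Object { -not $_.Site } |
    Group-Object { ($_.IP -split '\.')[0..2] -join '.' } |
    ForEach-Object {
        [pscustomobject]@{
            MissingSubnet = "$($_.Name).0/24"
            Clients       = ($_.Group.Host | Sort-Object -Unique) -join ', '
            Hits          = $_.Count
        }
    } | Format-Table -AutoSize
```

With the constructed input, SRV-BUILD1 resolves to Chicago and SRV-WEB2 to Chicago-DMZ (the /24 beats the /16), while 10.99.4.0/24 and 172.16.40.0/24 come out as missing subnets. Cross-check any individual address against a DC's own view with `nltest /dsaddresstosite:10.99.4.17`, and on the client itself `nltest /dsgetsite` shows which site it ended up in.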
