Configure and Manage Active Directory Sites and Services

Overview

Active Directory Sites and Services is the tool used to manage the physical topology of your AD infrastructure – specifically, how domain controllers are grouped into sites, how those sites are connected via site links, and how IP subnets are mapped to sites so that clients and DNS queries are directed to the nearest domain controller.

In this guide, we configure a three-site Active Directory topology for a hypothetical organization with locations in New York, Dallas, and Birmingham. The domain controller is NYC-DC1, hosted in New York. We will create the three sites, configure site links with appropriate costs to prioritize replication paths, set the replication schedule, map subnets to each site, and review site link bridging behavior.

Prerequisites

  • Active Directory Domain Services installed and a functioning domain
  • Domain Admin or Enterprise Admin permissions
  • Domain controllers for each site already promoted (or planned) – DCs need to be moved into their correct site after creation
  • IP subnet ranges identified for each site location

Part 1 – Create the Sites

Open Server Manager, go to Tools, and select Active Directory Sites and Services. In the left panel, expand the tree and click the Sites folder. By default you will see a single site named Default-First-Site-Name – all domain controllers belong to this site until you create additional sites and move them.

Active Directory Sites and Services console showing the Sites folder selected in the left panel with the Default-First-Site-Name entry visible, and the right-click context menu with New Site highlighted
Opening Active Directory Sites and Services – right-click the Sites folder and select New Site to begin creating the topology

Step 1 – Create the New York Site

Right-click the Sites folder and select New Site. In the dialog, enter New York as the site name. Select Default-IP-Site-Link as the link for now – we will replace these with properly configured site links in Part 3. Click OK. A confirmation dialog notes that you should add subnets and move DCs to the new site; click OK to dismiss it.

Step 2 – Create Dallas and Birmingham Sites

Repeat the process to create the Dallas and Birmingham sites, each using the Default-IP-Site-Link. After creating all three, they appear in the Sites folder alongside Default-First-Site-Name.

New Site dialog with New York entered as the site name and Default-IP-Site-Link selected, followed by the confirmation that the site was successfully created, and a second New Site dialog creating Dallas
Creating the New York and Dallas sites – repeat for Birmingham using the same Default-IP-Site-Link selection
Active Directory Sites and Services showing all three new sites – New York, Dallas, and Birmingham – in the Sites folder, with a note that domain controllers should be moved to their respective sites
All three sites created – the next step is to move each domain controller into its correct site

Part 2 – Move Domain Controllers to Their Sites

Domain controllers assigned to the wrong site will cause clients to authenticate against a geographically distant DC, increasing latency and reducing performance. To move a DC: expand its current site → expand Servers → right-click the domain controller → select Move → choose the target site. Repeat for each DC in your environment.

Part 3 – Create Site Links

Site links define the connections between your sites and control how replication traffic flows between domain controllers. In the Inter-Site Transports node you have two transport options:

  • SMTP – historically used for email-based replication in early AD versions; obsolete for modern environments
  • IP – the standard and recommended protocol for all Active Directory replication between sites

Right-click IP and select New Site Link to create each link.

Active Directory Sites and Services showing the Inter-Site Transports section with IP and SMTP options, and the New Site Link dialog creating the Dallas-5MB-New York link with Dallas and New York added to the link
Creating the first site link – use IP transport and add the two sites that this link connects

Step 3 – Create Three Site Links

Create the following three site links, each using the IP transport:

  • Dallas-5MB-New York – connects Dallas and New York (primary replication path)
  • New York-2EMB-Birmingham – connects New York and Birmingham (secondary path)
  • BRN-512K-Dallas – connects Birmingham and Dallas (failover path)

For each link: right-click IP → New Site Link → enter the name → add both sites from the list → click OK.

Two New Site Link dialogs – one creating BRN-512K-Dallas with Birmingham and Dallas added, and the completed IP section showing all three site links listed: Dallas-5MB-New York, New York-2EMB-Birmingham, and BRN-512K-Dallas
All three site links created and visible in the IP section of Inter-Site Transports

Part 4 – Configure Site Link Costs and Replication Interval

Site link cost tells Active Directory which replication paths to prefer. Lower cost = higher priority. By assigning different costs we create a primary path, a secondary path, and a failover path:

  • Dallas-5MB-New York: Cost 25 – primary replication path (fast, high-bandwidth link)
  • New York-2EMB-Birmingham: Cost 100 – secondary path
  • BRN-512K-Dallas: Cost 400 – failover path (used only if primary paths are unavailable)

To set the cost: navigate to Inter-Site Transports → IP, double-click the site link, locate the Cost field, change the value, and click OK. Repeat for each link.

Site Link properties dialog for Dallas-5MB-New York showing the Cost field changed to 25 and the Replication interval field, with the IP section in the background showing all three site links with their updated costs
Setting the cost on each site link – lower cost routes are preferred by Active Directory for replication traffic

Part 5 – Configure the Replication Schedule

The replication interval controls how frequently replication occurs between sites connected by a link. The default is 180 minutes (3 hours). In most environments this is acceptable, but you can reduce it for near-real-time replication or increase it to reduce bandwidth usage on expensive WAN links.

Configure the Replication Schedule Window

In addition to the interval, you can configure a schedule that restricts which hours replication is permitted. To access it: double-click a site link → click Change Schedule. The grid shows every hour of every day – all green by default (replication allowed at all times). Click and drag to select specific hours, then click Replication Not Available to block replication during those periods (for example, during peak business hours on a congested WAN link).

Site Link properties dialog showing the replication interval set to 180 minutes and the Change Schedule button, alongside the schedule grid with green blocks representing hours when replication is allowed
The replication schedule grid – block specific hours by selecting them and setting Replication Not Available, leaving all other times open

Part 6 – Configure Subnets

Subnets are the critical link between your IP addressing scheme and your AD site topology. When a client device contacts a domain controller, Active Directory checks the client’s IP address against the subnet-to-site mappings to determine which site the client belongs to, then directs it to a DC in the nearest site. Without subnet mappings, all clients are treated as if they belong to the default site.

Subnet Rules

  • A subnet can only be associated with one site
  • A site can have one or more subnets
  • Subnets must not overlap across sites
  • Both IPv4 and IPv6 subnets are supported

Step 4 – Create Subnets for Each Site

In Active Directory Sites and Services, right-click the Subnets folder in the left panel and select New Subnet. Enter the IP address range in CIDR notation and select the associated site from the dropdown.

Active Directory Sites and Services showing the Subnets folder with the right-click New Subnet option, and the New Object – Subnet dialog with an IP address range entered and the site association dropdown showing New York selected
Creating a new subnet and associating it with the New York site – repeat for Dallas and Birmingham

Create the following three subnets, one per site:

  • 192.168.1.0/24 → New York
  • 192.168.2.0/24 → Dallas
  • 192.168.3.0/24 → Birmingham

New Object – Subnet dialog showing 192.168.3.0/24 entered with Birmingham selected as the associated site, and the completed Subnets folder showing all three subnets listed and mapped to their respective sites
All three subnets created and associated – DNS can now direct clients to the nearest domain controller based on their IP address
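
The console steps in Parts 1 through 6 can also be scripted. The following is an added example, not part of the original guide, that builds the same sites, site links, costs, interval and subnets with the ActiveDirectory PowerShell module; it assumes the RSAT AD module is installed and the session runs with the permissions listed in the prerequisites.

```powershell
# Added example: scripted equivalent of Parts 1-6, safe to re-run.
# Unlike the console, New-ADReplicationSite does not attach a site to
# Default-IP-Site-Link; the three links below cover every site.
Import-Module ActiveDirectory

$sites = 'New York', 'Dallas', 'Birmingham'

# Site links from Parts 3-4: name, member sites, cost
$links = @(
    @{ Name = 'Dallas-5MB-New York';      Sites = 'Dallas', 'New York';     Cost = 25  }
    @{ Name = 'New York-2EMB-Birmingham'; Sites = 'New York', 'Birmingham'; Cost = 100 }
    @{ Name = 'BRN-512K-Dallas';          Sites = 'Birmingham', 'Dallas';   Cost = 400 }
)

# Subnet-to-site mappings from Part 6
$subnets = [ordered]@{
    '192.168.1.0/24' = 'New York'
    '192.168.2.0/24' = 'Dallas'
    '192.168.3.0/24' = 'Birmingham'
}

foreach ($s in $sites) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$s'")) {
        New-ADReplicationSite -Name $s
    }
}

foreach ($l in $links) {
    if (Get-ADReplicationSiteLink -Filter "Name -eq '$($l.Name)'") {
        # Link already exists: enforce the cost and the 180-minute interval from Part 5
        Set-ADReplicationSiteLink -Identity $l.Name -Cost $l.Cost -ReplicationFrequencyInMinutes 180
    } else {
        New-ADReplicationSiteLink -Name $l.Name -SitesIncluded $l.Sites -Cost $l.Cost `
            -ReplicationFrequencyInMinutes 180 -InterSiteTransportProtocol IP
    }
}

foreach ($cidr in $subnets.Keys) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
        New-ADReplicationSubnet -Name $cidr -Site $subnets[$cidr]
    }
}

# Part 2: NYC-DC1 is the only DC the guide names; it belongs in New York
Move-ADDirectoryServer -Identity 'NYC-DC1' -Site 'New York'
```

Appending `-WhatIf` to the `New-*`, `Set-*` and `Move-*` calls previews the changes without writing to the directory.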

Part 7 – Site Link Bridging

Site link bridging is an Active Directory feature that automatically allows all site links to communicate transitively – meaning if Dallas can reach New York, and New York can reach Birmingham, then Dallas can also replicate with Birmingham through New York without a direct site link between them. Bridging is enabled by default.

Active Directory Sites and Services showing the IP transport node with subnet and site link configurations, and explanatory notes about site link bridging being enabled by default allowing transitive replication between all sites
Site link bridging is enabled by default – replication can flow transitively through intermediate sites without direct links

When to Disable Site Link Bridging

In most environments, leave bridging enabled. Consider disabling it only when:

  • You have limited bandwidth or complex network topologies where you need precise control over which sites replicate directly
  • You are implementing a hub-and-spoke topology where branch sites should only replicate through the hub, not with each other

How to Disable Site Link Bridging

Navigate to Inter-Site Transports → IP, right-click IP → Properties. Uncheck Bridge All Site Links and click OK. This disables automatic bridging for all IP site links simultaneously.

Creating a Custom Site Link Bridge

After disabling automatic bridging, you can manually define which site links are bridged. Right-click IP and select New Site Link Bridge. Name the bridge, add the specific site links you want to bridge together, and click OK. This gives you granular control over replication paths without enabling full transitive bridging.

IP Properties dialog with Bridge All Site Links checkbox highlighted, and the New Site Link Bridge dialog showing a custom bridge being created with specific site links added to control replication paths
Disabling automatic bridging and creating a custom site link bridge for granular replication path control

Verifying the Configuration

After completing all steps, Active Directory automatically updates DNS with the site topology information. The DNS server learns which subnets belong to which sites, ensuring DNS queries from clients are resolved to the nearest domain controller. You can verify this in Server Manager – the dashboard should show no critical alerts, and Active Directory Sites and Services should reflect all sites, site links, subnets, and any site link bridges you have created.

Server Manager Dashboard and Active Directory Sites and Services showing the completed three-site topology with New York, Dallas, and Birmingham sites, all three site links, and the subnet associations configured
The completed topology – three sites, three site links with prioritized costs, subnets mapped to each site, and DNS updated automatically

Important Considerations

Site Link Cost vs. Bandwidth

The cost value is not automatically derived from the actual link bandwidth – it is an administrative value that you assign based on your network topology. A common convention is to assign lower costs to higher-bandwidth links, but you can use any numeric values that represent your intended replication priority. The key is relative ordering: cost 25 is preferred over cost 100, which is preferred over cost 400.

Default-First-Site-Name

Do not forget to rename or decommission Default-First-Site-Name if you no longer need it. Any domain controller or subnet not explicitly assigned to a site is automatically placed here, which can cause routing confusion if left unmanaged. Rename it to a meaningful location name, or ensure all DCs and subnets are explicitly assigned to the correct sites.

Subnet Overlap

Each IP subnet must be unique across all sites – overlapping subnets cause unpredictable DC referral behavior. Use /24 subnets or larger masks to clearly delineate site boundaries, and document your subnet-to-site mapping in your network design documentation.
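
The checks described under Default-First-Site-Name and Subnet Overlap can be automated. This added example (not from the original guide) is a read-only audit that flags overlapping subnets mapped to different sites, domain controllers still in the default site, and domain controllers whose address maps to a different site than the one they sit in. It assumes the ActiveDirectory module is available and covers IPv4 subnets only.

```powershell
# Added example (not from the guide): read-only audit of the site topology, IPv4 only.
Import-Module ActiveDirectory
function ConvertTo-IPv4Number ([string]$Ip) {
    $n = [long]0
    foreach ($b in [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()) { $n = $n * 256 + $b }
    $n
}

# Every IPv4 subnet object with its site name and numeric first/last address
$subnets = @(Get-ADReplicationSubnet -Filter * | Where-Object { $_.Name -notmatch ':' } |
    ForEach-Object {
        $addr, $len = $_.Name -split '/'
        $size  = [long][math]::Pow(2, 32 - [int]$len)
        $ip    = ConvertTo-IPv4Number $addr
        $first = $ip - ($ip % $size)
        [pscustomobject]@{
            Cidr  = $_.Name
            Site  = ($_.Site -replace '^CN=([^,]+),.*$', '$1')
            First = $first
            Last  = $first + $size - 1
        }
    })

# 1. Ranges that overlap while mapped to different sites
for ($i = 0; $i -lt $subnets.Count; $i++) {
    for ($j = $i + 1; $j -lt $subnets.Count; $j++) {
        $a, $b = $subnets[$i], $subnets[$j]
        if ($a.First -le $b.Last -and $b.First -le $a.Last -and $a.Site -ne $b.Site) {
            Write-Warning "Overlap: $($a.Cidr) ($($a.Site)) and $($b.Cidr) ($($b.Site))"
        }
    }
}

# 2. DCs left in the default site, or whose address maps to another site or none
foreach ($dc in Get-ADDomainController -Filter *) {
    if (-not $dc.IPv4Address) { continue }
    if ($dc.Site -eq 'Default-First-Site-Name') {
        Write-Warning "$($dc.Name) is still in Default-First-Site-Name"
    }
    $n = ConvertTo-IPv4Number $dc.IPv4Address
    # Assumption: the smallest subnet containing the address is the one that applies
    $hit = $subnets | Where-Object { $n -ge $_.First -and $n -le $_.Last } |
        Sort-Object { $_.Last - $_.First } | Select-Object -First 1
    if (-not $hit) {
        Write-Warning "$($dc.Name) ($($dc.IPv4Address)) matches no subnet"
    } elseif ($hit.Site -ne $dc.Site) {
        Write-Warning "$($dc.Name) is in '$($dc.Site)' but $($hit.Cidr) maps to '$($hit.Site)'"
    }
}
```

A clean run prints nothing; each warning names the object to correct in Active Directory Sites and Services.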