Configuring Active Directory Sites & Services is an important, but sometimes mishandled, part of administering a domain. The information in Sites & Services is used by AD to create a replication topology, determine which DCs should authenticate clients, and help users connect to applications and services. A misconfigured Sites & Services can result in increased logon times, poor user experience with some applications, or worse, a tombstoned DC if issues go undetected for too long. Here, we'll review what the information in Sites & Services is used for, the correct way to set it up, and how to verify that it is configured correctly.
Primarily, AD Sites & Services provides a way for the administrator of a domain to map the physical layout of the network in a way that Active Directory can understand. This information is used to help the domain controllers and client machines in the following ways:
- DC Replication Topology - Determining which DCs are allowed to replicate with each other and creating a full topology that ensures all DCs can replicate with the rest of the domain.
- Client DC Selection - Ensuring that client devices (servers and workstations) choose the nearest DC for authentication and other domain communications.
- DFS Namespaces - Ensuring that clients requesting access to a DFS Namespace share are accessing the nearest copy of the data when possible.
- Other Site-Aware Services - Helping client machines communicate with the correct server for applications like Exchange.
How to Configure It
Now that we know what the information in AD S&S is used for, we can understand why it's important to configure it correctly. At its core, the topology you define in AD S&S should match the physical and network topology of your environment. The topology is made up of the following items:
- AD Sites - These are the objects that represent the physical locations of DCs and/or client machines. Typically, every defined site should have at least one DC, and the sites should match the physical locations the servers are in. Specifically, servers that are on the same LAN should be in the same site, and servers that are separated by a WAN should be in separate sites.
- Subnets - Subnets are the IP ranges that are associated with specific AD sites. DCs and clients use the subnets you define to determine what site they are in. For example, if you define a subnet of 192.168.0.0/24 and map it to the US-NYC site, then any server or workstation with an IP address in that network will know it's located in that site.
- Site Links - Site links connect 2 or more AD sites together and should match the physical network connections among the sites. For example, if you have 3 locations that have full connectivity to each other, then you could have a single site link that contains all 3 sites. This would tell Active Directory and the related services that all locations can and should communicate directly with each other.
The most common issues are within the site links. It's easy to overlook how the site links should be configured, but it is very important to set them up correctly. The site links help the KCC (Knowledge Consistency Checker) decide which DCs should be replicating with each other. The KCC is an automatic function within AD that has multiple tasks, one of which is ensuring that all DCs have suitable replication partners. AD site links will typically follow one of two patterns:
- Full Mesh - In a full mesh topology, all sites are connected to each other over relatively similar link types. For a full mesh topology, you can have a single site link that contains all of the defined AD sites.
- Hub and Spoke - A hub and spoke topology has one or more hub sites and multiple branch sites that communicate only with the nearest hub location. Typically, the hubs are central datacenters, while the branch sites would be branch office locations or smaller, remote datacenters.
[Figure: Full mesh topology. All 4 sites connected to each other.]
[Figure: Hub and Spoke topology. Site A is the hub site; each branch site can only communicate with the hub site.]
The most important part of configuring the site links is ensuring that they match the network connectivity of the sites. If you create a site link and add sites to it that can't all communicate with each other, you'll likely end up with replication errors. The KCC assumes that all sites in each site link have full connectivity to each other, and if that isn't the case, you can run into issues.
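The hub-and-spoke pattern above, built with the ActiveDirectory module, as an added example that is not code from the original article. The site names, subnet prefixes, link cost and replication interval are constructed placeholders.

```powershell
# Added example, not code from the original article: builds a hub-and-spoke
# AD Sites & Services topology with the ActiveDirectory module.
# Site names, subnets, cost and interval are constructed placeholders.
Import-Module ActiveDirectory

$Hub        = 'US-NYC'
$HubSubnets = @('10.10.0.0/16', '192.168.0.0/24')
$Spokes     = @(
    @{ Site = 'US-BOS'; Subnets = @('10.20.0.0/16') },
    @{ Site = 'US-CHI'; Subnets = @('10.30.0.0/16', '10.31.0.0/16') }
)

# 1. Sites: one object per physical location (each should end up with a DC).
foreach ($Name in @($Hub) + $Spokes.Site) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$Name'")) {
        New-ADReplicationSite -Name $Name
    }
}

# 2. Subnets: the ranges DCs and clients use to work out which site they are in.
function Add-SiteSubnet([string]$Prefix, [string]$Site) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$Prefix'")) {
        New-ADReplicationSubnet -Name $Prefix -Site $Site
    }
}
$HubSubnets | ForEach-Object { Add-SiteSubnet $_ $Hub }
foreach ($Spoke in $Spokes) {
    $Spoke.Subnets | ForEach-Object { Add-SiteSubnet $_ $Spoke.Site }
}

# 3. Site links: one per hub-to-spoke WAN connection, holding only the two
#    sites that really have direct connectivity. The KCC assumes every site
#    in a link can reach every other, so a spoke never shares a link with
#    another spoke.
foreach ($Spoke in $Spokes) {
    $LinkName = "$($Hub)-$($Spoke.Site)"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$LinkName'")) {
        New-ADReplicationSiteLink -Name $LinkName `
            -SitesIncluded $Hub, $Spoke.Site `
            -Cost 100 `
            -ReplicationFrequencyInMinutes 15 `
            -InterSiteTransportProtocol IP
    }
}
```

Sites created through the Sites & Services console are placed in a site link at creation time (usually DEFAULTIPSITELINK); any spoke site still in that shared link should be removed from it, otherwise the KCC treats it as directly connected to every other member.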
Checking the Configuration
When reviewing an environment, check the following items to ensure the AD S&S topology is correct:
- Do the AD sites match the physical locations of the DCs?
- Do the defined subnets map to the correct AD site?
- Are there a large number of clients connecting from subnets that aren't defined? You can check this by looking for event ID 5807 in the system log on each DC.
- Do the site links match the physical/network connectivity among the sites?
- Are there any KCC errors in the Directory Service event log on each DC?
- Is replication working normally across the domain? This can be tested with the repadmin command and by watching for reported issues, such as password problems or changes not replicating to certain DCs.
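The checklist above run as a script against the current domain, as an added example that is not code from the original article. It uses the ActiveDirectory module, Get-WinEvent and repadmin; the one-day event window is a constructed placeholder, and the netlogon.log path is where NETLOGON records the undefined-subnet clients that event 5807 summarises.

```powershell
# Added example, not code from the original article: runs the checklist above
# against the current domain. The one-day window is a constructed placeholder.
Import-Module ActiveDirectory
$Findings = [System.Collections.Generic.List[string]]::new()
$Since    = (Get-Date).AddDays(-1)
$DCs      = Get-ADDomainController -Filter *

# 1. Sites vs. DC placement: every defined site should contain a DC.
foreach ($Site in Get-ADReplicationSite -Filter *) {
    if (-not ($DCs | Where-Object Site -eq $Site.Name)) {
        $Findings.Add("Site '$($Site.Name)' has no domain controller")
    }
}

# 2. Subnets with no site mapping do nothing for site discovery.
Get-ADReplicationSubnet -Filter * | Where-Object { -not $_.Site } |
    ForEach-Object { $Findings.Add("Subnet $($_.Name) is not mapped to a site") }

# 3. Site links: each is a claim that all its members have full connectivity,
#    so flag any link with more than two sites for review against the WAN.
foreach ($Link in Get-ADReplicationSiteLink -Filter *) {
    $Members = ($Link.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', '
    if (@($Link.SitesIncluded).Count -gt 2) {
        $Findings.Add("Site link '$($Link.Name)' spans: $Members (confirm full mesh)")
    }
}

# 4. Per DC: NETLOGON 5807 (clients from undefined subnets) in the System
#    log, and KCC errors/warnings in the Directory Service log.
foreach ($DC in $DCs.HostName) {
    $Params = @{ ComputerName = $DC; ErrorAction = 'SilentlyContinue' }
    if (Get-WinEvent @Params -FilterHashtable @{ LogName = 'System'; Id = 5807; StartTime = $Since }) {
        $Findings.Add("$DC : event 5807, clients from undefined subnets (detail in C:\Windows\debug\netlogon.log, NO_CLIENT_SITE lines)")
    }
    Get-WinEvent @Params -FilterHashtable @{ LogName = 'Directory Service'; Level = 1, 2, 3; StartTime = $Since } |
        Where-Object { $_.ProviderName -eq 'NTDS KCC' -or $_.TaskDisplayName -like '*Knowledge Consistency*' } |
        ForEach-Object { $Findings.Add("$DC : KCC event $($_.Id): $(($_.Message -split "`n")[0])") }
}

# 5. Replication health: failures recorded by AD itself, then the repadmin summary.
$Domain = (Get-ADDomain).DNSRoot
foreach ($F in Get-ADReplicationFailure -Target $Domain -Scope Domain) {
    $Findings.Add("$($F.Server) : $($F.FailureCount) failed attempts to $($F.Partner) (error $($F.LastError))")
}
repadmin /replsummary

$Findings
```

An empty $Findings list plus a clean repadmin summary is the baseline to aim for; anything listed maps directly back to one of the checklist questions above.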
The AD Sites & Services configuration plays a key role in certain Active Directory processes but is often overlooked or not done correctly. In addition to the above points, there are many more components to the configuration, such as site link costs, site link bridging, and the Bridge All Site Links option. Overall, ensuring your site topology is correct and there aren't any KCC or replication errors is a great first step to healthy AD replication.
For more information about AD Sites & Services, see the official documentation.