An understanding of sites, subnets, and site links helps you effectively manage sites and their implementation in Active Directory Domain Services (AD DS).
Sites in AD DS represent the physical structure, or topology, of your network. AD DS uses network topology information, which is stored in the directory as site, subnet, and site link objects, to build the most efficient replication topology. The replication topology itself consists of the set of connection objects that enable inbound replication from a source domain controller to the destination domain controller that stores the connection object. The Knowledge Consistency Checker (KCC) creates these connection objects automatically on each domain controller.
You do not have to manage connection objects. In fact, changes that you make to connection objects that the KCC creates automatically are ignored.
You can use the Active Directory Sites and Services snap-in to manage the site, subnet, and site link objects that combine to influence the replication topology.
You can also use Active Directory Sites and Services to manage sites in an Active Directory Lightweight Directory Services (AD LDS) configuration set.
It is important to distinguish between sites and domains. Sites represent the physical structure of your network, while domains represent the logical structure of your organization. Site objects and their contents are replicated to all domain controllers in the forest, irrespective of domain or site.
Domain controllers and other servers that use sites publish server objects in AD DS to take advantage of the good network connectivity that sites provide. You place domain controllers into sites according to where the domain data is needed. For example, if no users from a domain are physically located in a site, there is no reason to place a domain controller for that domain in the site.
Sites help facilitate several activities, including:
- Replication. AD DS balances the
need for up-to-date directory information with the need for
bandwidth optimization by replicating information within a site
whenever data is updated and between sites according to a
- Authentication. Site information helps
make authentication faster and more efficient. When a client logs
on to a domain, it first requests a domain controller in its local
site for authentication. By establishing sites, you can ensure that
clients use domain controllers that are nearest to them for
authentication, which reduces authentication latency and traffic on
wide area network (WAN) connections.
- Service location. Other services, such
as Active Directory Certificate Services (AD CS), Exchange
Server, and Message Queuing, use AD DS to store objects that
can use site and subnet information that make it possible for
clients to locate the nearest service providers more easily.
Associating sites and subnets
A subnet object in AD DS groups neighboring computers in much the same way that postal codes group neighboring postal addresses. By associating a site with one or more subnets, you assign a set of IP addresses to the site.
The term "subnet" in AD DS does not have the strict networking definition of the set of all addresses behind a single router. The only requirement for an AD DS subnet is that the address prefix conforms to the IP version 4 (IPv4) or IP version 6 (IPv6) format.
When you add the Active Directory Domain Services server role to create the first domain controller in a forest, a default site (Default-First-Site-Name) is created in AD DS. As long as this site is the only site in the directory, all domain controllers that you add to the forest are assigned to this site. However, if your forest will have multiple sites, you must create subnets that assign IP addresses to Default-First-Site-Name as well as to all additional sites.
Assigning computers to sites
Server objects are created in AD DS by applications or services, and they are placed into a site based on their IP address. When you add the Active Directory Domain Services server role to a server, a server object is created in the AD DS site that contains the subnet to which the server's IP address maps. If the domain controller's IP address does not map to any site in the forest, the domain controller's server object is created in the site of the domain controller that provides the replication source for AD DS.
Server objects are not created in Default-First-Site-Name by default unless there are no other sites in the forest.
For a client, site assignment is determined dynamically by its IP address and subnet mask during logon.
Locating domain controllers by site
Domain controllers register service (SRV) resource records in Domain Name System (DNS) that identify their site names. Domain controllers also register host (A) resource records in DNS that identify their IP addresses. When a client requests a domain controller, it provides its site name to DNS. DNS uses the site name to locate a domain controller in that site (or in the next closest site to the client). DNS then provides the IP address of the domain controller to the client for the purpose of connecting to the domain controller. For this reason, it is important to ensure that the IP address that you assign to a domain controller maps to a subnet that is associated with the site of the respective server object. Otherwise, when a client requests a domain controller, the IP address that is returned might be the IP address of a domain controller in a distant site. When a client connects to a distant site, the result can be slow performance and unnecessary traffic on expensive WAN links.
Connecting sites with site links
Networks usually consist of a set of local area networks (LANs) that are connected by WANs. In AD DS, site link objects represent the WAN connections between sites. Whereas replication within a site is triggered automatically when a directory update occurs, replication between sites (over slower, more expensive WAN links) is scheduled to occur every 3 hours. You can change the default schedule to occur during the periods that you specify, and at the intervals that you specify, so that you can control WAN link traffic.