How to Set Up Windows Server 2016 Active Directory Sites and Services

Active Directory Sites and Services is a Microsoft Management Console snap-in that manages the physical topology of your Active Directory infrastructure. Sites represent the physical locations of your network, and the connections between them define how Active Directory replication traffic flows. Correctly configuring Sites and Services is essential in multi-site organizations to ensure efficient replication, appropriate authentication traffic routing, and optimal use of wide-area network bandwidth.

Understanding Sites, Subnets, and Site Links

A site in Active Directory is a collection of IP subnets that share fast, reliable network connectivity — typically a local area network. Subnets are associated with sites so that domain controllers and clients know which site they belong to. Site links define the connections between sites and carry replication cost and schedule information. The Knowledge Consistency Checker (KCC) uses site link information to automatically build replication topologies.

Opening Active Directory Sites and Services

Open the console via the Run dialog or Server Manager Tools menu:

dssite.msc

The left pane shows Sites at the top level. Under Sites you will find each site with its Domain Controllers listed under the NTDS Settings object, and also the Servers, Licensing Site Settings, and NTDS Site Settings containers.

Creating a New Site

When Active Directory is first installed, a Default-First-Site-Name site is created automatically. For multi-site deployments, create additional sites to represent each physical location. Right-click the Sites container and select New Site. Enter a site name — use a consistent naming convention such as the city or airport code (e.g., NYC, LON, SYD). Select a site link for the new site to connect through, then click OK.

New-ADReplicationSite -Name "NYC" -Description "New York City headquarters"
New-ADReplicationSite -Name "LON" -Description "London branch office"

Creating Subnets and Associating Them with Sites

After creating sites, define the IP subnets that belong to each site. Right-click the Subnets container (under Sites) and select New Subnet. Enter the subnet address in CIDR notation (e.g., 192.168.10.0/24). Select the site to associate with this subnet. Clients and domain controllers use subnet-to-site mapping to determine their site membership, which controls which domain controllers they authenticate against and which site-linked GPOs they receive.

New-ADReplicationSubnet -Name "192.168.10.0/24" -Site "NYC" -Description "NYC LAN"
New-ADReplicationSubnet -Name "10.20.0.0/16" -Site "LON" -Description "London office network"

Creating Site Links

Site links define the available network paths between sites. In the Inter-Site Transports container, right-click the IP container and select New Site Link. Enter a name, add the sites to connect, then click OK. Configure the Cost, Replication Interval, and Schedule attributes. Cost represents relative bandwidth; lower cost links are preferred. Replication Interval specifies how often replication occurs over this link (minimum 15 minutes). Schedule defines the time windows during which replication is allowed.

New-ADReplicationSiteLink -Name "NYC-LON" -SitesIncluded NYC,LON -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

Configuring Site Link Properties

After creating a site link, you should review its properties. Right-click the site link and select Properties. The Cost field should reflect the relative bandwidth — use higher values for slower or more expensive WAN links. The Replicate every field controls the interval. Click Change Schedule to define when replication is permitted. For most organizations, allow replication at all times to ensure directory changes propagate quickly. Restrict replication hours only if WAN bandwidth is severely constrained.

Set-ADReplicationSiteLink -Identity "NYC-LON" -Cost 50 -ReplicationFrequencyInMinutes 30

Site Link Bridges

By default, Active Directory treats all site links as transitive — meaning if NYC links to LON and LON links to SYD, NYC can reach SYD through LON without a direct site link. This behavior is controlled by the Bridge all site links option, which is enabled by default. If you need finer control over routing, you can disable automatic bridging and create explicit Site Link Bridge objects to define which site links are transitive. Right-click IP under Inter-Site Transports and select Properties to manage this setting.

Assigning Domain Controllers to Sites

When a domain controller is installed, it is automatically placed in the site whose subnet matches its IP address. If no subnet association exists, it lands in the Default-First-Site-Name site and a warning is logged. To move a domain controller to the correct site, find the server under its current site’s Servers container, right-click it, and select Move. Alternatively, ensure the correct subnet is created and mapped before installing domain controllers at that location.

Move-ADDirectoryServer -Identity "DC02" -Site "LON"
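
The placement check described above, as an added example that is not part of the original article: it resolves each domain controller's IP address to a site by longest-prefix match over the subnet list and flags controllers that sit in the wrong site or in no defined subnet. The subnet and DC lists are constructed sample data (DC01, DC03 and all DC addresses are hypothetical), and the function names are illustrative.

```powershell
# Added example: compare each DC's current site with the site its IP maps to.
function ConvertTo-IPv4Number([string]$Address) {
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return [double]$b[0] * 16777216 + $b[1] * 65536 + $b[2] * 256 + $b[3]
}

function Find-SiteForAddress {
    param([string]$Address, [object[]]$Subnets)
    $ip = ConvertTo-IPv4Number $Address
    $best = $null
    foreach ($s in $Subnets) {
        $net, $len = $s.Name -split '/'
        $block = [math]::Pow(2, 32 - [int]$len)   # number of addresses in the subnet
        $hit = [math]::Floor($ip / $block) -eq [math]::Floor((ConvertTo-IPv4Number $net) / $block)
        # When subnets overlap, the most specific (longest prefix) one wins
        if ($hit -and ((-not $best) -or ([int]$len -gt $best.PrefixLen))) {
            $best = [pscustomobject]@{ Site = $s.Site; Subnet = $s.Name; PrefixLen = [int]$len }
        }
    }
    return $best
}

# Constructed sample data. Against a live domain, build these lists from
#   Get-ADReplicationSubnet -Filter *   (Name, Site)
#   Get-ADDomainController -Filter *    (Name, Site, IPv4Address)
# Get-ADReplicationSubnet returns Site as a distinguished name; reduce it to the site name first.
$subnets = @(
    [pscustomobject]@{ Name = '192.168.10.0/24'; Site = 'NYC' }
    [pscustomobject]@{ Name = '10.20.0.0/16';    Site = 'LON' }
)
$dcs = @(
    [pscustomobject]@{ Name = 'DC01'; Site = 'NYC'; IPv4Address = '192.168.10.5' }
    [pscustomobject]@{ Name = 'DC02'; Site = 'Default-First-Site-Name'; IPv4Address = '10.20.4.10' }
    [pscustomobject]@{ Name = 'DC03'; Site = 'LON'; IPv4Address = '172.16.1.10' }
)

foreach ($dc in $dcs) {
    $m = Find-SiteForAddress -Address $dc.IPv4Address -Subnets $subnets
    $status = if (-not $m) { 'NO SUBNET DEFINED' } elseif ($m.Site -ne $dc.Site) { "MOVE TO $($m.Site)" } else { 'OK' }
    [pscustomobject]@{ DC = $dc.Name; CurrentSite = $dc.Site; Subnet = $m.Subnet; Status = $status }
}
```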

Configuring the NTDS Site Settings

Each site has an NTDS Site Settings object that controls site-specific replication behavior. Right-click NTDS Site Settings under a site and select Properties. The Schedule tab configures the intra-site replication schedule. The Change Schedule button allows you to fine-tune the hours during which intra-site replication is active. For most sites with high-bandwidth LAN connections, leave the default schedule, which allows replication at all times.

Universal Group Membership Caching

In branch office sites that do not have a Global Catalog server, users may experience slow logons because universal group membership must be fetched from a remote GC. Universal Group Membership Caching (UGMC) allows a domain controller at a branch site to cache this information locally after the first lookup, eliminating the need to contact the GC for subsequent logons. Enable UGMC in NTDS Site Settings for branch sites:

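# Via ADSI Edit or PowerShell ADSI
$site = [adsi]"LDAP://CN=NTDS Site Settings,CN=LON,CN=Sites,CN=Configuration,DC=corp,DC=local"
# "options" is a bit field: UGMC is bit 0x20 (NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED).
# Bit 0x1 is a different flag: it disables the KCC's automatic intra-site topology generation.
$current = [int]$site.Properties["options"].Value   # an unset attribute ($null) casts to 0
$site.Put("options", ($current -bor 0x20))          # set the UGMC bit, keep any existing flags
$site.SetInfo()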
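
An added example, not part of the original article, that decodes the NTDS Site Settings options bit field per site so that a review shows which sites have UGMC enabled and whether any KCC topology flag has been set alongside it. The site values are constructed sample data, the HasGlobalCatalog field and the function name are illustrative, and the bit values are those Microsoft documents for the nTDSSiteSettings options attribute.

```powershell
# Added example: decode the NTDS Site Settings "options" bit field for each site.
$KccIntraSiteDisabled = 0x01   # automatic intra-site topology generation is off
$KccInterSiteDisabled = 0x10   # automatic inter-site topology generation is off
$GroupCachingEnabled  = 0x20   # universal group membership caching is on

function Get-SiteOptionReport {
    param([string]$Site, [int]$Options, [bool]$HasGlobalCatalog)
    $ugmc  = [bool]($Options -band $GroupCachingEnabled)
    $notes = @()
    if ($Options -band $KccIntraSiteDisabled) { $notes += 'intra-site KCC disabled' }
    if ($Options -band $KccInterSiteDisabled) { $notes += 'inter-site KCC disabled' }
    if ((-not $HasGlobalCatalog) -and (-not $ugmc)) {
        $notes += 'no GC and no UGMC: logons depend on a remote GC'
    }
    [pscustomobject]@{
        Site    = $Site
        Options = $Options
        UGMC    = $ugmc
        Notes   = ($notes -join '; ')
    }
}

# Constructed sample data. Against a live forest, read the values with
#   Get-ADObject -SearchBase "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)" `
#       -LDAPFilter '(objectClass=nTDSSiteSettings)' -Properties options
# and take the GC flag from Get-ADDomainController -Filter * (IsGlobalCatalog, Site).
$sites = @(
    [pscustomobject]@{ Site = 'NYC'; Options = 0;  HasGlobalCatalog = $true  }
    [pscustomobject]@{ Site = 'LON'; Options = 32; HasGlobalCatalog = $false }
    [pscustomobject]@{ Site = 'SYD'; Options = 1;  HasGlobalCatalog = $false }
)

foreach ($s in $sites) {
    Get-SiteOptionReport -Site $s.Site -Options $s.Options -HasGlobalCatalog $s.HasGlobalCatalog
}
```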

Verifying Replication with Sites and Services

After configuring sites, subnets, and site links, verify the replication topology. In Sites and Services, expand a site’s server, right-click NTDS Settings, and select All Tasks > Check Replication Topology. Also use the following command-line tools:

repadmin /replsummary
repadmin /showrepl
dcdiag /test:replications
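
An added example, not part of the original article, that turns the CSV form of repadmin /showrepl into a short list of replication links that are failing or stale. The CSV rows are constructed sample output, DC01 is a hypothetical name, and the 60-minute staleness threshold and the function name are assumptions to adjust to your site link interval.

```powershell
# Added example: list failing or stale replication links from repadmin CSV output.
# Constructed sample; on a domain controller use instead:
#   $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
$csv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,NYC,DC01,"DC=corp,DC=local",LON,DC02,RPC,0,0,2016-11-02 09:15:42,0
showrepl_INFO,LON,DC02,"DC=corp,DC=local",NYC,DC01,RPC,7,2016-11-02 09:00:11,2016-11-01 21:45:03,1722
'@
$rows = $csv | ConvertFrom-Csv

function Get-ReplicationProblem {
    param([object[]]$Rows, [datetime]$Now, [int]$MaxAgeMinutes = 60)
    foreach ($r in $Rows) {
        $failures = [int]$r.'Number of Failures'
        $age = [math]::Round(($Now - [datetime]$r.'Last Success Time').TotalMinutes)
        # Report a link if it has recorded failures or has not succeeded recently
        if (($failures -gt 0) -or ($age -gt $MaxAgeMinutes)) {
            [pscustomobject]@{
                Destination     = "$($r.'Destination DSA Site')\$($r.'Destination DSA')"
                Source          = "$($r.'Source DSA Site')\$($r.'Source DSA')"
                NamingContext   = $r.'Naming Context'
                Failures        = $failures
                LastStatus      = $r.'Last Failure Status'
                MinutesSinceOk  = $age
            }
        }
    }
}

# A fixed timestamp keeps the constructed sample reproducible; use (Get-Date) on live data.
Get-ReplicationProblem -Rows $rows -Now ([datetime]'2016-11-02 09:30:00')
```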

Best Practices

Always create subnets before installing domain controllers at new locations to ensure proper site membership. Use meaningful site names that reflect physical locations. Set site link costs that accurately reflect relative bandwidth. Deploy at least one domain controller per site to avoid cross-site authentication traffic during WAN outages. Enable Universal Group Membership Caching on branch-site DCs that do not host a Global Catalog. Monitor replication health regularly with repadmin and dcdiag.

Properly configured Active Directory Sites and Services ensures that replication traffic is controlled, users authenticate against the closest domain controller, and your AD infrastructure remains resilient even during WAN connectivity issues.