Introduction to Active Directory Sites and Services
Active Directory Sites and Services is a Microsoft Management Console (MMC) snap-in that administrators use to manage the replication topology of Active Directory Domain Services (AD DS). Sites define the physical or logical grouping of well-connected IP subnets. By configuring sites correctly, you control how AD DS replication occurs between domain controllers, optimize logon traffic, and ensure clients authenticate against the nearest domain controller. On Windows Server 2019, Sites and Services plays a critical role in multi-site enterprise environments where bandwidth costs and latency must be managed carefully.
Prerequisites
Before configuring Active Directory Sites and Services, make sure the following are in place. You need at least one Windows Server 2019 domain controller with the AD DS role, and the Active Directory module for Windows PowerShell (part of the AD DS management tools, also available through RSAT) on whichever machine you run the commands below. You need membership in Enterprise Admins, or in Domain Admins of the forest root domain: site, subnet and site link objects live in the Configuration partition, which administrators of child domains cannot modify by default. You should have a network topology diagram identifying physical locations, the IP subnets in use at each, and the bandwidth of the WAN links between them; the subnet inventory must be complete, because a client whose address matches no defined subnet is handed a domain controller from any site. Two or more domain controllers should exist or be planned, otherwise there is nothing for the replication topology to describe.
Opening Active Directory Sites and Services
You can open Active Directory Sites and Services from Server Manager or directly from the command line. In Server Manager, click Tools and select Active Directory Sites and Services. Alternatively, run the following command from an elevated PowerShell or Command Prompt session:
dssite.msc
The console displays a tree structure with Sites, Subnets, and Inter-Site Transports as the primary nodes. The default site named Default-First-Site-Name is created automatically when the forest is established.
Renaming the Default Site
Rename the default site to reflect its actual location. Right-click Default-First-Site-Name and choose Rename, then type a descriptive name such as a city or datacenter identifier, for example HQ-Chicago. Site names become DNS labels in the site-specific SRV records (for example _ldap._tcp.HQ-Chicago._sites.dc._msdcs.contoso.com), so keep them to letters, digits and hyphens. You can also list the existing sites and rename the default site with PowerShell:
Get-ADReplicationSite -Filter * | Select-Object Name
Rename-ADObject -Identity "CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com" -NewName "HQ-Chicago"
Creating New Sites
To create additional sites for branch offices or remote datacenters, right-click the Sites node and select New Site. Enter the site name, for example BR-NewYork, and pick the site link object the console requires; a site must belong to at least one site link before anything can replicate to or from it. New-ADReplicationSite does not add the new site to any site link, so a site created this way is isolated until you include it in one (the dedicated links created in Configuring Site Links below do exactly that). Using PowerShell to create new sites:
New-ADReplicationSite -Name "BR-NewYork"
New-ADReplicationSite -Name "BR-LosAngeles"
Creating and Associating IP Subnets
Subnets define the IP address ranges that belong to each site. When a client or domain controller has an IP address within a defined subnet, AD DS associates that machine with the corresponding site; each subnet maps to exactly one site, and both IPv4 and IPv6 prefixes are accepted. A client whose address matches no subnet is given a domain controller from any site, so the inventory must cover every range clients use. Domain controllers record such clients in %windir%\debug\netlogon.log as NO_CLIENT_SITE entries and raise System event 5807, which is the quickest way to find gaps. To create a subnet, right-click the Subnets node and select New Subnet. Enter the prefix in CIDR notation, for example 192.168.10.0/24, and select the site to associate it with. Using PowerShell:
New-ADReplicationSubnet -Name "192.168.10.0/24" -Site "HQ-Chicago"
New-ADReplicationSubnet -Name "10.20.0.0/16" -Site "BR-NewYork"
New-ADReplicationSubnet -Name "172.16.5.0/24" -Site "BR-LosAngeles"
Verify subnet creation and associations:
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Configuring Site Links
Site links define the network connections between sites, together with the cost and schedule of replication across them. DEFAULTIPSITELINK, created with the forest, uses the IP transport with a cost of 100 and a 180-minute replication interval, and initially contains only the first site; sites you create in the console are added to whichever link you select. Create dedicated site links for more granular control. In the console, expand Inter-Site Transports, right-click IP, and select New Site Link. Provide a name, add the sites to connect, and set the cost and replication interval (the minimum interval is 15 minutes). Lower cost values are preferred during path selection, so give the fastest, cheapest WAN links the lowest cost. Once dedicated links exist, remove the sites from DEFAULTIPSITELINK or delete it, so the KCC does not see a second, competing path. Using PowerShell:
New-ADReplicationSiteLink -Name "HQ-to-NewYork" -SitesIncluded "HQ-Chicago","BR-NewYork" -Cost 100 -ReplicationFrequencyInMinutes 15
New-ADReplicationSiteLink -Name "HQ-to-LosAngeles" -SitesIncluded "HQ-Chicago","BR-LosAngeles" -Cost 250 -ReplicationFrequencyInMinutes 30
To verify site links:
Get-ADReplicationSiteLink -Filter * | Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
Enabling Site Link Bridging and Change Notification
By default, all site links are bridged, meaning the KCC treats them as transitive and can route replication through an intermediate site. If your network is not fully routed (for example, branch sites cannot reach each other directly), disable automatic site link bridging and create site link bridges manually for the paths that do exist. To disable automatic bridging on the IP transport, right-click IP under Inter-Site Transports, open Properties, and uncheck Bridge all site links. Intersite replication normally waits for the link's replication interval. To have changes pushed as soon as they occur, including urgent replication of events such as account lockouts, enable change notification on the site link by setting bit 1 of its options attribute. Set-ADReplicationSiteLink exposes the attribute through -Replace (the Set cmdlet has no -OtherAttributes parameter; that belongs to New-ADReplicationSiteLink):
Set-ADReplicationSiteLink -Identity "HQ-to-NewYork" -Replace @{options=1}
The options attribute is a bit field: 1 enables change notification, 2 enables two-way sync, and 4 disables compression of replication traffic (less CPU on the bridgehead servers, more bytes on the WAN). -Replace writes the whole integer, so read the current value and OR the new bit into it rather than overwriting whatever is already set. Change notification removes the interval-based batching that keeps WAN replication traffic predictable, so enable it only on links with the bandwidth to carry changes as they happen.
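To make the effect of Bridge all site links concrete, the following added example (not code from the original article) runs a least-cost path search over the site links, which is how the ISTG chooses a route when bridging is enabled: every site link is a clique of its member sites with the link's cost, and the cheapest cumulative path wins. The two links and their costs are this article's own, embedded as constructed input; set $UseLiveData to $true to read the real links. With bridging off and no manual site link bridge, only directly linked sites have a path.

```powershell
# Added example, not part of the original article: least-cost replication path between two
# sites, using the site links defined in this article as constructed input.
$UseLiveData = $false
$BridgeAllSiteLinks = $true     # mirror the "Bridge all site links" setting you are testing

if ($UseLiveData) {
    $links = Get-ADReplicationSiteLink -Filter * | ForEach-Object {
        [pscustomobject]@{
            Name  = $_.Name
            Cost  = $_.Cost
            # SitesIncluded holds DNs like CN=HQ-Chicago,CN=Sites,...; keep only the site name.
            Sites = @($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' })
        }
    }
} else {
    $links = @(
        [pscustomobject]@{ Name = 'HQ-to-NewYork';    Cost = 100; Sites = @('HQ-Chicago', 'BR-NewYork') },
        [pscustomobject]@{ Name = 'HQ-to-LosAngeles'; Cost = 250; Sites = @('HQ-Chicago', 'BR-LosAngeles') }
    )
}

function Get-SiteLinkPath {
    param([string]$From, [string]$To, [object[]]$Links, [bool]$Transitive = $true)
    if (-not $Transitive) {
        # No bridging: only a link that contains both sites can carry replication.
        $direct = $Links | Where-Object { $_.Sites -contains $From -and $_.Sites -contains $To } |
                  Sort-Object Cost | Select-Object -First 1
        if ($direct) { return [pscustomobject]@{ Cost = $direct.Cost; Path = @($From, $To); Links = @($direct.Name) } }
        return $null
    }
    # Dijkstra over sites; each site link connects all of its member sites at the link's cost.
    $dist = @{ $From = 0 }; $prev = @{}; $via = @{}; $visited = @{}
    while ($true) {
        $current = $dist.Keys | Where-Object { -not $visited[$_] } | Sort-Object { $dist[$_] } | Select-Object -First 1
        if (-not $current -or $current -eq $To) { break }
        $visited[$current] = $true
        foreach ($link in $Links | Where-Object { $_.Sites -contains $current }) {
            foreach ($n in $link.Sites | Where-Object { $_ -ne $current }) {
                $alt = $dist[$current] + $link.Cost
                if (-not $dist.ContainsKey($n) -or $alt -lt $dist[$n]) {
                    $dist[$n] = $alt; $prev[$n] = $current; $via[$n] = $link.Name
                }
            }
        }
    }
    if (-not $dist.ContainsKey($To)) { return $null }
    $path = @($To); $usedLinks = @(); $node = $To
    while ($node -ne $From) {
        $usedLinks = @($via[$node]) + $usedLinks
        $node = $prev[$node]
        $path = @($node) + $path
    }
    [pscustomobject]@{ Cost = $dist[$To]; Path = $path; Links = $usedLinks }
}

foreach ($pair in @(@('BR-NewYork', 'BR-LosAngeles'), @('HQ-Chicago', 'BR-LosAngeles'))) {
    $r = Get-SiteLinkPath -From $pair[0] -To $pair[1] -Links $links -Transitive $BridgeAllSiteLinks
    if ($r) { "{0} -> {1}: cost {2} via {3} ({4})" -f $pair[0], $pair[1], $r.Cost, ($r.Path -join ' > '), ($r.Links -join ', ') }
    else    { "{0} -> {1}: NO PATH (bridging disabled, or a site is in no site link)" -f $pair[0], $pair[1] }
}
```

With the sample links and bridging on, BR-NewYork reaches BR-LosAngeles at cost 350 through HQ-Chicago; flip $BridgeAllSiteLinks to $false and the same pair reports no path, which is what the KCC sees until you add a site link bridge or a direct link. The real ISTG also requires the schedules of the bridged links to overlap, which this model ignores.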
Moving Domain Controllers to Sites
After creating sites and subnets, confirm that each domain controller's server object sits in the correct site. In the console, expand the site, then expand Servers. A server object is placed in a site when the domain controller is promoted, based on the DC's IP address at that moment, and it stays there even if the DC is later re-addressed or the subnets are reshuffled; the subnet-to-site lookup decides where clients are sent, not where existing server objects live. If a domain controller appears in the wrong site, right-click it and select Move, or use the Move-ADDirectoryServer cmdlet. First verify current placement and compare each DC's address with the subnets assigned to its site:
Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address
If a subnet itself is attached to the wrong site, reassign it. This changes which site clients in that range are mapped to; it does not move any domain controller:
Set-ADReplicationSubnet -Identity "10.20.0.0/16" -Site "BR-NewYork"
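Two checks that the subnet and domain controller placement steps leave implicit are worth scripting: which clients Netlogon could not map to any site, and which domain controllers sit in a site object that no longer matches their address. The following added example (not code from the original article) parses the NO_CLIENT_SITE entries Netlogon writes to %windir%\debug\netlogon.log, re-tests each address against the current subnet list with a longest-prefix match, then compares every DC's IPv4Address with its site and prints a Move-ADDirectoryServer for each mismatch. The subnets, DC names, addresses and log lines in the offline branch are constructed to match this article; set $UseLiveData to $true on a domain controller to use real data.

```powershell
# Added example, not part of the original article. Offline by default; $UseLiveData = $true
# reads subnets, DCs and netlogon.log from the live forest instead of the constructed data.
$UseLiveData = $false

function ConvertTo-IPv4Int {
    param([Parameter(Mandatory)][string]$Address)
    [int64]$n = 0
    foreach ($octet in [System.Net.IPAddress]::Parse($Address).GetAddressBytes()) {
        $n = ($n -shl 8) -bor $octet
    }
    return $n
}

function Resolve-SiteForIP {
    # Longest-prefix match over the subnet map; returns $null when no subnet covers the address.
    param([Parameter(Mandatory)][string]$Address, [Parameter(Mandatory)][hashtable]$SubnetMap)
    $ip = ConvertTo-IPv4Int $Address
    $best = $null; $bestLen = -1
    foreach ($cidr in $SubnetMap.Keys) {
        $network, $prefix = $cidr -split '/'
        if ($network -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { continue }      # skip IPv6 prefixes
        $len  = [int]$prefix
        $mask = (0xFFFFFFFF -shl (32 - $len)) -band 0xFFFFFFFF
        if ((($ip -band $mask) -eq ((ConvertTo-IPv4Int $network) -band $mask)) -and $len -gt $bestLen) {
            $best = $SubnetMap[$cidr]; $bestLen = $len
        }
    }
    return $best
}

if ($UseLiveData) {
    $subnetMap = @{}
    Get-ADReplicationSubnet -Filter * | Where-Object Site | ForEach-Object {
        $subnetMap[$_.Name] = (Get-ADReplicationSite -Identity $_.Site).Name   # Site is a DN
    }
    $dcs      = Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address
    $logLines = Get-Content "$env:windir\debug\netlogon.log"
} else {
    # Constructed sample data mirroring the sites and subnets created earlier in this article.
    $subnetMap = @{ '192.168.10.0/24' = 'HQ-Chicago'; '10.20.0.0/16' = 'BR-NewYork'; '172.16.5.0/24' = 'BR-LosAngeles' }
    $dcs = @(
        [pscustomobject]@{ Name = 'DC01'; Site = 'HQ-Chicago'; IPv4Address = '192.168.10.5' },
        [pscustomobject]@{ Name = 'DC02'; Site = 'BR-NewYork'; IPv4Address = '10.20.1.5' },
        [pscustomobject]@{ Name = 'DC03'; Site = 'HQ-Chicago'; IPv4Address = '172.16.5.5' }   # re-addressed, never moved
    )
    $logLines = @(   # constructed netlogon.log lines in the real "NO_CLIENT_SITE: <host> <ip>" shape
        '05/14 09:12:31 [MISC] [4728] CONTOSO: NO_CLIENT_SITE: WS-0451 10.30.7.22',
        '05/14 09:12:40 [MISC] [4728] CONTOSO: NO_CLIENT_SITE: WS-0452 10.30.7.23',
        '05/14 09:13:02 [MISC] [4728] CONTOSO: NO_CLIENT_SITE: LAPTOP-77 192.168.10.44',
        '05/14 09:13:09 [MISC] [4728] CONTOSO: NO_CLIENT_SITE: WS-0451 10.30.7.22'
    )
}

# 1. Clients Netlogon could not place. Old entries may be covered by subnets added since,
#    so re-test each unique address against the current map instead of trusting the log.
$pattern = 'NO_CLIENT_SITE:\s+(?<host>\S+)\s+(?<ip>\d{1,3}(?:\.\d{1,3}){3})'
$logLines | ForEach-Object { if ($_ -match $pattern) { [pscustomobject]@{ Host = $Matches.host; IP = $Matches.ip } } } |
    Sort-Object IP -Unique |
    ForEach-Object {
        $site = Resolve-SiteForIP -Address $_.IP -SubnetMap $subnetMap
        if ($site) { "{0,-16} {1,-12} now maps to {2}" -f $_.IP, $_.Host, $site }
        else       { "{0,-16} {1,-12} UNMAPPED: add a subnet (New-ADReplicationSubnet -Name '<cidr>' -Site '<site>')" -f $_.IP, $_.Host }
    }

# 2. DCs whose server object is in a different site than their address implies. Re-addressing
#    a DC does not move its server object; the KCC keeps treating it as a member of the old site.
foreach ($dc in $dcs) {
    $expected = Resolve-SiteForIP -Address $dc.IPv4Address -SubnetMap $subnetMap
    if (-not $expected) {
        "{0}: {1} is not in any defined subnet" -f $dc.Name, $dc.IPv4Address
    } elseif ($expected -ne $dc.Site) {
        "{0}: server object in {1} but {2} belongs to {3}" -f $dc.Name, $dc.Site, $dc.IPv4Address, $expected
        if ($UseLiveData) { Move-ADDirectoryServer -Identity $dc.Name -Site $expected -WhatIf }   # drop -WhatIf to apply
    }
}
```

With the sample data, 10.30.7.22 and 10.30.7.23 come back as unmapped (no 10.30.0.0 subnet exists), 192.168.10.44 is reported as now covered by HQ-Chicago, and DC03 is flagged for a move to BR-LosAngeles. Run it periodically: a client that is silently sent to a random DC for authentication is both a latency problem and a sign that the subnet inventory, which attackers with write access to the Configuration partition could also alter, has drifted from the network.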
Configuring the NTDS Site Settings
Each site has an NTDS Site Settings object that records which domain controller is currently the Inter-Site Topology Generator (ISTG) and holds site-wide settings such as Universal Group Membership Caching. The ISTG is the domain controller that builds the intersite connection objects for its site and selects the bridgehead servers that carry replication to other sites; open Properties on NTDS Site Settings to see the current ISTG in the Inter-Site Topology Generator section. Preferred bridgehead servers, by contrast, are configured on the server object of each domain controller, not on NTDS Site Settings: expand the site and Servers, right-click the server, open Properties, select the IP transport and click Add. Doing so pins intersite replication for that site to the listed servers, and if all of them are unavailable the KCC does not fall back to another DC, so designate at least two or leave the selection to the KCC. To designate a preferred bridgehead server via PowerShell, add the IP transport to the server object's bridgeheadTransportList attribute (bridgeheadServerListBL on the transport object is the read-only back-link that reflects this):
Set-ADObject -Identity "CN=DC01,CN=Servers,CN=HQ-Chicago,CN=Sites,CN=Configuration,DC=contoso,DC=com" -Add @{bridgeheadTransportList="CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=contoso,DC=com"}
Configuring Replication Schedules
Site link replication schedules control when replication is permitted across a site link. By default a link is available 24 hours a day, 7 days a week. To restrict replication to off-peak hours such as 10 PM to 6 AM and keep business-hours bandwidth for users, open the site link's properties in the console, click Change Schedule, and deselect the hours to block. A closed schedule delays every change, including account disables and password resets, until the next open window, so keep the window long enough for a full replication cycle and think twice before closing it on links to sites whose users depend on prompt revocation. Use repadmin to exercise and observe the result: /syncall forces replication now regardless of schedule (the flags mean all partitions, identify by distinguished name, across site boundaries, push), while /showrepl and /replsummary report what actually replicated and when:
repadmin /syncall /AdeP
repadmin /showrepl
repadmin /replsummary
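The console is the only place the article sets the schedule; the same 10 PM to 6 AM window can be set from PowerShell with the ActiveDirectorySchedule type that Set-ADReplicationSiteLink accepts. The following added example (not code from the original article) does that for the HQ-to-LosAngeles link defined above and then prints the stored schedule as a grid so the result can be reviewed without the dialog. It requires the ActiveDirectory module and uses this article's link name.

```powershell
# Added example, not part of the original article: set and read back a site link schedule.
Add-Type -AssemblyName System.DirectoryServices            # ActiveDirectorySchedule lives here
$H = [System.DirectoryServices.ActiveDirectory.HourOfDay]
$M = [System.DirectoryServices.ActiveDirectory.MinuteOfHour]

$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.ResetSchedule()                                   # start with every 15-minute slot closed
# SetDailySchedule takes a from/to range within one day, so open the two halves of the
# overnight window separately. The end slot is inclusive: 23:45 means "through 24:00".
$schedule.SetDailySchedule($H::TwentyTwo, $M::Zero, $H::TwentyThree, $M::FortyFive)
$schedule.SetDailySchedule($H::Zero,      $M::Zero, $H::Five,        $M::FortyFive)
Set-ADReplicationSiteLink -Identity "HQ-to-LosAngeles" -ReplicationSchedule $schedule

# Read it back. RawSchedule is a [bool[7,24,4]] indexed [day, hour, quarter-hour];
# X marks an hour whose first quarter is open, so every row should read XXXXXX................XX
$raw = (Get-ADReplicationSiteLink -Identity "HQ-to-LosAngeles" -Properties ReplicationSchedule).ReplicationSchedule.RawSchedule
foreach ($day in 0..6) {
    $hours = -join (0..23 | ForEach-Object { if ($raw[$day, $_, 0]) { 'X' } else { '.' } })
    "{0,-9} {1}" -f [System.DayOfWeek]$day, $hours
}
```

Because the grid is read from the directory rather than from the dialog, it is also a convenient thing to capture in a change record, and to diff later if replication between two sites unexpectedly stops overnight.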
Monitoring Replication Health
Use the repadmin command-line tool to monitor and troubleshoot replication. Check for replication errors:
repadmin /showrepl * /errorsonly
repadmin /replsummary *
dcdiag /test:replications /v
Use PowerShell to get replication metadata:
Get-ADReplicationFailure -Target "DC01" -Scope Server
Get-ADReplicationPartnerMetadata -Target "DC01" -Partition *
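The repadmin and Get-ADReplication* commands above report one domain controller at a time. The following added example (not code from the original article) rolls Get-ADReplicationPartnerMetadata up across every DC in the forest into one table, with a staleness threshold derived from the slowest site link, so a partnership that has quietly stopped converging stands out. The threshold of two missed intervals is an assumption you may want to tighten. It must run with the ActiveDirectory module and network reach to each DC; DCs that cannot be queried are reported rather than skipped.

```powershell
# Added example, not part of the original article: forest-wide inbound replication health.
# A DC whose inbound replication has stalled keeps authenticating users, so account disables,
# password resets and group removals made elsewhere do not take effect there until it recovers.

$maxIntervalMin = (Get-ADReplicationSiteLink -Filter * |
                   Measure-Object -Property ReplicationFrequencyInMinutes -Maximum).Maximum
if (-not $maxIntervalMin) { $maxIntervalMin = 180 }          # DEFAULTIPSITELINK default
$staleAfter = New-TimeSpan -Minutes (2 * $maxIntervalMin)    # assumption: two missed intervals is stale

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Partition * -ErrorAction Stop
    } catch {
        [pscustomobject]@{ DC = $dc.Name; Site = $dc.Site; Partner = '-'; Partition = '-'
                           LastSuccess = $null; Failures = $null
                           LastResult = "query failed: $($_.Exception.Message)"; Stale = $true }
        continue
    }
    foreach ($p in $meta) {
        [pscustomobject]@{
            DC          = $dc.Name
            Site        = $dc.Site
            # Partner is the DN of the source's NTDS Settings object; keep just the server name.
            Partner     = ($p.Partner -replace '^CN=NTDS Settings,CN=([^,]+),.*$', '$1')
            Partition   = ($p.Partition -split ',')[0] -replace '^(CN|DC)='
            LastSuccess = $p.LastReplicationSuccess
            Failures    = $p.ConsecutiveReplicationFailures
            LastResult  = $p.LastReplicationResult              # 0 = success, otherwise a Win32 error code
            Stale       = ((Get-Date) - $p.LastReplicationSuccess) -gt $staleAfter
        }
    }
}

$report | Sort-Object Stale, DC -Descending | Format-Table -AutoSize
$bad = $report | Where-Object { $_.Stale -or $_.Failures -gt 0 }
if ($bad) {
    Write-Warning ("{0} replication partnership(s) need attention; run repadmin /showrepl <dc> /errorsonly on the listed DCs" -f $bad.Count)
}
```

Rows with a non-zero Failures count but a recent LastSuccess usually indicate a transient WAN problem; rows where Stale is true and LastResult is non-zero are the ones to chase with repadmin and dcdiag, starting from the error code in LastResult.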
Understanding KCC and Connection Objects
The Knowledge Consistency Checker (KCC) runs on every domain controller every 15 minutes and automatically generates the connection objects between domain controllers in the same site (intrasite). For intersite replication, the ISTG of each site generates the connection objects. You can view connection objects by expanding a domain controller under Servers in its site and then expanding NTDS Settings; to create one by hand, right-click NTDS Settings and select New Active Directory Domain Services Connection. The KCC neither removes nor repairs manual connection objects: if the partner is later demoted or moved, replication over that connection fails until someone deletes it. Prefer letting the KCC manage the topology, and treat any manual connection as a documented exception to review.
Global Catalog Server Placement
Each site should have at least one Global Catalog server. Logon evaluates universal group membership through a Global Catalog, so a site without one (and without Universal Group Membership Caching) sends that lookup across the WAN, and logons fail when no GC is reachable. To designate a domain controller as a Global Catalog server, expand the site, expand Servers, expand the domain controller, right-click NTDS Settings, open Properties, and check Global Catalog. In PowerShell the flag is bit 1 of the NTDS Settings object's options attribute; read the current value and OR the bit in rather than overwriting it, so any other flags survive:
$ntds = Get-ADObject -Identity "CN=NTDS Settings,CN=DC02,CN=Servers,CN=BR-NewYork,CN=Sites,CN=Configuration,DC=contoso,DC=com" -Properties options
Set-ADObject -Identity $ntds -Replace @{options=([int]$ntds.options -bor 1)}
Verify Global Catalog servers (a newly designated GC advertises itself only after it has replicated the read-only partial partitions and logs Directory Service event 1119, so allow time before expecting it to appear):
Get-ADDomainController -Filter {IsGlobalCatalog -eq $true} | Select-Object Name, Site
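Both the change-notification edit in Enabling Site Link Bridging and Change Notification and the Global Catalog edit above flip a single bit in an options attribute, and in both places -Replace writes the whole integer. The following added example (not code from the original article) wraps the read-OR-write pattern in one helper that sets or clears a named bit on either object class, supports -WhatIf, and decodes the resulting value into flag names for review. Bit values are taken from the MS-ADTS definitions for siteLink and nTDSDSA; the DNs assume this article's contoso.com names, and the helper needs the ActiveDirectory module and write access to the Configuration partition.

```powershell
# Added example, not part of the original article: set or clear one bit of an AD object's
# "options" attribute without disturbing the other bits.

# Bit values from MS-ADTS for the two object classes this article touches.
$SiteLinkOptions = @{ USE_NOTIFY = 1; TWOWAY_SYNC = 2; DISABLE_COMPRESSION = 4 }        # siteLink
$NtdsDsaOptions  = @{ IS_GC = 1; DISABLE_INBOUND_REPL = 2; DISABLE_OUTBOUND_REPL = 4 }  # nTDSDSA (NTDS Settings)

function Set-ADOptionsBit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,     # distinguished name of the object
        [Parameter(Mandatory)][int]$Bit,
        [switch]$Clear                               # clear the bit instead of setting it
    )
    $obj     = Get-ADObject -Identity $Identity -Properties options
    $current = [int]$obj.options                     # [int]$null is 0 when the attribute is unset
    $new     = if ($Clear) { $current -band (-bnot $Bit) } else { $current -bor $Bit }
    if ($new -eq $current) {
        Write-Verbose "options on $Identity already $current"
    } elseif ($PSCmdlet.ShouldProcess($Identity, "options $current -> $new")) {
        Set-ADObject -Identity $Identity -Replace @{ options = $new }
    }
    return $new
}

$configNC = (Get-ADRootDSE).configurationNamingContext
$link = "CN=HQ-to-NewYork,CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"
$ntds = "CN=NTDS Settings,CN=DC02,CN=Servers,CN=BR-NewYork,CN=Sites,$configNC"

Set-ADOptionsBit -Identity $link -Bit $SiteLinkOptions.USE_NOTIFY -WhatIf     # drop -WhatIf to apply
Set-ADOptionsBit -Identity $ntds -Bit $NtdsDsaOptions.IS_GC       -WhatIf

# Decode what is currently set, so a reviewer sees flag names rather than a bare integer.
foreach ($pair in @(@{ DN = $link; Map = $SiteLinkOptions }, @{ DN = $ntds; Map = $NtdsDsaOptions })) {
    $value = [int](Get-ADObject -Identity $pair.DN -Properties options).options
    $flags = $pair.Map.GetEnumerator() | Where-Object { $value -band $_.Value } | ForEach-Object Key
    "{0}: options={1} [{2}]" -f ($pair.DN -split ',')[0], $value, ($flags -join ', ')
}
```

The decode loop is the part worth keeping in a periodic review: DISABLE_INBOUND_REPL or DISABLE_OUTBOUND_REPL appearing on an NTDS Settings object, or DISABLE_COMPRESSION on a link nobody remembers changing, is exactly the kind of quiet topology change that -Replace @{options=1} can cause by accident and that should otherwise be explained.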
Configuring Universal Group Membership Caching
If a site has only one domain controller and limited bandwidth, enable Universal Group Membership Caching (UGMC) instead of deploying a full Global Catalog. UGMC lets the domain controller cache each user's universal group memberships after the first logon, so later logons succeed without contacting a remote GC. The cache is refreshed from the designated site every 8 hours by default, so a user removed from a universal group elsewhere can keep that membership on the branch DC for up to that long; where that lag is unacceptable, deploy a GC in the site instead. In the console, right-click NTDS Site Settings for the site and open Properties. Check Enable Universal Group Membership Caching and optionally select the site to refresh the cache from. Using PowerShell:
Set-ADReplicationSite -Identity "BR-LosAngeles" -UniversalGroupCachingEnabled $true -UniversalGroupCachingRefreshSite "HQ-Chicago"
Verifying Site Configuration
After completing the configuration, run a comprehensive verification:
Get-ADReplicationSite -Filter * | Select-Object Name
Get-ADReplicationSubnet -Filter *
Get-ADReplicationSiteLink -Filter *
Get-ADDomainController -Filter * | Select-Object Name, Site, IsGlobalCatalog
nltest /dsgetsite
nltest /dnsgetdc:contoso.com /site:HQ-Chicago
The nltest commands confirm which site the current machine is in and which domain controllers are available in a specific site. Proper Sites and Services configuration is foundational for efficient AD DS operation across distributed enterprise environments on Windows Server 2019.