Introduction to Multi-Site Active Directory

Active Directory Sites and Services controls how domain controllers replicate directory information across geographically distributed locations. A properly designed multi-site AD topology ensures efficient replication between data centers, controls client login traffic so that workstations authenticate against local domain controllers rather than remote ones, and defines site link costs to reflect actual network bandwidth and latency. Windows Server 2019 domain controllers participate in this topology the same as previous versions—the configuration is at the forest/domain level.

Core Concepts: Sites, Subnets, and Site Links

An AD Site represents a well-connected network location (typically a data center or office with a fast, reliable LAN). Subnets are IP ranges associated with each site so that the KCC (Knowledge Consistency Checker) and clients can determine which site they belong to. Site Links define the network connections between sites and carry attributes including cost (lower = preferred) and replication schedule and interval.

Step 1: Create Sites


Import-Module ActiveDirectory

# View existing sites
Get-ADReplicationSite -Filter *

# Create additional sites
New-ADReplicationSite -Name 'London-DC1'    -Description 'London Primary Data Center'
New-ADReplicationSite -Name 'Frankfurt-DC1' -Description 'Frankfurt Data Center'
New-ADReplicationSite -Name 'Singapore-AP1' -Description 'Singapore APAC Hub'
New-ADReplicationSite -Name 'NewYork-DC1'   -Description 'New York Primary Data Center'

# Rename the default first site
Get-ADReplicationSite -Identity 'Default-First-Site-Name' | Rename-ADObject -NewName 'HQ-Dallas'

Step 2: Create and Associate Subnets


# Create subnets and associate with sites
New-ADReplicationSubnet -Name '10.10.0.0/16'  -Site 'HQ-Dallas'     -Location 'Dallas HQ'
New-ADReplicationSubnet -Name '10.20.0.0/16'  -Site 'London-DC1'    -Location 'London UK'
New-ADReplicationSubnet -Name '10.30.0.0/16'  -Site 'Frankfurt-DC1' -Location 'Frankfurt Germany'
New-ADReplicationSubnet -Name '10.40.0.0/16'  -Site 'Singapore-AP1' -Location 'Singapore'
New-ADReplicationSubnet -Name '10.50.0.0/16'  -Site 'NewYork-DC1'   -Location 'New York'

# Verify subnet-to-site assignments
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site, Location

# Check if a specific IP address maps to a site (useful for troubleshooting)
nltest /DSADDRESSTOSITE:10.20.5.30
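An address that falls outside every defined subnet is "siteless": the DC locator hands it any domain controller in the forest, so its logons and LDAP traffic can silently cross the WAN. The following script, added here as an example that is not part of the original article, does the longest-prefix subnet match in pure PowerShell for a list of IPv4 addresses, then runs it over every DC's own address and shows where NETLOGON records clients that arrived from unmapped addresses (System event 5807 and `NO_CLIENT_SITE` lines in netlogon.log). It assumes the ActiveDirectory module; the three sample addresses are constructed for illustration.

```powershell
# Added example, not code from the original article. Assumes the ActiveDirectory
# module and an account that can read the Configuration partition; the sample
# addresses below are constructed for illustration.
Import-Module ActiveDirectory

# True when an IPv4 address lies inside a CIDR block such as '10.20.0.0/16'.
function Test-IPv4InCidr {
    param([Parameter(Mandatory)][string]$IPAddress,
          [Parameter(Mandatory)][string]$Cidr)
    $network, $prefixText = $Cidr.Split('/')
    $prefix   = [int]$prefixText
    $ipBytes  = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($network).GetAddressBytes()
    if ($ipBytes.Length -ne 4 -or $netBytes.Length -ne 4) { return $false }   # IPv4 only here
    [Array]::Reverse($ipBytes); [Array]::Reverse($netBytes)                    # to host byte order
    $ip   = [BitConverter]::ToUInt32($ipBytes, 0)
    $net  = [BitConverter]::ToUInt32($netBytes, 0)
    $mask = [uint32]([uint32]::MaxValue - ([math]::Pow(2, 32 - $prefix) - 1))
    return (($ip -band $mask) -eq ($net -band $mask))
}

# Map each address to the most specific matching AD subnet (longest prefix wins,
# as the DC locator does) and report addresses that no subnet covers.
function Get-SubnetCoverage {
    param([Parameter(Mandatory)][string[]]$Addresses)
    $subnets = Get-ADReplicationSubnet -Filter * | Where-Object { $_.Name -notmatch ':' }  # skip IPv6 prefixes
    foreach ($addr in $Addresses) {
        $match = $subnets |
            Where-Object { Test-IPv4InCidr -IPAddress $addr -Cidr $_.Name } |
            Sort-Object { [int]($_.Name.Split('/')[1]) } -Descending |
            Select-Object -First 1
        $subnetName = if ($match) { $match.Name } else { $null }
        $siteName   = if ($match) { ($match.Site -split ',')[0] -replace '^CN=' } else { '(no site)' }
        [pscustomobject]@{ Address = $addr; Subnet = $subnetName; Site = $siteName }
    }
}

# Constructed sample: two addresses inside the tutorial's subnets, one outside.
Get-SubnetCoverage -Addresses '10.20.5.30', '10.50.1.10', '192.168.77.4' | Format-Table -AutoSize

# Real check: every DC's own address should map to the site it was placed in.
Get-ADDomainController -Filter * | ForEach-Object {
    Get-SubnetCoverage -Addresses $_.IPv4Address |
        Add-Member -NotePropertyName DC -NotePropertyValue $_.Name -PassThru
}

# Clients that connected from an unmapped address are recorded by NETLOGON on the DC:
# System log event 5807, and NO_CLIENT_SITE lines in %SystemRoot%\debug\netlogon.log.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5807 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue
Select-String -Path "$env:SystemRoot\debug\netlogon.log" -Pattern 'NO_CLIENT_SITE' -ErrorAction SilentlyContinue |
    Select-Object -Last 20
```

Run the DC check after every subnet change: a DC whose address maps to the wrong site, or to none, is the usual reason `nltest /dsgetsite` on a workstation returns an unexpected answer.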

Step 3: Create Site Links

Site links define the paths between sites. Cost and replication interval should reflect the actual WAN link quality. Lower cost = more preferred path. Replication interval defines how often incremental replication occurs over the link (default is 180 minutes; set to 15 minutes for fast WAN links):


# View existing site links
Get-ADReplicationSiteLink -Filter * | Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded

# Create hub-and-spoke site links (HQ as the hub)
New-ADReplicationSiteLink -Name 'HQ-Dallas--London-DC1' `
    -SitesIncluded @('HQ-Dallas','London-DC1') `
    -Cost 10 `
    -ReplicationFrequencyInMinutes 15 `
    -Description 'MPLS 1Gbps link Dallas to London'

New-ADReplicationSiteLink -Name 'HQ-Dallas--Frankfurt-DC1' `
    -SitesIncluded @('HQ-Dallas','Frankfurt-DC1') `
    -Cost 10 `
    -ReplicationFrequencyInMinutes 15 `
    -Description 'MPLS 1Gbps link Dallas to Frankfurt'

New-ADReplicationSiteLink -Name 'HQ-Dallas--Singapore-AP1' `
    -SitesIncluded @('HQ-Dallas','Singapore-AP1') `
    -Cost 25 `
    -ReplicationFrequencyInMinutes 30 `
    -Description 'Internet VPN 100Mbps Dallas to Singapore'

New-ADReplicationSiteLink -Name 'HQ-Dallas--NewYork-DC1' `
    -SitesIncluded @('HQ-Dallas','NewYork-DC1') `
    -Cost 5 `
    -ReplicationFrequencyInMinutes 15 `
    -Description 'Dark fiber 10Gbps Dallas to New York'

# Enable change notification on fast site links so the partner bridgehead is
# notified within seconds of a change instead of waiting for the next interval.
# 'options' is a bit field (1 = use notification, 2 = two-way sync, 4 = disable
# compression). Set-ADReplicationSiteLink has no -OtherAttributes parameter
# (that is a New-* parameter); write the attribute with -Replace.
Set-ADReplicationSiteLink -Identity 'HQ-Dallas--London-DC1' -Replace @{ options = 1 }

Set-ADReplicationSiteLink -Identity 'HQ-Dallas--NewYork-DC1' -Replace @{ options = 1 }

Step 4: Configure Site Link Bridges

By default, AD automatically bridges all site links (site link transitivity). If your WAN topology is not fully transitive (e.g., you cannot route directly from Frankfurt to Singapore), disable automatic bridging and create explicit bridges:


# Disable automatic site link bridging ("Bridge all site links") on the IP transport.
# There is no dedicated cmdlet: the setting is bit 2 (NTDSTRANSPORT_OPT_BRIDGES_REQUIRED)
# of the options attribute on the IP inter-site transport object, so OR it into the current value.
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
$current = [int](Get-ADObject -Identity $ipTransport -Properties options).options
Set-ADObject -Identity $ipTransport -Replace @{ options = ($current -bor 2) }

# Create explicit bridges for allowed transitivity paths
New-ADReplicationSiteLinkBridge -Name 'EMEA-Bridge' `
    -SiteLinksIncluded @('HQ-Dallas--London-DC1','HQ-Dallas--Frankfurt-DC1') `
    -InterSiteTransportProtocol IP

New-ADReplicationSiteLinkBridge -Name 'APAC-Bridge' `
    -SiteLinksIncluded @('HQ-Dallas--Singapore-AP1') `
    -InterSiteTransportProtocol IP
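Both the site-link options in Step 3 and the transport option in Step 4 are bit fields, and writing a literal value into them clears any bit that was already set. The script below, added here as an example and not code from the original article, decodes the bits on every site link and on the IP transport into names and turns individual bits on with a read-OR-write, so an audit can confirm that the fast links really have notification enabled and that bridging is in the state you intended. It assumes the ActiveDirectory module; the bit names are the NTDSSITELINK_OPT_* and NTDSTRANSPORT_OPT_* flags from the AD schema.

```powershell
# Added example, not code from the original article: audit the option bits on
# every site link and on the IP transport, and set them without clobbering bits
# that are already on. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$SiteLinkBits = [ordered]@{
    UseNotify          = 1   # NTDSSITELINK_OPT_USE_NOTIFY: replicate on change notification
    TwoWaySync         = 2   # NTDSSITELINK_OPT_TWOWAY_SYNC
    DisableCompression = 4   # NTDSSITELINK_OPT_DISABLE_COMPRESSION
}
$TransportBits = [ordered]@{
    IgnoreSchedules = 1      # NTDSTRANSPORT_OPT_IGNORE_SCHEDULES
    BridgesRequired = 2      # NTDSTRANSPORT_OPT_BRIDGES_REQUIRED: "Bridge all site links" is off
}

# Turn an integer bit field into a comma-separated list of the names that are set.
function ConvertTo-FlagNames {
    param([int]$Value, [System.Collections.IDictionary]$Bits)
    ($Bits.Keys | Where-Object { ($Value -band $Bits[$_]) -ne 0 }) -join ','
}

# One row per site link: cost, interval and the decoded option bits.
function Get-SiteLinkOptionReport {
    Get-ADReplicationSiteLink -Filter * -Properties options | ForEach-Object {
        $opts  = [int]$_.options     # unset attribute ($null) casts to 0
        $sites = ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ' <-> '
        [pscustomobject]@{
            Name     = $_.Name
            Sites    = $sites
            Cost     = $_.Cost
            Interval = $_.ReplicationFrequencyInMinutes
            Options  = $opts
            Flags    = ConvertTo-FlagNames -Value $opts -Bits $SiteLinkBits
        }
    }
}

# Set one site-link bit by OR-ing it into the current value; no write if already set.
function Enable-SiteLinkOption {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][ValidateSet('UseNotify','TwoWaySync','DisableCompression')][string]$Option)
    $link    = Get-ADReplicationSiteLink -Identity $Name -Properties options
    $current = [int]$link.options
    $desired = $current -bor $SiteLinkBits[$Option]
    if ($desired -ne $current) {
        Set-ADReplicationSiteLink -Identity $Name -Replace @{ options = $desired }
    }
}

# Same pattern for the IP transport; returns the decoded state after the write.
function Disable-AutomaticBridging {
    $dn = "CN=IP,CN=Inter-Site Transports,CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
    $current = [int](Get-ADObject -Identity $dn -Properties options).options
    $desired = $current -bor $TransportBits['BridgesRequired']
    if ($desired -ne $current) {
        Set-ADObject -Identity $dn -Replace @{ options = $desired }
    }
    [pscustomobject]@{ Transport = 'IP'; Flags = ConvertTo-FlagNames -Value $desired -Bits $TransportBits }
}

# Usage
Get-SiteLinkOptionReport | Format-Table -AutoSize
Enable-SiteLinkOption -Name 'HQ-Dallas--London-DC1' -Option UseNotify
Disable-AutomaticBridging
```

The report is also a quick sanity check on the design: a link with a low cost but a long interval, or with `UseNotify` set on a slow VPN path, is usually a mistake rather than a deliberate choice.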

Step 5: Move Domain Controllers to Their Sites


# Move existing domain controllers to the correct sites
# Get all DCs and their current site
Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address

# Move a DC to its correct site (moves the server object, with its NTDS Settings, under the target site's Servers container)
Move-ADDirectoryServer -Identity 'DC-LONDON01' -Site 'London-DC1'
Move-ADDirectoryServer -Identity 'DC-FRANKFURT01' -Site 'Frankfurt-DC1'
Move-ADDirectoryServer -Identity 'DC-SINGAPORE01' -Site 'Singapore-AP1'

# Verify after move
Get-ADDomainController -Filter * | Select-Object Name, Site | Sort-Object Site

# Trigger KCC to recalculate replication topology
repadmin /kcc

Step 6: Install New Windows Server 2019 DCs in Remote Sites


# Install AD DS role on a new Windows Server 2019 server in London
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Promote as an additional DC in an existing domain, targeting the London site
Install-ADDSDomainController `
    -DomainName 'corp.local' `
    -SiteName 'London-DC1' `
    -InstallDns:$true `
    -Credential (Get-Credential 'CORP\Administrator') `
    -DatabasePath 'D:\NTDS' `
    -LogPath 'D:\NTDS' `
    -SysvolPath 'D:\SYSVOL' `
    -Force:$true

# After promotion, verify the new DC is in the correct site
Get-ADDomainController -Identity 'DC-LONDON01' | Select-Object Name, Site

# Verify replication is working from/to the new DC
repadmin /showrepl DC-LONDON01
repadmin /replsummary

Monitoring and Troubleshooting Multi-Site Replication


# Show replication summary for all DCs
repadmin /replsummary

# Show replication partners for a specific DC
repadmin /showrepl DC-DALLAS01

# Show replication queue (pending changes)
repadmin /queue DC-LONDON01

# Check for replication failures
repadmin /showrepl * /csv > C:\Reports\replication.csv

# Check KCC's generated connection objects
Get-ADReplicationConnection -Filter * | Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer

# Force immediate replication of a specific naming context
repadmin /syncall DC-LONDON01 'DC=corp,DC=local' /Ade

# Check DNS SRV records (clients use these to find DCs for their site)
# _ldap._tcp.London-DC1._sites.dc._msdcs.corp.local
Resolve-DnsName -Name '_ldap._tcp.London-DC1._sites.dc._msdcs.corp.local' -Type SRV

# Test site coverage - which DC does a client in London connect to?
nltest /dsgetsite  # run on a London workstation - should return 'London-DC1'
nltest /dsgetdc:corp.local /site:London-DC1
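A DC that has quietly stopped replicating keeps answering logons with stale data (passwords, disabled accounts, group policy), so the replication age of every partner link is worth checking on a schedule rather than by reading `repadmin` output by hand. The following script, added here as an example that is not part of the original article, builds that check on the ActiveDirectory module's replication metadata cmdlets: it lists every inbound partner link in the forest with its last success time and consecutive failure count, flags links older than a threshold, and prints the forest-wide failure table. It assumes the module is loaded and that the caller can read replication metadata on every DC.

```powershell
# Added example, not code from the original article: a forest-wide replication
# health check, a scriptable counterpart to repadmin /replsummary. Assumes the
# ActiveDirectory module and read access to every DC's replication metadata.
Import-Module ActiveDirectory

function Get-ReplicationHealth {
    param(
        # Flag a partner link whose last success is older than this. 180 is the
        # default inter-site interval; use a tighter value for notification-enabled links.
        [int]$MaxAgeMinutes = 180
    )
    $cutoff = (Get-Date).AddMinutes(-$MaxAgeMinutes)
    $forest = (Get-ADForest).Name
    Get-ADReplicationPartnerMetadata -Target $forest -Scope Forest -Partition '*' | ForEach-Object {
        # Partner is the DN of the source DC's NTDS Settings object; its second RDN is the server name.
        $partner = ($_.Partner -split ',')[1] -replace '^CN='
        [pscustomobject]@{
            Server      = $_.Server
            Partner     = $partner
            Partition   = $_.Partition
            LastSuccess = $_.LastReplicationSuccess
            Failures    = $_.ConsecutiveReplicationFailures
            LastResult  = $_.LastReplicationResult      # 0 = success, otherwise a Win32 error code
            Stale       = ($_.LastReplicationSuccess -lt $cutoff)
        }
    }
}

# The failure table that repadmin /replsummary condenses into its totals.
function Get-ReplicationFailureReport {
    Get-ADReplicationFailure -Target (Get-ADForest).Name -Scope Forest |
        Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError
}

# Usage: show only what needs attention.
Get-ReplicationHealth | Where-Object { $_.Stale -or $_.Failures -gt 0 } | Format-Table -AutoSize
Get-ReplicationFailureReport | Format-Table -AutoSize
```

An empty result from both calls is the healthy state. A link that is stale but shows zero failures usually means the schedule or interval on its site link is longer than you assumed, which the site-link report from Step 3 will confirm.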

Configuring Preferred Bridgehead Servers


# Designate a specific DC as the preferred bridgehead for inter-site replication
# (avoid automatic selection, which can pick any writable DC in the site).
# The setting lives on the server object, not on the site link: its
# bridgeheadTransportList attribute holds the DN of the inter-site transport (IP).
$dc = Get-ADDomainController -Identity 'DC-DALLAS01'
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
Set-ADObject -Identity $dc.ServerObjectDN -Add @{ bridgeheadTransportList = $ipTransport }

# Set preferred bridgehead via Sites and Services MMC:
# Sites > HQ-Dallas > Servers > DC-DALLAS01 > right-click > Properties > General tab
# "Transports available for inter-site data transfer": select IP > Add

Conclusion

A properly configured multi-site Active Directory topology on Windows Server 2019 ensures that clients always authenticate against local domain controllers, that replication frequency matches WAN link capacity, and that the KCC builds an efficient replication graph. By carefully designing sites, subnets, site links with appropriate costs and intervals, and promoting domain controllers in each physical location, administrators deliver reliable, low-latency authentication and directory services to globally distributed users and systems.