Introduction

A multi-site Active Directory deployment on Windows Server 2016 maps your physical network topology onto AD Sites and Services, so that clients authenticate against the nearest domain controller (DC) rather than sending logon traffic across slow WAN links. AD Sites control replication traffic, Kerberos referrals, and Group Policy application. This guide covers designing and deploying a multi-site AD infrastructure with site links, site link bridges, and strategically placed domain controllers.

Understanding AD Sites and Replication

Each AD site represents a well-connected TCP/IP subnet. Domain controllers within a site replicate using high-frequency intra-site replication (every 15 seconds by default). Domain controllers in different sites replicate on a schedule via site links, which define the cost, frequency, and replication window. The KCC (Knowledge Consistency Checker) automatically builds the replication topology based on site links.

Creating Sites and Subnets

# Create sites for each physical location
New-ADReplicationSite -Name 'London-HQ'
New-ADReplicationSite -Name 'Manchester-DR'
New-ADReplicationSite -Name 'Edinburgh-Branch'

# Associate IP subnets with each site
New-ADReplicationSubnet -Name '10.0.1.0/24' -Site 'London-HQ' -Location 'London, UK'
New-ADReplicationSubnet -Name '10.0.2.0/24' -Site 'Manchester-DR' -Location 'Manchester, UK'
New-ADReplicationSubnet -Name '10.0.3.0/24' -Site 'Edinburgh-Branch' -Location 'Edinburgh, UK'

# Verify site assignments (Location was set on the subnet objects above)
Get-ADReplicationSite -Filter * | Select-Object Name
Get-ADReplicationSubnet -Filter * | Select-Object Name,Site,Location
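
How a client address maps onto the subnets and sites created above, shown as an added example that is not part of the original guide: an offline, IPv4-only lookup using longest-prefix matching that flags addresses no subnet object covers. The function names are hypothetical and the client addresses are constructed.

```powershell
# Added example. Function names are hypothetical; client addresses are constructed.
function ConvertTo-IPv4Number {
    param([Parameter(Mandatory)][string]$IPv4)
    $b = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()
    if ($b.Length -ne 4) { throw "IPv4 only: $IPv4" }
    # Use Int64 so the top bit never turns the value negative
    ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3]
}

function Resolve-SiteForAddress {
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][hashtable]$SubnetMap   # 'a.b.c.d/len' -> site name
    )
    $addr = ConvertTo-IPv4Number $Address
    $best = $null
    foreach ($cidr in $SubnetMap.Keys) {
        $network, $bits = $cidr -split '/'
        $len  = [int]$bits
        $mask = (4294967295 -shl (32 - $len)) -band 4294967295
        $net  = ConvertTo-IPv4Number $network
        if (($addr -band $mask) -eq ($net -band $mask)) {
            # Most specific (longest) prefix wins when subnets overlap
            if ($null -eq $best -or $len -gt $best.PrefixLength) {
                $best = [pscustomobject]@{ Subnet = $cidr; Site = $SubnetMap[$cidr]; PrefixLength = $len }
            }
        }
    }
    [pscustomobject]@{
        Address = $Address
        Subnet  = if ($best) { $best.Subnet } else { $null }
        Site    = if ($best) { $best.Site }   else { 'UNMAPPED' }
    }
}

# Subnet objects created earlier on this page
$subnetMap = @{
    '10.0.1.0/24' = 'London-HQ'
    '10.0.2.0/24' = 'Manchester-DR'
    '10.0.3.0/24' = 'Edinburgh-Branch'
}
# Constructed client addresses; 10.0.4.17 falls outside every defined subnet
$clients = '10.0.1.25', '10.0.2.200', '10.0.3.7', '10.0.4.17'
$clients | ForEach-Object { Resolve-SiteForAddress -Address $_ -SubnetMap $subnetMap } |
    Format-Table -AutoSize
```

On a live domain the map can be built from `Get-ADReplicationSubnet -Filter *`. Any address reported as UNMAPPED needs a subnet object; without one the client is not tied to a site and may be handed a DC across a WAN link.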

Configuring Site Links

# Create site links with cost and replication interval
New-ADReplicationSiteLink -Name 'London-Manchester' `
    -SitesIncluded @('London-HQ','Manchester-DR') `
    -Cost 100 -ReplicationFrequencyInMinutes 180 `
    -InterSiteTransportProtocol IP

New-ADReplicationSiteLink -Name 'London-Edinburgh' `
    -SitesIncluded @('London-HQ','Edinburgh-Branch') `
    -Cost 200 -ReplicationFrequencyInMinutes 360 `
    -InterSiteTransportProtocol IP

# Enable change notification on site links for faster replication
# (options value 1 = USE_NOTIFY; -Replace overwrites any other option bits already set)
$link = Get-ADReplicationSiteLink -Identity 'London-Manchester'
Set-ADObject -Identity $link -Replace @{options=1}

Placing Domain Controllers in Each Site

# Move a DC to its correct site (this can also be done in AD Sites and Services)
Move-ADDirectoryServer -Identity 'MAN-DC01' -Site 'Manchester-DR'
# Or with PowerShell: move the server object to the correct site
$serverDn = (Get-ADDomainController -Identity 'MAN-DC01').ServerObjectDN
Move-ADObject -Identity $serverDn `
    -TargetPath 'CN=Servers,CN=Manchester-DR,CN=Sites,CN=Configuration,DC=contoso,DC=com'

# Verify DC site placement
Get-ADDomainController -Filter * | Select-Object Name,Site,IPv4Address

# Install AD DS on a new DC in the Manchester site
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController `
    -DomainName 'contoso.com' `
    -SiteName 'Manchester-DR' `
    -Credential (Get-Credential) `
    -InstallDns:$true `
    -NoRebootOnCompletion:$false -Force

Configuring Global Catalog and FSMO Roles

# Enable Global Catalog on the Manchester DC (recommended for multi-site)
Set-ADObject -Identity (Get-ADDomainController 'MAN-DC01').NTDSSettingsObjectDN `
    -Replace @{'options'='1'}

# View current FSMO role holders
netdom query fsmo

# Transfer PDC Emulator to local site DC (reduces WAN latency for time sync)
Move-ADDirectoryServerOperationMasterRole -Identity 'MAN-DC01' -OperationMasterRole PDCEmulator

Monitoring Replication Health

# Check replication status across all DCs
repadmin /replsummary
repadmin /showrepl

# Check for replication errors
repadmin /showrepl * /errorsonly

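# View site options (for example, whether automatic topology generation is disabled)
repadmin /siteoptions

# Force synchronisation from a specific DC (all partitions, across sites, push mode)
repadmin /syncall LDN-DC01 /AdeP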
Get-ADReplicationFailure -Target 'contoso.com' -Scope Domain

Summary

Multi-site Active Directory on Windows Server 2016 optimises authentication, replication, and policy delivery for geographically distributed organisations. By correctly mapping IP subnets to sites, setting appropriate site link costs and schedules, placing DCs and Global Catalog servers in each location, and regularly monitoring replication health, you ensure users always authenticate locally for fast logins and that AD data stays consistent across all sites.