5.1 Site Topology

Active Directory uses the term site to mean a collection of subnets that coexist on a local area network (LAN) or metropolitan area network (MAN), i.e., a physical network in a particular location with good connectivity between all sections of that network. Active Directory uses sites to define boundaries of replication around the physical network.

Active Directory replication is very efficient. Only changed attributes are replicated, rather than entire objects, as was the case in Windows NT. And with Windows Server 2003, link-value replication is available for some attributes, so only the changed values of a multi-valued attribute are replicated instead of all of its values. Link-value replication is a much-needed feature that was not available in Windows 2000 Active Directory; it is intended to address issues such as the 5,000-member limitation for group objects. Replication can also take place over multiple TCP/IP transports, so you can find a replication protocol to suit the environment a particular site requires.

The recommended minimum speed for a well-connected network is 1.5 Mbps (i.e., a T1 link). You will see this actual value vary from article to article and book to book, as different people find that their network runs fine over a slower connection speed. We'll cover this later, but the absolute true minimum is around 128 Kbps of available replication bandwidth out of a 256 Kbps total available bandwidth. Your mileage may vary; the only way to determine the best solution in your environment is by testing.

Administrators must create the site topology in Active Directory, as the process is not automatic. The main site-topology objects of interest include the site objects, subnet objects, and site link objects. One of the major uses of the site topology is for clients to find their closest DC. That is why subnet information must be associated with sites. Clients use their IP address to determine which Active Directory subnet they belong to and subsequently which site. The site information can then be used to determine the closest DC.

Once you've set up a site, an Active Directory process called the Knowledge Consistency Checker (KCC) automatically creates and dynamically manages a replication schedule and a set of intrasite (i.e., within a site) replication links among the DCs in the site. As you add more DCs, more intrasite links are added automatically. If you were to do nothing more, data would be effectively replicated by Active Directory around your site. When you add your second site, the same automatic intrasite creation mechanisms spring into action, creating links and a replication schedule among the various DCs in this second site. The algorithm adapts as more sites and DCs are added, so that certain built-in criteria are never breached; this ensures that the network is always properly replicated. Note, however, that creating a second site does not trigger the system to automatically create intersite (i.e., between sites) replication links and a replication schedule as well. Instead, the site links that connect two sites have to be created manually. We'll cover the KCC in greater depth in Chapter 9.

5.1.1 Site and Replication Management Tools

Obviously, as more sites and connections are created, the topology can get very large. Microsoft provides the Active Directory Sites and Services snap-in to help manage the topology. It actually allows you to get right into the guts of the Sites Container, which holds all the site topology objects and connection objects. The Sites Container is located directly under the Configuration Container in the Configuration NC. It would be located in cn=sites,cn=configuration,dc=mycorp,dc=com in the mycorp.com forest. You can create new sites, subnets, and links, set replication schedules for each link, and so on.

Other replication-related tools are available in the Windows Support Tools:


A command-line tool for administering replication.


A graphical utility for managing and monitoring replication.

5.1.2 Why Have Active Directory Sites?

Sites exist to allow clients to find the closest DC, GC, DFS share point, or even an application distribution point (via SMS). Sites don't even have to have any DCs at all in them; a site can be composed entirely of subnets. In this case, clients need to find a DC, preferably in the nearest site. The client actually queries both Active Directory (for cost-based selection of the nearest site) and DNS (using site records that we will go through in Chapter 6). While the details on sites are held in the DNS, the actual topology is held in Active Directory. This topology uses site link costs to determine the proximity of other sites.

With cost ratings assigned to links, and the fact that Active Directory replicates only updated properties rather than entire objects, Active Directory has improved on Windows NT's attempts to span domains across WAN links. Under Windows NT, creating a domain across very slow links was next to impossible; with Active Directory it is possible to span domains across very slow links, or even links that have no synchronous connection at all but instead receive and send changes asynchronously via email. In fact, while Active Directory domains can easily be defined to span sites, sites can also hold multiple domains. Remember that a site literally represents an area of good connectivity, but it doesn't dictate how you arrange your domains; the connections between sites do that.

5.1.3 The First Site

When you create the first domain controller of the first domain in a new forest, a default site called Default-First-Site-Name is created, and the domain controller is assigned to it. Subsequently installed domain controllers are added to this site automatically. Even if you then create multiple sites, new servers are always added to the first site. To change that, you need to assign one or more subnets to each site. That way, any server on a specified subnet is automatically added to the appropriate site.

Adding Subnets to a Site in the Sites and Services Snap-In

When adding subnets to sites via the Sites and Services snap-in, you must enter the name of the subnet in the form network/bits masked; e.g., is network with subnet mask

The bits masked in the subnet name are the number of bits set in the subnet mask for that subnet. It can be between 0 and 31. The subnet mask is made up of 4 octets or bytes (4 sets of 8 bits). To convert the subnet mask to bits, convert each octet from the subnet mask to binary. The subnet mask is 11111111.11111111.11111111.00000000 in binary, which uses 8+8+8 bits (i.e., 24) to define the subnet mask. A subnet mask of would be 11111111.11111111.11111100.00000000, which is 8+8+6 or 22.
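The mask-to-bits conversion above, and the client-to-site lookup described in the section on site topology, as an added worked example (this is not code from the book). It assumes a constructed subnet-to-site table and uses longest-prefix matching, so that a more specific subnet object wins over a broader one that also contains the address.

```python
import ipaddress

# Constructed sample table (not from the book): subnet object name -> site name.
SITE_SUBNETS = {
    "10.1.0.0/16": "Default-First-Site-Name",
    "10.1.4.0/22": "Branch-A",
    "192.168.10.0/24": "Branch-B",
}


def mask_to_bits(mask: str) -> int:
    """Convert a dotted-decimal subnet mask to its 'bits masked' count.

    Rejects masks whose set bits are not contiguous (e.g. 255.0.255.0),
    which would not describe a valid network/bits subnet name.
    """
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"bad mask: {mask}")
    value = int.from_bytes(bytes(octets), "big")
    binary = f"{value:032b}"          # e.g. 11111111111111111111110000000000
    ones = binary.rstrip("0")         # strip the host part
    if "0" in ones:
        raise ValueError(f"non-contiguous mask: {mask}")
    return len(ones)                  # 255.255.252.0 -> 22


def subnet_name(address: str, mask: str) -> str:
    """Build the network/bits name the Sites and Services snap-in expects.

    The host bits of the address are cleared, so any address inside the
    subnet yields the same name (10.1.4.77 + 255.255.252.0 -> 10.1.4.0/22).
    """
    bits = mask_to_bits(mask)
    return str(ipaddress.ip_network(f"{address}/{bits}", strict=False))


def site_for_address(address: str, table=SITE_SUBNETS):
    """Return the site whose subnet object most specifically matches a client
    IP, or None when no subnet object covers it (the client then cannot be
    placed in a site and falls back to finding any DC)."""
    ip = ipaddress.ip_address(address)
    best = None
    for name, site in table.items():
        net = ipaddress.ip_network(name)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None
```

The ValueError on a non-contiguous mask is the check worth keeping: a subnet object with a malformed name places no clients in a site, which is a common reason clients authenticate against a distant DC.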

If subnets and IP addresses mean very little to you, check out Chuck Semeria's article "Understanding IP Addressing: Everything You Ever Wanted To Know" at http://www.3com.com/other/pdfs/infra/corpinfo/en_US/501302.pdf.

The Default-First-Site-Name site can be renamed if you wish, but note that site names cannot exceed 63 characters or contain dot (.) or space characters.
