First let’s begin and discuss why one would want to setup sites and services. The main points are as follow:
- Site Group Policy Objects are the second items applied in the GPO hierarchy. (Local, Site, Domain, OU)
- Domain joined computers will query the closest domain controller to them.
- DFS clients can find the closest namespace target to them.
- You can setup a hub and spoke replication method for AD.
I will be working with a 2012 R2 domain controller. First let’s open up server manager and go into Tools > Active Directory Sites and Services.
Now right click sites > click new site.
This will be a logical name for your site and it does not matter what you name it. The link doesn’t matter either so choose the default one.
Next you’ll be greeted by a window saying that there’s more to creating sites than just that, just click OK.
Next right click subnets and create a new subnet, you will need one tied to your site before any site magic happens.
Here we choose the subnet that will be assigned to the site. If your network is 192.168.1.0 255.255.255.255.0 then your subnet will be 192.168.1.0/24.
This will be the network that your clients will live in, it is how they can determine what site they are in, and thus determine which DC they get sent to via queries to DNS, and then LDAP queries to their local DC. In my case my subnet was 10.150.0.0/20 which encompasses the next 16 /24’s. ( I do this because I have VLANs in place and I don’t want to type out 16 different subnets, I can just summarize them. If you’d like to learn about route summation I did a little post on it here.
The next thing we need to do is drop a server in the site so that the KCC can build a replication topology for us, you can do this by finding your default site, drilling all the way down until you see servers. Then right click and click move.
Next is the part that is tricky for most people. For the KCC to build a correct replication topology, you need to configure your IP transport links correctly. If you use something like Meraki MX appliances, simply enabling the split-tunnel full-mesh VPN feature will give you encrypted lan-to-lan over the WAN connectivity. Try saying that last part 5 times. Now to give you a better picture of how this can work I’ve setup a test environment with 4 sites.
In my test environment I have 4 sites with 4 /24 subnets. These sites are connected by a virtual PFsense router and are actually on different VLANs to really emulate the environment of remote offices. Now in my environment each site has full connectivity to the other sites. Thus I can put all of my sites in just one site link and they will replicate with each other. The KCC will choose the best replication topology and I don’t even have to touch anything.
I can leave the cost at 100 because there is only one site link, however I do want replication to occur every fifteen minutes and not the default 180 minutes. If you have a slower wan connection, then it might be in your best interest to increase the replication time. Now if I had a hub and spoke model where all sites connected back to West-Office-HQ and were not fully meshed, I would create 3 separate site links, and put each office in pairs of twos. For example:
West – East
West – North
West – South
This way the KCC would actually make sure the replication hub is the West HQ office. However for testing environments this should suffice.