Most single-office AD deployments never open the active directory sites and services console. The default configuration — one site, no site links — handles everything automatically, and that’s correct. The problem starts when a second office comes online.
Without correct site and subnet configuration, clients in the branch authenticate against DCs in headquarters, crossing the WAN for every Kerberos ticket. Replication runs on no schedule. New DCs land in the wrong site and stay there until someone notices. None of this produces an immediate error — just slow logins and replication lag that gets blamed on the WAN link before anyone checks the topology.
Active directory sites and services is the MMC console where you define the physical-to-logical mapping that controls replication behavior and DC selection. This article covers the components, the configuration decisions, and the verification workflow.
- Single office, single subnet: one site, nothing to configure. Default setup is correct.
- Multiple offices with a WAN between them: each office needs its own site, subnets assigned, and a site link with defined cost and interval.
- Clients prefer DCs in their own site for authentication — but only if subnet assignments tell AD which site the client belongs to.
- After any Sites and Services change: verify with `nltest /dsgetdc` and `repadmin /showrepl` before assuming it worked.
What Is a Site in Active Directory?
In Active Directory, a “site” is a named group of well-connected IP subnets — typically a physical office or datacenter with fast internal connectivity. The word “site” has nothing to do with the domain or forest structure. A single domain can span multiple sites, and a single site can contain DCs from multiple domains.
The distinction that matters operationally: intrasite replication is automatic and triggered by changes, with no configurable schedule. Inter-site replication is controlled by site links you define — with explicit cost and interval values. Without site configuration, AD treats everything as intrasite, which is correct for one office and wrong when a WAN link enters the picture.
For a single-office environment with one contiguous IP range: one site, no action required. The default “Default-First-Site-Name” handles everything correctly. Creating additional sites without a WAN boundary adds administrative overhead with no operational benefit.
Active Directory Sites and Services Components
| Component | What it controls |
|---|---|
| Site | Named logical grouping of subnets (e.g., “HQ”, “London”) |
| Subnet | IP range associated with a site — the key to DC locator behavior |
| Site Link | Connection between two or more sites — defines cost and replication interval |
| Site Link Bridge | Controls transitive replication paths; automatic by default |
| NTDS Site Settings | Per-site KCC configuration; rarely modified directly |
The KCC (Knowledge Consistency Checker) runs on every DC and automatically builds the replication topology based on site and site link configuration. It recalculates every 15 minutes by default. Changes to active directory sites and services don’t take effect instantly — the KCC needs to run and propagate the updated topology first. In practice, expect 15–30 minutes before changes are visible in replication behavior.
This timing catches operators off guard. You create a site, assign subnets, configure a site link — and replication doesn’t change immediately. The correct response is to wait for the next KCC cycle, then verify. Not to reconfigure and wait again.
Global Catalog Placement in Multi-Site Environments
In multi-site deployments, consider whether each site needs a local Global Catalog server. Without a nearby GC, logon processes and directory searches may cross the WAN even when authentication itself occurs against a local DC. For branch offices with more than a handful of users, a local DC promoted with the Global Catalog role is usually the right call.
How DC Locator Uses Site Information
DC locator is the process clients use to find a domain controller for authentication. Site configuration is what makes DC locator prefer local DCs over remote ones.
When a client starts the logon process, it determines its site based on the IP subnet assigned in active directory sites and services. The client then:
- Queries DNS for a DC with a site-specific SRV record matching its site.
- Attempts authentication against a local DC from that site.
- Falls back to any available DC only if no local DC is reachable or no site match exists.
The site is not manually configured on clients — it’s calculated automatically from the client IP address against the subnet objects stored in AD. This is why subnet assignments matter more than the site names themselves. A correctly named site with no subnets assigned to it does nothing useful for DC locator.
Site coverage handles the edge case where a site has clients but no DC. AD automatically assigns the nearest DC from another site to service authentication requests for that site. Site coverage prevents authentication failures but shouldn’t be treated as a design strategy — large branch offices benefit from a local DC regardless.
When to Create Additional Sites
Create a new site when a WAN link separates DCs or clients from the main office. Don’t create sites for VLANs on the same LAN — VLANs are routing boundaries, not replication boundaries. A DC on VLAN 20 and a DC on VLAN 10 connected by a Layer 3 switch on gigabit links don’t need separate sites in active directory sites and services.
| Scenario | Correct configuration |
|---|---|
| Single office, multiple VLANs | One site — no additional configuration |
| Head office + branch over MPLS | Two sites, one site link |
| Head office + branch with primary + 4G backup | Two sites, two site links — different costs |
| Three offices, hub-and-spoke WAN | Three sites, site links matching WAN topology |
Configuring Sites, Subnets, and Site Links
Create a New Site
```powershell
# Create the new site
New-ADReplicationSite -Name "London"
# Verify
Get-ADReplicationSite -Filter *
```
The site appears in the active directory sites and services console immediately. No replication traffic moves through it until subnets and a site link are configured.
Assign Subnets to Sites
```powershell
# Assign subnet to the new site
New-ADReplicationSubnet -Name "10.1.0.0/24" -Site "London"
# Assign HQ subnet explicitly if not already defined
New-ADReplicationSubnet -Name "192.168.1.0/24" -Site "Default-First-Site-Name"
# Verify assignments
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
```
Every subnet that contains DCs or clients must be assigned to a site. Unassigned subnets don’t cause immediate failures — they produce Event ID 1311 in the Directory Service log and silently break site-based DC locator for all clients in that range.
A branch office DC is promoted before its subnet is added to active directory sites and services. The DC registers in the default site (HQ). Clients in the branch have no site match, so DC locator sends authentication requests to both branch and HQ DCs without preference. On a congested WAN link, logins become noticeably slow during peak hours. The Directory Service log on every DC logs Event ID 1311. The fix — adding the missing subnet — takes two minutes. Diagnosing the cause typically takes much longer.
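The scenario above comes down to one question: which subnet object, if any, covers a given client or DC address? As an added example (not code from the original article), the following PowerShell answers it the way the locator does, using the most specific matching subnet and flagging addresses no subnet covers. The subnet list in the sample run is constructed; without `-Subnet` the function reads the live objects via `Get-ADReplicationSubnet`, whose `Site` property is a DN rather than a bare name.

```powershell
# Added example, not from the original article: find addresses that no AD subnet covers.
# Without -Subnet it reads live data via Get-ADReplicationSubnet (Site is returned as a DN).

function ConvertTo-IpInt {
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                       # network order -> host order
    [int64][BitConverter]::ToUInt32($bytes, 0)
}

function Test-IpInCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $len = $Cidr -split '/'
    $shift = 32 - [int]$len                        # compare only the prefix bits
    ((ConvertTo-IpInt $Ip) -shr $shift) -eq ((ConvertTo-IpInt $net) -shr $shift)
}

function Resolve-AddressSite {
    param(
        [Parameter(Mandatory)][string[]]$Address,
        [object[]]$Subnet = (Get-ADReplicationSubnet -Filter * | Select-Object Name, Site)
    )
    foreach ($ip in $Address) {
        # Longest prefix wins, matching how AD resolves overlapping subnet objects.
        $match = $Subnet |
            Where-Object { Test-IpInCidr -Ip $ip -Cidr $_.Name } |
            Sort-Object { [int]($_.Name -split '/')[1] } -Descending |
            Select-Object -First 1
        [pscustomobject]@{
            Address = $ip
            Subnet  = if ($match) { $match.Name } else { '<none>' }
            Site    = if ($match) { $match.Site } else { 'UNASSIGNED - no site match for DC locator' }
        }
    }
}

# Constructed sample: an HQ /16, a more specific London /24 inside it, and a branch range
# that was never added after its DC was promoted.
$sampleSubnets = @(
    [pscustomobject]@{ Name = '192.168.1.0/24'; Site = 'Default-First-Site-Name' }
    [pscustomobject]@{ Name = '10.1.0.0/16';    Site = 'Default-First-Site-Name' }
    [pscustomobject]@{ Name = '10.1.5.0/24';    Site = 'London' }
)
Resolve-AddressSite -Address '192.168.1.50', '10.1.5.20', '10.1.9.1', '10.2.0.7' -Subnet $sampleSubnets |
    Format-Table -AutoSize
```

Feed it the addresses of every DC and a sample client from each office after a promotion or a subnet change; any row marked UNASSIGNED is the missing subnet object.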
Configure Site Link Cost and Replication Interval
```powershell
# Create a site link between HQ and London
New-ADReplicationSiteLink -Name "HQ-London" `
    -SitesIncluded "Default-First-Site-Name","London" `
    -Cost 100 `
    -ReplicationFrequencyInMinutes 180
# Verify
Get-ADReplicationSiteLink -Filter * | Select-Object Name, Cost, ReplicationFrequencyInMinutes
```
Site link cost is a relative value — the default is 100. Lower cost means preferred path. With two site links at different costs (MPLS at 100, 4G backup at 400), the KCC routes replication over the lower-cost link automatically.
| Link type | Suggested cost |
|---|---|
| LAN / MPLS primary | 100 |
| MPLS secondary or broadband stable | 150–200 |
| Broadband variable quality | 200–300 |
| 4G / unreliable backup | 400–500 |
Replication interval: The default 180 minutes means password resets and group membership changes can take up to 3 hours to reach branch DCs. For most SMB environments this is acceptable. If same-day propagation matters, lower to 60 minutes. Don’t go below 15 minutes — that’s the protocol minimum, and aggressive intervals on unreliable WAN links generate replication failures that look serious but are caused by the interval choice itself.
Verifying the Configuration
Active directory sites and services changes don’t self-report success. Run these checks after any topology change.
- Confirm subnet-to-site assignment: `Get-ADReplicationSubnet -Filter * | Select-Object Name, Site` — every DC and client subnet must be listed with the correct site.
- Confirm the DC is in the correct site: `nltest /dsgetdc:ad.contoso.com /site:London` — output must show a DC in the London site, not Default-First-Site-Name.
- Check replication status: `repadmin /showrepl` — inter-site replication should show expected partners and a recent last-replication timestamp.
- Check for replication failures: `Get-ADReplicationFailure -Scope Site` — any errors here indicate a misconfigured site link or unreachable partner DC.
- Check for Event ID 1311: Event Viewer → Windows Logs → Directory Service → filter for 1311. Any 1311 events indicate subnets without site assignments — find and add them.
If nltest /dsgetdc returns a DC in the wrong site, the client subnet isn’t assigned correctly. Start there before looking at site link configuration.
Quick Troubleshooting Reference
| Symptom | Likely cause | First check |
|---|---|---|
| Users authenticate against remote DCs | Missing subnet assignment | Get-ADReplicationSubnet — verify subnet is assigned |
| New DC appears in Default-First-Site-Name | Site not configured before DC promotion | Move DC to correct site in ADSS console |
| Event ID 1311 in Directory Service log | Subnet not assigned to any site | Add missing subnet in active directory sites and services |
| Replication follows wrong WAN path | Site link costs not set correctly | Get-ADReplicationSiteLink — review cost values |
| Password changes take hours at branch | Replication interval too high | Lower interval on site link — verify with repadmin /showrepl |
Common Mistakes
All DCs land in the default site after adding a branch. This happens when the branch DC is promoted before its subnet is configured in active directory sites and services. Fix: add the subnet, then move the DC to the correct site using the ADSS console or Move-ADDirectoryServer. Don’t leave it — replication and DC locator behavior will be wrong for every client in that subnet.
Subnet ranges overlap between sites. If 10.1.0.0/16 is assigned to HQ and 10.1.5.0/24 is assigned to London, AD matches the more specific subnet — but overlapping definitions create confusion and future misassignment risk. Keep subnet definitions clean and non-overlapping.
Site link cost left at 100 for every link. With two site links at equal cost, the KCC picks arbitrarily. On a hub-and-spoke topology this can route replication over a slow branch link instead of the MPLS backbone. Set cost values deliberately based on link quality.
Lowering the replication interval below 60 minutes on an unreliable WAN. Aggressive intervals on unreliable links generate Event ID 1925 and 2087 failures, which look serious but are a consequence of the interval choice. On an unreliable link, a longer interval is more reliable than a short one.
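The verification checklist and the mistakes above share a trait: none of them raises an error, so they have to be looked for. As an added example (not code from the original article), this PowerShell audit reports subnets assigned to no site, sites with no subnets, sites in no site link, and the all-links-at-one-cost case. With no arguments it reads live data from the ActiveDirectory module; the sample objects, the Manchester site and the `ad.contoso.com` DNs are constructed so the checks can be read without a domain.

```powershell
# Added example, not from the original article: audit the topology for the silent faults the
# article describes. Without arguments it reads live data from the ActiveDirectory module; the
# sample objects at the bottom are constructed so the checks can be read without a domain.

function Test-SiteTopology {
    param(
        [object[]]$Site     = (Get-ADReplicationSite -Filter *),
        [object[]]$Subnet   = (Get-ADReplicationSubnet -Filter * | Select-Object Name, Site),
        [object[]]$SiteLink = (Get-ADReplicationSiteLink -Filter * | Select-Object Name, Cost, SitesIncluded)
    )
    # Live cmdlets reference sites by DN (CN=London,CN=Sites,...); reduce every reference to a name.
    $toName = { param($ref) (([string]$ref -split ',')[0]) -replace '^CN=', '' }

    foreach ($sub in $Subnet | Where-Object { -not $_.Site }) {
        [pscustomobject]@{ Check = 'Subnet assigned to no site'; Object = $sub.Name
                           Detail = 'Clients in this range get no site match' }
    }
    foreach ($s in $Site) {
        $name = & $toName $s.Name
        if (-not ($Subnet | Where-Object { (& $toName $_.Site) -eq $name })) {
            [pscustomobject]@{ Check = 'Site has no subnets'; Object = $name
                               Detail = 'DC locator can never place a client here' }
        }
        if (-not ($SiteLink | Where-Object { @($_.SitesIncluded | ForEach-Object { & $toName $_ }) -contains $name })) {
            [pscustomobject]@{ Check = 'Site in no site link'; Object = $name
                               Detail = 'KCC has no inter-site replication path for it' }
        }
    }
    # Equal costs on every link leave the path choice to the KCC.
    $costs = @($SiteLink | Select-Object -ExpandProperty Cost -Unique)
    if (@($SiteLink).Count -gt 1 -and $costs.Count -eq 1) {
        [pscustomobject]@{ Check = 'All site links share one cost'; Object = ($SiteLink.Name -join ', ')
                           Detail = "Every link costs $($costs[0]); set costs per link quality" }
    }
}

# Constructed sample for ad.contoso.com: Manchester has a site but no subnet and no link,
# a branch range was never assigned, and both HQ-London links kept the default cost.
$dn = { param($n) "CN=$n,CN=Sites,CN=Configuration,DC=ad,DC=contoso,DC=com" }
$sites   = 'Default-First-Site-Name', 'London', 'Manchester' | ForEach-Object { [pscustomobject]@{ Name = $_ } }
$subnets = @(
    [pscustomobject]@{ Name = '192.168.1.0/24'; Site = & $dn 'Default-First-Site-Name' }
    [pscustomobject]@{ Name = '10.1.0.0/24';    Site = & $dn 'London' }
    [pscustomobject]@{ Name = '10.2.0.0/24';    Site = $null }
)
$links = 'HQ-London', 'HQ-London-4G' | ForEach-Object {
    [pscustomobject]@{ Name = $_; Cost = 100; SitesIncluded = @((& $dn 'Default-First-Site-Name'), (& $dn 'London')) }
}
Test-SiteTopology -Site $sites -Subnet $subnets -SiteLink $links | Format-Table -AutoSize
```

Run it after the KCC has had its 15 to 30 minutes, alongside `repadmin /showrepl`; an empty result means the topology objects are at least consistent, not that replication is healthy.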
FAQ
Do I need to configure Active Directory Sites and Services for a single-office setup?
No. The default single-site configuration is correct. Creating additional sites without a WAN boundary adds administrative overhead with no operational benefit.
What happens if I don’t assign subnets to sites?
Clients can’t determine which site they belong to, so DC locator falls back to any available DC regardless of location. On a WAN-connected branch, this means authentication crosses the WAN unnecessarily. Event ID 1311 appears in the Directory Service log on every DC in the environment.
How long do Sites and Services changes take to take effect?
The KCC runs every 15 minutes by default. After the KCC recalculates and the topology propagates, changes are active. Expect 15–30 minutes in a two-site environment.
What is the minimum replication interval between sites?
15 minutes. The protocol doesn’t support lower values.
What is site coverage in Active Directory?
If a site has clients but no DC, AD automatically assigns the nearest DC from another site to handle authentication for that site. Site coverage prevents authentication failures in this scenario, but it’s not a design strategy — a large branch office should have a local DC.
Can a site link include more than two sites?
Yes. A site link can include multiple sites, and all of them replicate with each other over that link at the defined cost and interval. Whether to use one multi-site link or separate per-pair links depends on your WAN topology. Hub-and-spoke maps naturally to a hub site link; full-mesh topologies are better served by individual links.
Final Thoughts
For most SMB deployments, active directory sites and services is a one-time configuration task. Add the sites, assign the subnets, set site link costs — and it runs without further intervention.
The operators who skip this step aren’t making a visible mistake on day one. They’re creating a diagnostic problem for the day a branch office goes live, logins slow down during peak hours, and nobody connects slow authentication to AD topology. The subnet assignment step takes two minutes. Diagnosing the root cause after the fact consistently takes much longer.
Active directory sites and services is the physical-to-logical mapping that the rest of the AD infrastructure depends on for efficient operation. For the domain and forest structure that sites sit within, see Active Directory structure explained. For replication failures after the topology is configured, the Active Directory replication troubleshooting guide covers diagnostic workflows in detail. For the full technical reference on KCC topology building, Microsoft’s Active Directory Replication Concepts is the authoritative source. The Understanding Active Directory Site Topology documentation covers site link bridge behavior and transitive replication paths. For the nltest and repadmin reference, see Microsoft’s AD replication diagnostics reference.