Chapter 39. Active Directory Site Administration

In this chapter, I discuss administration of sites, subnets, site links, and related components. Active Directory sites are used to control directory replication traffic and isolate logon authentication traffic between physical network locations. Every site has one or more subnets associated with it. Ideally, each subnet that is part of a site should be connected by reliable, high-speed links. Any physical location connected over slow or unreliable links should be part of a separate site, and these individual sites are linked to other sites using site links.

Managing Sites and Subnets

When you install the Active Directory directory service in a new forest, a new site called the Default-First-Site-Name is created. As you add additional domains and domain controllers to the forest, these domains and domain controllers are added to this site as they are installed unless you have configured other sites and associated subnets with those sites as necessary.

Administration of sites and subnets involves determining the sites and subnets you need and creating those sites and subnets. All sites have one or more subnets associated with them. It is in fact the subnet assignment that tells Active Directory where the site boundaries are established. As you create additional sites, you might also need to specify which domain controllers are a part of the sites. You do this by moving domain controllers to the site containers with which they should be associated. Thus, the most common administrative tasks for sites involve the following:

  • Creating sites

  • Creating subnets and associating them with sites

  • Moving domain controllers between sites

Creating an Active Directory Site

As part of Active Directory design, discussed in Chapter 35, you must consider whether separate sites are needed. If your organization has multiple locations with limited bandwidth or unreliable connections between locations, you will typically want to create additional sites. In some cases you might also want to create additional sites to separate network segments even if they are connected with high-speed links; the reason for doing this is to isolate logon authentication traffic between the network segments.

To create an additional site, follow these steps:

  1. Start Active Directory Sites and Services by clicking Start, Programs or All Programs, Administrative Tools, and Active Directory Sites And Services.

    Tip

    Connect to the forest you want to work with

    Active Directory Sites and Services is used to view a single forest. If your organization has multiple forests, you might need to connect to another forest. To do this, right-click the Active Directory Sites And Services node in the console tree, and then select Connect To Forest. In the Connect To Forest dialog box, type the name of the root domain in the forest to which you want to connect, and then click OK.

  2. Right-click the Sites container in the console tree, and select New Site. This displays the New Object—Site dialog box, as shown in Figure 39-1.

    Figure 39-1. Use the New Object—Site dialog box to create a new site

  3. In the New Object—Site dialog box, type a descriptive name for the site. The site name serves as a point of reference for administrators and should clearly depict the purpose or physical location of the site.

  4. Choose which site link will be used to connect this site to other sites. If the site link you want to use doesn't exist, that's okay—the site must exist before you can create links to it. Select the default site link DEFAULTIPSITELINK for now, and change the site link settings once you've created the necessary site link or links.

  5. When you are ready to continue, click OK. A prompt is displayed detailing the steps you must complete to finish the site configuration. Click OK again. As the prompt details, you should do the following:

    • Ensure the links to this site are appropriate by creating the necessary site links. The catch in this is that both endpoints in a site link—the sites you want to link—must exist before you can create a site link.

    • Create subnets and associate them with the site. This tells Active Directory the network addresses that belong to a site.

Each site should have one or more domain controllers. Ideally, at least one of these domain controllers should also be a global catalog server. Because of this, you should install one or more domain controllers in the site or move existing domain controllers into the site.

Creating a Subnet and Associating It with a Site

You create subnets and associate them with sites to allow Active Directory to determine the network segments that belong to the site. Any computer with an Internet Protocol (IP) address on a network segment associated with a site is considered to be located in the site. A site can have one or more subnets associated with it. Each subnet, however, can be associated with only one site.

You can create a subnet and associate it with a site by completing the following steps:

  1. Start Active Directory Sites and Services by clicking Start, Programs or All Programs, Administrative Tools, and Active Directory Sites And Services.

  2. Right-click the Subnets container in the console tree, and select New Subnet. This displays the New Object—Subnet dialog box, as shown in Figure 39-2.

    Figure 39-2. Use the New Object—Subnet dialog box to create a new subnet

  3. In the Address field, type the network address for the subnet. Typically, the subnet address ends with a 0, such as 192.168.1.0. If subnetting is used as discussed in Chapter 24, the network address could end in a different value, however.

  4. In the Mask field, type the subnet mask for the network segment. The network address and the subnet mask are used to set the subnet name. The name uses the network prefix notation, which is also referred to as the classless interdomain routing (CIDR) notation. For example, if the network address is 192.168.1.0 and the subnet mask is 255.255.255.0, the subnet name is set to 192.168.1.0/24.

  5. Select the site with which the subnet should be associated, and then click OK. If you ever need to change the site association for the subnet, double-click the subnet in the Subnets folder and then, in the General tab, use the Site selection menu to change the site association.

Associating Domain Controllers with a Site

Once you associate subnets with a site, any domain controllers you install afterward will automatically be placed in the site whose associated subnet contains the domain controller's IP address. Any domain controllers installed before you established the site and associated subnets with it will not, however, be moved to the site automatically. You must do this manually. In addition, if you associate a subnet with a different site, you might need to move domain controllers in that subnet to the new site.

You can move a domain controller to a site by completing the following steps:

  1. Start Active Directory Sites and Services by clicking Start, Programs or All Programs, Administrative Tools, and Active Directory Sites And Services.

  2. Domain controllers associated with a site are listed in the site's Servers node. To locate the domain controller that you want to move, expand the site node, and then expand the related Servers node.

  3. Right-click the domain controller, and then select Move. This displays the Move Server dialog box.

  4. In the Move Server dialog box, select the site that should contain the server, and then click OK.

Note

Another way to move a domain controller from one site to another in Windows Server 2003 is to drag the domain controller from its current site to the new site. But don't move a domain controller to a site arbitrarily. Move a domain controller to a site only if it is on a subnet associated with the site.
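As an added example (not from the book), the following Python models the rules this chapter states: the subnet object's name is derived from the network address and mask in CIDR notation, a subnet can be associated with only one site, and a computer is located in the site whose subnet contains its IP address; it then lists domain controllers sitting in a site other than the one their subnet maps to, which is the check behind the note above. The longest-prefix tie-break for overlapping subnets, the strict network-address validation and all sample site, subnet and server names are this example's own assumptions.

```python
import ipaddress


def subnet_name(address, mask):
    """Build the subnet object's name the way the New Object-Subnet dialog does:
    network address + subnet mask -> CIDR, e.g. 192.168.1.0 + 255.255.255.0 -> 192.168.1.0/24.
    strict=True is this example's own check: it rejects an address with host bits set
    (192.168.1.5 with /24) and a non-contiguous mask, both raising ValueError."""
    return str(ipaddress.IPv4Network((address, mask), strict=True))


class SiteMap:
    """Subnet-to-site associations, mirroring the Subnets container."""

    def __init__(self):
        self.subnets = {}  # CIDR name -> site name

    def add_subnet(self, address, mask, site):
        name = subnet_name(address, mask)
        if name in self.subnets and self.subnets[name] != site:
            # Each subnet can be associated with only one site.
            raise ValueError(f"{name} is already associated with site {self.subnets[name]}")
        self.subnets[name] = site
        return name

    def site_for(self, ip):
        """Site whose subnet contains ip, or None when no subnet matches.
        If subnets overlap, the longest prefix wins (this example's tie-break)."""
        addr = ipaddress.IPv4Address(ip)
        matches = [(ipaddress.IPv4Network(n).prefixlen, s)
                   for n, s in self.subnets.items() if addr in ipaddress.IPv4Network(n)]
        return max(matches)[1] if matches else None

    def misplaced_servers(self, servers):
        """servers: {dc name: (ip, site the DC currently sits in)}.
        Returns (dc, current site, expected site) for every DC whose current site is
        not the one its subnet maps to; expected is None when no subnet covers the IP."""
        return [(dc, current, self.site_for(ip))
                for dc, (ip, current) in servers.items() if self.site_for(ip) != current]


# Constructed sample data (not from any real deployment).
if __name__ == "__main__":
    sm = SiteMap()
    sm.add_subnet("192.168.1.0", "255.255.255.0", "Default-First-Site-Name")
    sm.add_subnet("10.1.0.0", "255.255.0.0", "Branch-Office")
    sm.add_subnet("10.1.64.0", "255.255.192.0", "Branch-Lab")
    dcs = {"DC1": ("192.168.1.10", "Default-First-Site-Name"),
           "DC2": ("10.1.70.5", "Default-First-Site-Name")}
    print(sm.misplaced_servers(dcs))  # DC2 belongs in Branch-Lab
```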
