IT Operations & Cybersecurity Encyclopedia
Active Directory Sites and Services configuration guide
Active Directory Sites and Services controls how domain controllers, clients, subnets, and replication topology map to real network locations. A clean configuration improves logon performance, domain controller selection, Group Policy processing, DNS behavior, replication efficiency, and troubleshooting clarity.
Why it matters
Make AD topology match the real network
Sites and Services is often neglected after the first domain build. As offices move, VPNs change, cloud networks expand, and WAN links are replaced, AD topology can become stale. Incorrect subnets can make clients authenticate to distant domain controllers, apply Group Policy slowly, or use the wrong services.
A professional review maps every major subnet and location to the correct AD site, validates site links and replication schedules, confirms domain controller and global catalog placement, and documents how DNS, DHCP, VPN, Azure, branch offices, and remote sites interact with identity services.
Practical rule: Do not leave AD subnets unmapped or site links undocumented. Every production subnet should have a known site, business location, network owner, and replication expectation.
Review scope
What a Sites and Services review should cover
Subnet mapping
Confirm every production, VPN, wireless, server, branch, and cloud subnet maps to the correct AD site.
Site link design
Review site links, costs, schedules, replication intervals, bridge settings, and network path assumptions.
Domain controller placement
Validate DC, DNS, and global catalog placement based on user count, applications, WAN reliability, and recovery needs.
Client behavior
Check whether clients authenticate to local domain controllers and apply policies without unnecessary WAN dependency.
Replication health
Review replication status, event logs, DNS health, stale partners, failed links, and monitoring coverage.
Documentation
Preserve topology exports, diagrams, owner decisions, remediation tickets, and next review dates.
Review matrix
Sites and Services configuration decision matrix
| Area | What to verify | Questions to answer | Evidence |
|---|---|---|---|
| New office or branch | A new physical location has users, servers, or network equipment. | Create site/subnet mapping if local authentication, policy, or replication behavior requires it. | Which DC should clients use? |
| VPN subnet | Remote users connect through a VPN pool. | Map the subnet intentionally to the best site for authentication and support expectations. | Are VPN users reaching the right domain controllers? |
| Cloud network | Azure, AWS, or another cloud network hosts domain-joined workloads. | Create site mapping, review latency, DNS, replication, firewall rules, and DC placement. | Should cloud workloads use cloud-based DCs? |
| Slow logon or GPO | Users report slow sign-in, policy processing, or drive mappings. | Check subnet mapping, DNS, DC selection, WAN latency, and site link design. | Is the client using a distant domain controller? |
| Replication failure | Domain controllers fail to replicate across sites. | Review site links, schedules, costs, firewall/RPC, DNS, and network path changes. | Is the topology wrong or the network broken? |
Step-by-step review
Sites and Services review runbook
Export current topology
Collect AD sites, subnets, site links, costs, schedules, replication intervals, DC placement, and global catalog placement.
Compare with network inventory
Match AD subnets against DHCP scopes, VPN pools, wireless networks, branch offices, server VLANs, and cloud networks.
Validate client and DC behavior
Check client site detection, domain controller selection, DNS registration, Group Policy processing, and logon experience.
Review replication design
Confirm site links, costs, schedules, latency assumptions, bridge behavior, replication failures, and monitoring alerts.
Plan safe updates
Update subnets and site links through change control, validate after changes, and watch authentication and replication.
Save evidence and owners
Record topology exports, diagrams, tickets, owner approvals, before/after tests, and the next review date.
Common risks
Common Sites and Services mistakes
Unmapped subnets
Clients without subnet mapping may choose inefficient domain controllers.
Old branch sites
Closed offices and retired networks can leave stale topology and confusing replication paths.
VPN pools ignored
Remote users may authenticate inefficiently if VPN subnets are not mapped intentionally.
Cloud networks missing
Domain-joined cloud workloads need site, DNS, replication, and firewall planning.
Site link costs guessed
Costs and schedules should reflect real network paths and operational requirements.
No monitoring
Replication and DC selection problems need alerts, owners, and evidence.
Related support
Where IT Perfection can help
IT Perfection can help configure and maintain AD Sites and Services through managed IT, network infrastructure support, Microsoft server administration, DNS review, monitoring, and documentation.
For identity risk, ransomware readiness, audit concerns, and network security dependencies, OC Security Audit can validate directory controls through cybersecurity audit and risk assessment services.
Created by Ali Hassani, CISO
AD topology perspective from Ali Hassani
Ali Hassani brings 25+ years of hands-on experience across IT operations, cybersecurity, Microsoft infrastructure, network security, compliance readiness, cloud services, healthcare IT, MSP services, and business technology leadership.
This guide is for initial education and planning. It does not replace a professional cybersecurity audit, compliance assessment, penetration test, legal review, vendor engineering review, or Microsoft professional services engagement.
Directory topology should reflect real network design
Ali Hassani, CISO and IT infrastructure consultant, has 25+ years of experience across Active Directory, DNS, network infrastructure, Microsoft server administration, cybersecurity auditing, disaster recovery, and managed IT. Sites and Services should be reviewed whenever network topology changes.
FAQ
Active Directory Sites and Services FAQ
What does Active Directory Sites and Services control?
It maps domain controllers, sites, subnets, and replication paths so clients and DCs use appropriate topology.
Why do AD subnets matter?
Subnets help clients locate the right site and domain controller, which affects logon, policy, and service behavior.
Should VPN subnets be mapped?
Yes. VPN pools should be mapped intentionally so remote users reach appropriate domain controllers.
What evidence should be kept?
Save site and subnet exports, site link settings, network diagrams, replication checks, tickets, and before/after validation.
Can IT Perfection help with Sites and Services cleanup?
Yes. IT Perfection can help review topology, map subnets, troubleshoot logon or replication issues, and maintain documentation.