
Why Active Directory sites and subnets?

In any successful network there are mainly two topologies. One is the physical topology, which represents the structure of the network: the network layout, hardware placement and IP address allocation. The other is the logical topology, which represents the security boundaries of the network, the network services, and so on. In an Active Directory based infrastructure, the “Domain” represents the logical topology while “Sites and Subnets” represent the physical topology.

A site can simply be defined as a physical location or network. It can be a separate building, a separate city or even a separate country. As an example, Contoso Ltd. has its head office in London, UK, where its domain controller and the rest of its servers and equipment run. It allocates IP addresses for that network from the subnet 192.168.148.0/24. As the business grows, the company opens a branch office in Toronto, Canada. Even though it is in a different physical location, it is under the main contoso.com domain, and it runs a separate network with the IP address allocation 10.10.10.0/24. To keep company operations smooth and productive it is important to run the network as one even though it spans two geographical locations. The company has spent a large amount of money to connect the two offices with a 256kb link. As we know, replication is crucial in an Active Directory environment: whatever changes happen on one domain controller should replicate to the others. But in this setup, if we simply allow direct replication between the HQ and branch office domain controllers, replication will be slow and the majority of the link bandwidth will be used for replication traffic and other DC service related traffic. Also, let’s assume users in the branch office access some files from a DFS file share. If that goes via the slow 256kb link it will be a bottleneck for company operations in both time and reliability. The answer to all these concerns is the use of sites, subnets and site links. Sites help to localize services: once sites are set up, when users authenticate to a DC or try to access a file on a DFS share, they are immediately directed to the domain controllers and DFS servers in their own site. We can also optimize the links between sites and decide how much traffic should be allocated, when replication should happen, and so on. Isn’t it a beauty?


In a site setup, subnets represent the IP address allocations. That does not necessarily mean that every address behind a router belongs to one site. Subnets can be IPv4 or IPv6. Based on its subnets, a site defines the physical boundaries of the network.

Site and domain setups can mainly be divided into two types.

Single site with multiple domains – here one site hosts multiple domains. For example, the Contoso Ltd. London site may use both the contoso.com and xyz.net domains.

Single domain with multiple sites – here one domain has multiple sites. This is exactly my previous example: Contoso Ltd. has two sites, London, UK and Toronto, Canada, but they are all under the same contoso.com domain.

Benefits of Sites and Services

There are mainly three benefits we can identify.

Replication – In a typical AD DS setup all domain controllers replicate changes between each other, assuming they are all connected via fast network links. In the real world that is often not the case. With sites and site links we can optimize replication between domain controllers to get the best out of slow links.

Service Location – An Active Directory setup integrates other services that support company operations, for example DFS, Active Directory Certificate Services and mail services. Using the sites and subnet setup we can point users to the nearest server for those services. So users in Site B are served by the DFS server in Site B when they try to access a file, instead of the request passing to Site A.

Authentication – When a user logs in to the domain, the computer simply communicates with a domain controller for authentication. But let’s assume 100 users in Site B are trying to log in to their computers in the morning. Communicating with the domain controller in Site A would take a lot of bandwidth from the slow link between the sites and also a large amount of time. With correct server placement and site setup we can point all the users in Site B to the Site B domain controller.
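To show what the London/Toronto scenario above looks like once it is configured, here is an added PowerShell example (my illustration, not configuration from the original post). It uses the ActiveDirectory module; the site names, the site link name and the cost and interval values are assumptions, while the two subnets are the ones given in the article. It also includes the checks I would run afterwards to confirm clients are landing in the right site.

```powershell
# Added example: two sites, their subnets and one site link over the slow WAN.
# Assumes a host with the ActiveDirectory module (RSAT or a DC) and rights to
# edit the Configuration partition. Names and cost/interval values are
# example choices, not values from the post.
Import-Module ActiveDirectory

# 1. Sites: one per physical location. A new forest starts with a single
#    site, which is usually renamed to the head office location.
Get-ADReplicationSite -Identity 'Default-First-Site-Name' |
    Rename-ADObject -NewName 'London'
New-ADReplicationSite -Name 'Toronto'

# 2. Subnets: the address ranges from the article, each mapped to its site.
#    A client with a 10.10.10.x address is therefore treated as "in Toronto"
#    by the DC locator and by site-aware services such as DFS.
New-ADReplicationSubnet -Name '192.168.148.0/24' -Site 'London'
New-ADReplicationSubnet -Name '10.10.10.0/24'   -Site 'Toronto'

# 3. Site link over the 256kb WAN. Cost above the default (100) makes this
#    path less preferred if a cheaper one ever exists; a longer interval than
#    the default 180 minutes reduces how often the link carries replication.
New-ADReplicationSiteLink -Name 'London-Toronto' `
    -SitesIncluded 'London', 'Toronto' `
    -Cost 200 `
    -ReplicationFrequencyInMinutes 240 `
    -InterSiteTransportProtocol IP

# 4. Verify the mapping: every subnet should show the site you expect, and
#    the locator should return a Toronto DC once one is promoted there.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Get-ADDomainController -Discover -SiteName 'Toronto' |
    Select-Object HostName, Site
# On a client in Toronto, "nltest /dsgetsite" should print Toronto.

# 5. Find clients that no subnet covers. They fall back to any DC, often over
#    the WAN, and the DC's netlogon log records them as NO_CLIENT_SITE.
Select-String -Path "$env:SystemRoot\debug\netlogon.log" `
    -Pattern 'NO_CLIENT_SITE' | Select-Object -Last 20
```

Keep in mind that a longer replication interval also delays propagation of security changes such as a disabled account or a group membership change to the remote site, so the interval is a trade-off between link usage and how quickly those changes take effect everywhere.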

In this article I have explained the use of sites, subnets and site links; in the next article let’s look at the configuration. If you have any questions about the post, feel free to contact me on rebeladm@live.com
