Deep Dive Guide

Active Directory Sites and Services redesign for branch latency and controller placement.

Architecture and cutover plan for reworking sites, subnets, bridgeheads, and referral behavior in a multi-site forest.

Start by proving how clients and controllers behave today.

Site redesign work often fixes a mapping problem that nobody measured. Before changing topology, document which subnets map to which sites, which client address ranges map to no site at all, and where branch users are actually authenticating now.

Runbook note: If a branch has intermittent WAN quality, validate both steady-state referrals and degraded-path behavior before changing site or subnet definitions.

  • Export existing sites, subnets, site links, bridgehead assumptions, and controller placement for every branch and hub.
  • Capture which controllers branch clients currently discover and whether that aligns with intended latency, jurisdiction, or support boundaries. Netlogon event 5807 on hub controllers, and the NO_CLIENT_SITE entries it points to in %SystemRoot%\debug\netlogon.log, list clients whose addresses match no subnet object and therefore landed on whichever controller the domain-wide SRV records returned.
  • Review the site-specific DNS SRV records (_ldap._tcp.<site>._sites.dc._msdcs.<domain>), VPN address pools, and SD-WAN ranges that may be missing from subnet definitions.
  • Define success as predictable controller selection, acceptable replication windows, and no unexpected authentication hairpinning.

Command path:

  • Get-ADReplicationSite -Filter *
  • Get-ADReplicationSubnet -Filter *
  • nltest /dsgetsite
  • nltest /dsgetdc:corp.example.com

GUI path: Active Directory Sites and Services > Sites, Subnets, Inter-Site Transports, and NTDS Settings.
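Added example for this step, not code from the original guide: it mines Netlogon's NO_CLIENT_SITE entries for clients that matched no subnet object, collapses them into candidate prefixes for the network team to confirm, and flags any candidate that has since been defined. It assumes the ActiveDirectory RSAT module and that Netlogon logging is enabled on the hub controllers (nltest /dbflag:0x2080ffff turns it on, nltest /dbflag:0x0 turns it off again; the log is chatty). The log lines below are constructed in the shape of real netlogon.log entries; in production read the file itself.

```powershell
# Added example, not from the original guide. Assumes the ActiveDirectory module
# and Netlogon debug logging on the DC whose log you read. Sample lines are constructed.
Import-Module ActiveDirectory

# A NO_CLIENT_SITE line names a client whose address matched no subnet object, so it
# reached this DC by domain-wide SRV lookup rather than by site affinity.
$noSitePattern = 'NO_CLIENT_SITE:\s+(?<Host>\S+)\s+(?<Ip>\d{1,3}(?:\.\d{1,3}){3})'

function Get-UnmappedClient {
    param([Parameter(Mandatory)][string[]]$LogLines)
    foreach ($line in $LogLines) {
        if ($line -match $noSitePattern) {
            [pscustomobject]@{ Host = $Matches.Host; Address = $Matches.Ip }
        }
    }
}

function Get-NetworkPrefix {
    # Network address of $Address at the given prefix length, e.g. 10.200.5.77 -> 10.200.5.0/24
    param([string]$Address, [int]$PrefixLength)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $netBytes = for ($i = 0; $i -lt 4; $i++) {
        $bits = [math]::Max(0, [math]::Min(8, $PrefixLength - 8 * $i))
        $mask = 256 - [math]::Pow(2, 8 - $bits)        # 255 for a full octet, 0 for none
        [byte]($bytes[$i] -band [int]$mask)
    }
    return ('{0}/{1}' -f ($netBytes -join '.'), $PrefixLength)
}

function Get-CandidateSubnet {
    # Collapse unmapped clients into /24 candidates; a VPN pool or SD-WAN range is often
    # wider than /24, so treat these as leads for the network team, not final subnet objects.
    param([Parameter(Mandatory)][object[]]$Clients, [int]$PrefixLength = 24)
    $Clients | Group-Object { Get-NetworkPrefix $_.Address $PrefixLength } | ForEach-Object {
        [pscustomobject]@{
            Candidate = $_.Name
            Clients   = $_.Count
            Sample    = ($_.Group | Select-Object -First 3 -ExpandProperty Host) -join ', '
        }
    } | Sort-Object Clients -Descending
}

# Constructed sample lines; in production use:
#   Get-Content "$env:SystemRoot\debug\netlogon.log"
$sampleLog = @(
    '03/12 08:02:11 [MISC] [2204] CORP: NO_CLIENT_SITE: LT-7F3A 10.200.5.77',
    '03/12 08:02:15 [MISC] [2204] CORP: NO_CLIENT_SITE: LT-9B10 10.200.5.104',
    '03/12 08:03:40 [MISC] [2204] CORP: NO_CLIENT_SITE: WS-EAST-21 10.44.13.9',
    '03/12 08:03:41 [MISC] [2204] CORP: DsGetDcName function called: client PID=1180, Dom:CORP Acct:(null) Flags: DS',
    '03/12 08:05:02 [MISC] [2204] CORP: NO_CLIENT_SITE: LT-4C22 10.200.5.12'
)

$clients    = Get-UnmappedClient -LogLines $sampleLog
$candidates = Get-CandidateSubnet -Clients $clients
$existing   = (Get-ADReplicationSubnet -Filter *).Name

# Expected from the sample: 10.200.5.0/24 (3 clients) and 10.44.13.0/24 (1 client)
$candidates |
    Select-Object Candidate, Clients, Sample, @{ n = 'AlreadyDefined'; e = { $existing -contains $_.Candidate } } |
    Format-Table -AutoSize
```

Run it against the log from each hub controller separately: a range that only shows up on one hub is usually a VPN pool or SD-WAN overlay terminating there, which tells you which site the new subnet object should belong to.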

Change one layer at a time: subnets, site links, then controller placement.

The cleanest redesign starts with correcting subnet membership, then adjusting site links and costs, and only then changing where controllers or Global Catalogs live.

  • Create or correct subnet objects first so client-site mapping becomes deterministic before any replication-cost changes are introduced.
  • Adjust site-link costs and schedules to reflect business-critical replication paths instead of historical WAN assumptions. Prefer dedicated hub-to-branch links over tuning DEFAULTIPSITELINK: every site belongs to that link until you move it, so a cost change there is a forest-wide change, not a per-branch one.
  • Place Global Catalogs and bridgehead candidates intentionally in sites that need them rather than inheriting them from prior hardware placement. If you designate preferred bridgehead servers, designate at least two per site and transport: the KCC does not fall back to a non-preferred controller, so a single preferred bridgehead going offline stops inter-site replication for that site.
  • Avoid large simultaneous subnet remaps across many branches unless you have clean telemetry for client referral behavior.

Command path:

  • New-ADReplicationSubnet -Name "10.44.12.0/24" -Site "Branch-East"
  • Set-ADReplicationSiteLink -Identity DEFAULTIPSITELINK -Cost 150 -ReplicationFrequencyInMinutes 30
  • Get-ADDomainController -Filter * | Select HostName,Site,IsGlobalCatalog

GUI path: Active Directory Sites and Services > Subnets for mapping, then Inter-Site Transports > IP for site-link cost and schedule adjustments.
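Added example for the layered cutover above, not code from the original guide. It applies the subnet layer idempotently (create if missing, move if mapped to the wrong site, refuse to map to a site that does not exist), then the site-link layer, and finishes by reporting what each site currently hosts so the controller-placement decision is made on facts. It assumes the ActiveDirectory RSAT module and write access to CN=Sites in the Configuration partition; the site names, prefixes and the Hub-Branch-East link are constructed for illustration. Run each function with -WhatIf before applying.

```powershell
# Added example, not from the original guide. Site names, prefixes and the
# site-link name are constructed; the plan table would come from the network team.
Import-Module ActiveDirectory

# Layer 1: subnets. One row per branch VLAN, VPN pool or SD-WAN range.
$subnetPlan = @(
    [pscustomobject]@{ Prefix = '10.44.12.0/24'; Site = 'Branch-East'; Location = 'East branch user VLAN' },
    [pscustomobject]@{ Prefix = '10.44.13.0/24'; Site = 'Branch-East'; Location = 'East branch printers' },
    [pscustomobject]@{ Prefix = '10.200.0.0/16'; Site = 'Hub-Primary'; Location = 'Remote-access VPN pool' }
)

function Set-SubnetPlan {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][object[]]$Plan)
    # Resolve sites once; refuse to point a subnet at a site that does not exist.
    $sites = @{}
    Get-ADReplicationSite -Filter * | ForEach-Object { $sites[$_.Name] = $_.DistinguishedName }
    foreach ($row in $Plan) {
        if (-not $sites.ContainsKey($row.Site)) {
            Write-Warning "Skipping $($row.Prefix): site '$($row.Site)' does not exist"
            continue
        }
        $existing = Get-ADReplicationSubnet -Filter "Name -eq '$($row.Prefix)'"
        if ($null -eq $existing) {
            if ($PSCmdlet.ShouldProcess($row.Prefix, "Create subnet in $($row.Site)")) {
                New-ADReplicationSubnet -Name $row.Prefix -Site $row.Site -Location $row.Location
            }
        }
        elseif ($existing.Site -ne $sites[$row.Site]) {
            $from = if ($existing.Site) { ($existing.Site -split ',')[0] -replace '^CN=', '' } else { '(unassigned)' }
            if ($PSCmdlet.ShouldProcess($row.Prefix, "Move subnet from $from to $($row.Site)")) {
                Set-ADReplicationSubnet -Identity $row.Prefix -Site $row.Site
            }
        }
        else {
            Write-Verbose "$($row.Prefix) already maps to $($row.Site)"
        }
    }
}

# Layer 2: site links, only after subnets are correct, so a replication-path change
# is never confused with a client-site change in the telemetry.
function Set-SiteLinkPlan {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name, [int]$Cost, [int]$FrequencyMinutes)
    $link = Get-ADReplicationSiteLink -Identity $Name
    if ($link.Cost -ne $Cost -or $link.ReplicationFrequencyInMinutes -ne $FrequencyMinutes) {
        $why = "Cost $($link.Cost)->$Cost, interval $($link.ReplicationFrequencyInMinutes)->$FrequencyMinutes min"
        if ($PSCmdlet.ShouldProcess($Name, $why)) {
            Set-ADReplicationSiteLink -Identity $Name -Cost $Cost -ReplicationFrequencyInMinutes $FrequencyMinutes
        }
    }
}

# Layer 3 is a placement decision, not a script: list what each site holds before moving anything.
function Get-SiteInventory {
    Get-ADDomainController -Filter * | Group-Object Site | ForEach-Object {
        [pscustomobject]@{
            Site  = $_.Name
            DCs   = $_.Count
            GCs   = @($_.Group | Where-Object IsGlobalCatalog).Count
            RODCs = @($_.Group | Where-Object IsReadOnly).Count
        }
    }
}

Set-SubnetPlan -Plan $subnetPlan -WhatIf          # dry run first
Set-SubnetPlan -Plan $subnetPlan -Verbose
Set-SiteLinkPlan -Name 'Hub-Branch-East' -Cost 150 -FrequencyMinutes 30 -WhatIf
Get-SiteInventory | Format-Table -AutoSize
```

The subnet step deliberately refuses unknown sites instead of creating them, because a site created as a side effect of a subnet import ends up in DEFAULTIPSITELINK with no controller and no deliberate cost. Create sites on purpose, then run the plan.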

Measure both who clients choose and how directory changes propagate.

A good redesign produces predictable controller discovery for clients and healthy replication timelines for directory changes. Both need to be tested from branches and hubs.

  • Test client discovery from branch VLANs, VPN address pools, and server subnets that historically selected the wrong site.
  • Create a test object change at the hub and measure how quickly it is visible from remote-site controllers and clients.
  • Confirm SYSVOL replication, prompt delivery of password changes to the PDC emulator, and controller DNS SRV registration (including the site-specific _sites records) still meet operational expectations after the topology shift.
  • Review replication queues and event logs before widening the redesign to additional sites.

Command path:

  • repadmin /showrepl * /csv
  • repadmin /kcc *
  • nltest /dsgetsite
  • gpupdate /force

GUI path: Event Viewer, Active Directory Sites and Services, and branch-host command prompts or remote sessions for referral testing.
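Added example for this measurement step, not code from the original guide. It measures replication convergence by stamping a unique marker on a dedicated test object at the hub and polling each branch controller until that exact value appears, then runs the locator checks from branch probe hosts with /force so a cached answer cannot hide a bad subnet mapping. It assumes the ActiveDirectory RSAT module, WinRM access to one probe host per branch, and a pre-created, unprivileged canary object; the controller, object and host names are constructed.

```powershell
# Added example, not from the original guide. DC, object and probe-host names are
# constructed; the canary object must exist before the test and carries no rights.
Import-Module ActiveDirectory

$hubDc      = 'HUB-DC01.corp.example.com'
$branchDcs  = 'BRE-DC01.corp.example.com', 'BRW-DC01.corp.example.com'
$testObject = 'CN=repl-canary,OU=Monitoring,DC=corp,DC=example,DC=com'

function Measure-ReplicationLatency {
    param([string]$SourceDc, [string[]]$TargetDcs, [string]$ObjectDn, [int]$TimeoutSeconds = 900)
    # Write a unique marker at the source, then poll each target until that exact value is visible.
    $marker = 'canary-' + [guid]::NewGuid().ToString('N')
    Set-ADObject -Identity $ObjectDn -Server $SourceDc -Replace @{ description = $marker }
    $started = Get-Date
    $pending = [System.Collections.Generic.List[string]]::new($TargetDcs)
    $results = @{}
    while ($pending.Count -gt 0 -and ((Get-Date) - $started).TotalSeconds -lt $TimeoutSeconds) {
        foreach ($dc in @($pending)) {
            $seen = (Get-ADObject -Identity $ObjectDn -Server $dc -Properties description -ErrorAction SilentlyContinue).description
            if ($seen -eq $marker) {
                $results[$dc] = [math]::Round(((Get-Date) - $started).TotalSeconds)
                $pending.Remove($dc) | Out-Null
            }
        }
        if ($pending.Count -gt 0) { Start-Sleep -Seconds 15 }
    }
    foreach ($dc in $pending) { $results[$dc] = "not converged within $TimeoutSeconds s" }
    return $results
}

function Test-BranchLocator {
    param([string[]]$ProbeHosts, [string]$Domain = 'corp.example.com')
    # Same checks as the guide's command path, but run from the branch and with /force
    # so the locator re-queries instead of returning its cached controller.
    Invoke-Command -ComputerName $ProbeHosts -ScriptBlock {
        param($d)
        $site = nltest /dsgetsite 2>$null | Select-Object -First 1
        $out  = nltest "/dsgetdc:$d" /force 2>$null
        $dc   = ($out | Where-Object { $_ -match '^\s*DC:' }) -replace '^\s*DC:\s*\\\\', ''
        [pscustomobject]@{
            Probe      = $env:COMPUTERNAME
            ClientSite = "$site".Trim()
            ChosenDc   = "$dc".Trim()
            InSite     = [bool]($out -match 'CLOSE_SITE')   # the chosen DC is in the client's own site
        }
    } -ArgumentList $Domain | Select-Object Probe, ClientSite, ChosenDc, InSite
}

Measure-ReplicationLatency -SourceDc $hubDc -TargetDcs $branchDcs -ObjectDn $testObject
Test-BranchLocator -ProbeHosts 'BRE-WS-PROBE', 'BRW-WS-PROBE'
repadmin /replsummary
repadmin /queue
```

A branch row with InSite false after the subnet change means the probe's address still resolves to no site or to the wrong one; fix the subnet object before touching site-link costs, otherwise the replication measurements will be taken from a client path you did not intend.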

Finish with a supportable branch-placement model.

The redesign is complete when subnet onboarding, controller placement, and replication-cost decisions are documented well enough that future network changes do not recreate the same issue.

  • Publish subnet-to-site ownership rules so network teams know when directory updates are required during branch changes.
  • Document which sites must host Global Catalogs, writable controllers, or read-only controllers and why.
  • Add a validation step to every future branch rollout or SD-WAN change so client-site mapping is retested before production users move.
  • Review the topology quarterly rather than waiting for the next authentication incident to expose drift.

Command path:

  • Get-ADReplicationSite -Filter * | Select Name
  • Get-ADReplicationSubnet -Filter * | Select Name,Site

GUI path: Operational runbooks, Active Directory Sites and Services, and network-change procedures updated after implementation.
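Added example for the quarterly review, not code from the original guide. It reports the drift a topology review should catch: subnet objects assigned to no site, sites with no subnets or no controller, sites with controllers but no Global Catalog, and subnets added, moved or deleted since the published baseline. It assumes the ActiveDirectory RSAT module; the baseline CSV path is an assumption and stands for the subnet export signed off when the redesign finished (the Name,Site export from the command path above works as-is, whether Site holds a name or a DN).

```powershell
# Added example, not from the original guide. The baseline CSV path is assumed.
Import-Module ActiveDirectory

function Get-SiteTopologyDrift {
    param([string]$BaselineCsv = '.\subnets-baseline.csv')
    $sites   = Get-ADReplicationSite -Filter *
    $subnets = Get-ADReplicationSubnet -Filter *
    $dcs     = Get-ADDomainController -Filter *
    # Site values may be a DN or a plain name; reduce both to the site name.
    $siteOf  = { param($v) if ($v) { ($v -split ',')[0] -replace '^CN=', '' } else { $null } }

    $findings = [System.Collections.Generic.List[object]]::new()
    $add = { param($kind, $obj, $why) $findings.Add([pscustomobject]@{ Kind = $kind; Object = $obj; Why = $why }) }

    # Subnet objects mapped to no site give their clients no site affinity at all.
    foreach ($s in $subnets | Where-Object { -not $_.Site }) { & $add 'Subnet' $s.Name 'not assigned to any site' }

    foreach ($site in $sites) {
        $here = @($dcs | Where-Object Site -eq $site.Name)
        if (-not ($subnets | Where-Object { (& $siteOf $_.Site) -eq $site.Name })) {
            & $add 'Site' $site.Name 'has no subnets; no client can be mapped to it'
        }
        if ($here.Count -eq 0) {
            & $add 'Site' $site.Name 'has no domain controller; clients mapped here cross the WAN'
        }
        elseif (-not ($here | Where-Object IsGlobalCatalog)) {
            & $add 'Site' $site.Name 'has controllers but no Global Catalog'
        }
    }

    # Drift against the published baseline: new, moved and deleted subnets.
    if (Test-Path $BaselineCsv) {
        $baseline = @{}
        Import-Csv $BaselineCsv | ForEach-Object { $baseline[$_.Name] = & $siteOf $_.Site }
        foreach ($s in $subnets) {
            $now = & $siteOf $s.Site
            if (-not $baseline.ContainsKey($s.Name))  { & $add 'Subnet' $s.Name "not in baseline (now in $now)" }
            elseif ($baseline[$s.Name] -ne $now)      { & $add 'Subnet' $s.Name "moved from $($baseline[$s.Name]) to $now" }
        }
        foreach ($name in $baseline.Keys | Where-Object { $subnets.Name -notcontains $_ }) {
            & $add 'Subnet' $name 'in baseline but no longer in AD'
        }
    }
    return $findings
}

Get-SiteTopologyDrift | Sort-Object Kind, Object | Format-Table -AutoSize
```

Every finding here maps to a rule in the published ownership model: an unlisted subnet means a network change went in without the directory update, a site with no Global Catalog means a placement decision was undone by a hardware refresh. Treat a non-empty report as a change request, not an informational note.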