When You Need a New Site
Create a new AD site when:
- You have a remote office connected via WAN — not LAN-speed connectivity
- You have a subnet that should authenticate to a local DC rather than one across the wire
- You want to control replication scheduling between locations
- Clients are logging in slowly because they're hitting a DC in the wrong location
A site in AD is a collection of subnets with high-bandwidth connectivity between them. AD uses sites to route clients to the nearest DC and to control replication timing.
Create the Site
# Create a new site
New-ADReplicationSite -Name "Branch-Dallas"
# Verify it was created
Get-ADReplicationSite -Filter * | Select Name, Location
Alternatively in Active Directory Sites and Services (dssite.msc): right-click Sites → New Site → name it → select a site link (DEFAULTIPSITELINK is fine initially).
Add Subnets
Subnets tell AD which IP ranges belong to which site. Clients check their IP against this list to find their site and nearest DC.
# Add subnets to the new site
New-ADReplicationSubnet -Name "10.20.0.0/24" -Site "Branch-Dallas" -Location "Dallas, TX"
New-ADReplicationSubnet -Name "10.20.1.0/24" -Site "Branch-Dallas" -Location "Dallas, TX"
# List all subnets and their assigned sites
Get-ADReplicationSubnet -Filter * | Select Name, Site | Format-Table
Configure Site Links
Site links define how sites replicate with each other — the cost and the schedule.
# Create a site link between HQ and Dallas
New-ADReplicationSiteLink -Name "HQ-Dallas" `
-SitesIncluded @("Default-First-Site-Name", "Branch-Dallas") `
-Cost 100 `
-ReplicationFrequencyInMinutes 180
# View existing site links
Get-ADReplicationSiteLink -Filter * | Select Name, Cost, ReplicationFrequencyInMinutes
Cost is relative — lower cost = preferred replication path. The default DEFAULTIPSITELINK uses cost 100. For real-time replication over a reliable link, enable change notification:
# Enable change notification on a site link (near-real-time replication)
# Set-* cmdlets modify attributes with -Replace; -OtherAttributes exists only on New-* cmdlets
Set-ADReplicationSiteLink -Identity "HQ-Dallas" -Replace @{'options'=1}
Move or Add a DC to the New Site
# Move an existing DC to the new site
Move-ADDirectoryServer -Identity DC03 -Site "Branch-Dallas"
# Verify
Get-ADDomainController -Identity DC03 | Select Name, Site
If you're deploying a new DC in the branch, install it while connected to the branch network — AD will automatically place it in the correct site based on its IP address and the subnet definitions you created.
Verify Client Site Assignment
# On a client in the Dallas subnet — verify correct site assignment
nltest /dsgetsite
# Expected: Branch-Dallas
# Verify client is finding the local DC
nltest /dsgetdc:corp.local /site:Branch-Dallas
# Check which DC the client is actually using for authentication
nltest /sc_query:corp.local
If nltest /dsgetsite shows the wrong site, the client's IP isn't covered by a subnet definition, or the subnet is mapped to the wrong site. Fix the subnet mapping in AD Sites and Services.
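The subnet lookup described under Add Subnets and in the troubleshooting note above can be checked offline for any client IP. This is an added example, not code from the original page: the function names are hypothetical, the subnet list is constructed sample data (the 10.0.0.0/8 catch-all is an assumption added to show a masked gap), and it handles IPv4 only, picking the most specific matching subnet.

```powershell
# Convert a dotted-quad IPv4 string to a number; returns $null for IPv6 or junk.
function ConvertTo-IPv4Number {
    param([string] $Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref] $ip)) { return $null }
    if ($ip.AddressFamily -ne 'InterNetwork') { return $null }
    [long] $n = 0
    foreach ($b in $ip.GetAddressBytes()) { $n = ($n * 256) + $b }
    return $n
}

# Hypothetical helper: find the subnet object (and so the site) covering an IP.
# The most specific (longest prefix) matching subnet wins.
function Resolve-SiteForIP {
    param(
        [Parameter(Mandatory)] [string]   $IPAddress,
        [Parameter(Mandatory)] [object[]] $Subnets   # objects with Name and Site
    )
    $ipNum = ConvertTo-IPv4Number $IPAddress
    if ($null -eq $ipNum) { throw "Not an IPv4 address: $IPAddress" }

    # Prefix -1 means "no subnet definition covers this IP"
    $best = [pscustomobject]@{ IP = $IPAddress; Subnet = $null; Site = $null; Prefix = -1 }
    foreach ($s in $Subnets) {
        $net, $prefix = $s.Name -split '/'
        $netNum = ConvertTo-IPv4Number $net
        if ($null -eq $netNum -or $prefix -notmatch '^\d+$' -or [int] $prefix -gt 32) { continue }
        $hostBits = 32 - [int] $prefix
        $covers = ($ipNum -shr $hostBits) -eq ($netNum -shr $hostBits)
        if ($covers -and [int] $prefix -gt $best.Prefix) {
            $best = [pscustomobject]@{ IP = $IPAddress; Subnet = $s.Name; Site = $s.Site; Prefix = [int] $prefix }
        }
    }
    return $best
}

# Constructed sample data. With the AD module loaded, use instead:
#   $subnets = Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
$subnets = @(
    [pscustomobject]@{ Name = '10.20.0.0/24'; Site = 'Branch-Dallas' }
    [pscustomobject]@{ Name = '10.20.1.0/24'; Site = 'Branch-Dallas' }
    [pscustomobject]@{ Name = '10.0.0.0/8';   Site = 'Default-First-Site-Name' }
)
'10.20.1.57', '10.20.2.9', '192.168.5.4' |
    ForEach-Object { Resolve-SiteForIP -IPAddress $_ -Subnets $subnets } |
    Format-Table IP, Subnet, Site
```

A Dallas client on an undefined 10.20.2.0/24 range falls through to the broad catch-all and is assigned to HQ, while an address with no covering subnet returns an empty Site; both cases send authentication to a DC the client was not meant to use.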
GPO Scope for Sites
GPOs are normally linked to OUs, not to sites, so moving a DC to a new site doesn't change which OU-linked GPOs apply to it or its clients. However, site-linked GPOs do exist:
In GPMC: right-click Sites → Show Sites → right-click the site → Link an Existing GPO.
Site-linked GPOs apply to all users and computers in that site regardless of OU. Useful for site-specific printers or proxy settings. For everything else, use OU linking — it's easier to manage and troubleshoot with gpresult.