Lesson 2 Create a site
Objective Create a site using Active Directory

Create Site using Active Directory

In Microsoft's Active Directory (AD), a "Site" is not the same thing as an Internet Protocol (IP) subnet, although the two concepts are closely related. Active Directory Sites are logical objects that describe the network infrastructure for the purposes of administration and replication. They represent the physical structure of your network and can be composed of one or more IP subnets. An Active Directory Site is usually made up of networks that are well connected in terms of speed and reliability: typically LAN segments rather than slower WAN links. When you define multiple sites, Active Directory can optimize network traffic, direct clients to nearby resources, and replicate directory data more efficiently.
A site can technically consist of a single subnet, but it does not have to; a site can contain multiple subnets. What matters is that communication within a site is fast and reliable, which usually means the site corresponds to a geographical location or a specific part of your organizational infrastructure. A site may therefore contain two or more subnets connected by a high-bandwidth link, but the concept of an Active Directory Site is not strictly tied to the notion of a subnet. It is a higher-level, more flexible construct designed to structure and optimize directory traffic within the constraints of your physical infrastructure.

'Site' is defined as a set of IP Subnets

In Active Directory, a 'Site' is defined as a set of IP subnets that have high-speed, reliable network connections among them. A Site can consist of one or more subnets; it does not equate directly to a single subnet. Sites exist to keep traffic flow and replication efficient among the different parts of an organization's network. The Site configuration in Active Directory is used primarily to control replication traffic, to authenticate users against the nearest domain controller, and to localize resource access in larger environments. In short, Sites let administrators align Active Directory with the physical topology of the network: a Site is not an IP subnet, but a higher-level construct that encompasses one or more subnets in order to control logon authentication traffic and Active Directory replication.
Figure: an Active Directory Site

As an administrator, you may need to create multiple sites if your network is large and geographically dispersed. Creating sites is not something that is done frequently, and in smaller networks it may never be needed at all. In a large network, sites are created when you initially set up the Windows 2000 network; if you later add a branch office in a new location, you might create additional sites.


How to create a 'Site'

Creating a site involves providing a name for the new site and associating the site with a site link. You must either log on as a member of the Enterprise Admins group to create sites, or use the Secondary Logon Service to start Active Directory Sites and Services in the security context of a member of the Enterprise Admins group. Then complete these steps:
  1. Open Active Directory Sites and Services from the Administrative Tools menu.
  2. In the console tree of Active Directory Sites and Services, right-click Sites, and then click New Site.
  3. In the Create New Object - (Site) dialog box, type a site name in the Name box.
  4. Click a site link, and then click OK. (Select the default site link if it is the only link available.)

Enterprise Admins Group

The "Enterprise Admins" group still exists in modern Windows Server environments as a built-in security group within Active Directory Domain Services (AD DS). While Windows 2000 is no longer supported, the concept and functionality of the Enterprise Admins group have carried forward. In AD DS, the Enterprise Admins group retains its high level of privilege and control. Members of this group have full administrative access to all domains within the forest. This includes the ability to manage domain controllers, modify group memberships, and perform other critical administrative tasks across the entire Active Directory infrastructure.
It's important to note that due to its extensive permissions, membership in the Enterprise Admins group should be tightly controlled and limited to trusted administrators. Assigning excessive permissions increases the risk of unauthorized access and security breaches. Microsoft's official documentation on Active Directory security groups provides more details on the Enterprise Admins group and its role in managing Active Directory forests.
  • Active Directory Groups: Active Directory supports three group scopes: domain local, domain global, and universal. Groups in each of these scopes behave slightly differently based on the domain and forest functional levels. To complicate matters further, each group scope can have two types: distribution and security. The type is the easier piece to define. If the type is distribution, the group's SID is not added to a user's security token during logon, so it cannot be used for Windows security purposes. Distribution groups are generally used as a messaging list (a set of users that you can mail or send instant messages to all at once), though it is possible to use them as security groups for LDAP-based applications or for other applications that don't use the standard Windows security model. Microsoft Exchange represents distribution lists with Active Directory distribution groups. Security groups, by contrast, are enumerated during logon, and the SIDs of any groups of which the user is a member are added to the user's security token. Security groups can also be leveraged by Exchange as distribution lists.
    All Windows editions that support Kerberos will encounter problems if security principals are members of too many groups. The token of the security principal becomes too large for Windows to handle, and users may experience authentication or other Kerberos issues. This phenomenon is often referred to as token bloat. The three different scopes of mailing lists and security groups result from the legacy of Windows NT and the introduction of the Global Catalog (GC). Global groups and domain local groups are the direct descendants of Windows NT groups; the membership of these groups is only available from domain controllers of the domains in which they are created. Universal group membership is available both from the domain controllers of the domains in which they are created and from all Global Catalogs in the forest. Universal and global groups can be used in access control lists (ACLs) on any resource in the forest or in trusting domains. Domain local groups can only be used in ACLs in the domain in which they are created.
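Because the lesson asks you to work as an Enterprise Admin, an administrator should be able to answer two questions from the two passages above: who effectively holds that membership (including through nested groups), and how many group SIDs each member's logon token would carry (the token bloat concern). The following PowerShell is an added example, not part of the original lesson; it assumes the ActiveDirectory module from RSAT and a reachable domain controller. The function name Get-PrivilegedGroupReport is this example's own.

```powershell
# Added example: audit effective Enterprise Admins membership and the
# number of SIDs each member's token would carry. Not from the lesson.
Import-Module ActiveDirectory

function Get-PrivilegedGroupReport {
    param(
        [string]$GroupName = 'Enterprise Admins'
    )

    # Enterprise Admins exists only in the forest root domain; target it
    # explicitly so the query also works when run from a child domain.
    $rootDomain = (Get-ADForest).RootDomain
    $group = Get-ADGroup -Identity $GroupName -Server $rootDomain

    # -Recursive expands nested groups, which is where unexpected members hide.
    $members = Get-ADGroupMember -Identity $group -Server $rootDomain -Recursive

    foreach ($m in $members) {
        if ($m.objectClass -ne 'user') {
            # Computer accounts or foreign security principals in a privileged
            # group deserve a second look, so report them rather than skip them.
            [pscustomobject]@{
                Member = $m.SamAccountName; Class = $m.objectClass
                Enabled = $null; LastLogon = $null; TokenGroups = $null
            }
            continue
        }

        # A member may live in any domain of the forest; derive its domain
        # from the DC= components of the distinguished name.
        $dn = $m.DistinguishedName
        $memberDomain = (($dn -split ',') | Where-Object { $_ -like 'DC=*' } |
            ForEach-Object { $_ -replace '^DC=' }) -join '.'
        $user = Get-ADUser -Identity $dn -Server $memberDomain -Properties Enabled, LastLogonDate

        # tokenGroups is a constructed attribute holding every SID (nested and
        # domain local groups included) that would be placed in the logon token.
        # It must be requested explicitly via RefreshCache.
        $de = [ADSI]"LDAP://$memberDomain/$dn"
        $de.RefreshCache([string[]]@('tokenGroups'))
        $tokenCount = $de.Properties['tokenGroups'].Count

        [pscustomobject]@{
            Member      = $user.SamAccountName
            Class       = 'user'
            Enabled     = $user.Enabled
            LastLogon   = $user.LastLogonDate
            TokenGroups = $tokenCount
        }
    }
}

# Disabled or long-unused accounts and non-user objects stand out in this listing.
Get-PrivilegedGroupReport | Sort-Object TokenGroups -Descending | Format-Table -AutoSize
```

Run it from an account that can read group membership in the forest root domain; a member whose TokenGroups count is in the high hundreds is a candidate for the Kerberos token problems described above, and any entry with Class other than user should be explained or removed.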

Steps to Create an Active Directory Site

Here's how you can create an Active Directory (AD) site in Windows Server 2022:
Prerequisites:
  1. Active Directory Domain Services (AD DS): Ensure AD DS is installed and configured on your Windows Server 2022.
  2. DNS: A functioning Domain Name System (DNS) server is required for AD site resolution.
Steps:
  1. Open Active Directory Sites and Services:
    • Press the Windows key and search for "Active Directory Sites and Services".
    • Open the application.
  2. Create a New Site:
    • Right-click on the "Sites" container in the left pane.
    • Select "New Site".
    • Enter a descriptive name for your site (e.g., "NewYorkOffice").
  3. Link to a Site Link:
    • In the "New Object - Site" dialog, select a site link from the list of site link objects.
    • Select an existing site link, or create a new one first if needed (right-click "Inter-Site Transports", then "New Site Link").
  4. Assign a Subnet:
    • Expand your newly created site and right-click on "Subnets".
    • Select "New Subnet".
    • Enter the network address and subnet mask in CIDR notation (e.g., 192.168.1.0/24).
    • Select the newly created site from the "Site object" drop-down menu.
  5. Configure Site Link Properties (Optional):
    • Right-click on the site link you've used and select "Properties".
    • Here, you can customize settings like cost, replication schedule, and transport type (IP or SMTP).
  6. Verify Replication:
    • After creating the site and subnet, allow some time for AD replication to occur.
    • You can verify successful replication by checking the event logs or using the `repadmin` command-line tool.
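The same procedure (the Sites and Services steps in the earlier "How to create a 'Site'" section and the six steps just above) can be scripted, which also makes it repeatable and reviewable. The following PowerShell is an added example, not part of the original lesson; it assumes the ActiveDirectory module, an account with rights to the Configuration partition, and uses made-up sample values for the site name, site link name, subnet and cost. The verification at the end covers the two failure modes that matter most after a site change: a subnet left unmapped to any site, and replication errors.

```powershell
# Added example: create a site, site link and subnet, then verify.
# All names and the subnet below are constructed sample values.
Import-Module ActiveDirectory

$siteName = 'NewYorkOffice'               # step 2
$linkName = 'HQ-NewYork'                  # step 3
$hubSite  = 'Default-First-Site-Name'     # site the branch replicates with
$subnet   = '192.168.1.0/24'              # step 4, CIDR notation

# Step 2: create the site. The existence checks make the script safe to rerun.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
    New-ADReplicationSite -Name $siteName -Description 'New York branch office'
}

# Steps 3 and 5: site link over the IP transport, with cost and replication
# interval set explicitly instead of accepting the defaults.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName `
        -SitesIncluded $hubSite, $siteName `
        -InterSiteTransportProtocol IP `
        -Cost 100 `
        -ReplicationFrequencyInMinutes 15
}

# Step 4: map the subnet to the site so clients in it locate this site's DCs.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
    New-ADReplicationSubnet -Name $subnet -Site $siteName
}

# Step 6: verification.
# a) The objects exist and the subnet points at the right site.
Get-ADReplicationSite -Identity $siteName | Select-Object Name, DistinguishedName
Get-ADReplicationSubnet -Filter * |
    Where-Object { $_.Site -like "CN=$siteName,*" } |
    Select-Object Name, Site

# b) Subnets with no site at all: clients in them pick DCs without site affinity.
Get-ADReplicationSubnet -Filter * | Where-Object { -not $_.Site } |
    ForEach-Object { Write-Warning "Subnet $($_.Name) is not assigned to any site" }

# c) Domain controllers log NETLOGON event 5807 when clients connect from
#    addresses that map to no site; its presence means the subnet list is incomplete.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5807 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# d) Replication health across all DCs, as the lesson suggests.
repadmin /replsummary
```

Run the script on a domain controller or a management host with RSAT, then confirm site resolution from a client inside 192.168.1.0/24 with `nltest /dsgetsite`, which should print the new site name.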

Key Concepts:
  • Active Directory Site: A logical representation of a network location, typically defined by a collection of IP subnets.
  • Site Link: A connection between two or more sites, used for replication and authentication traffic.
  • Subnet: A division of an IP network, assigned to a specific site for replication purposes.

In the next lesson, you will create a subnet.
