How to Manage Active Directory Sites with PowerShell

Published: 18 May 2021 - 5 min. read

Anthony Metcalf

As an administrator of Active Directory (AD), you’re probably managing users, computers, and organizational units (OUs) most of the time. Less frequently, you will need to manage Active Directory sites. But when you need to use the command line or automate AD site creation, PowerShell is a must.


In this tutorial, you will learn how to manage AD sites using PowerShell, so you never have to open a Windows MMC ever again!

Prerequisites

This tutorial will have various demos. To follow along, be sure you have the following:

  • Windows PowerShell v5.1 or greater – This tutorial will use PowerShell 5.1.
  • An AD domain – The examples will use a Windows Server 2019 domain controller (DC), but the commands will work for any version.
  • A domain-joined Windows 10 machine logged in as an AD user part of the Enterprise Admins group.
  • Remote Server Administration Tools (RSAT) installed on the AD-joined computer.

Let’s kick off this tutorial by first getting a lay of the land and inspecting what AD sites your environment has to work with.

Assuming you’re on a domain-joined Windows PC with the ActiveDirectory PowerShell module installed, open PowerShell to get started.

Active Directory Sites

1. Run the Get-AdReplicationSite cmdlet with no parameters. PowerShell will return the Active Directory site the computer you’re running the command from is in. In the screenshot below, the computer running Get-ADReplicationSite is in the Washington site.

To find all of the PowerShell commands to work with AD sites, run Get-Command "*ADReplication*".

Get-ADReplicationSite with no parameters only gives the current site.

2. To find all Active Directory sites for the entire domain, run Get-AdReplicationSite using the Filter parameter and an asterisk (*).

The Filter parameter allows you to filter sites in many different ways. For more information on how to build queries for the Filter parameter, run the command Get-Help about_ActiveDirectory_Filter.

Show all sites with the "-Filter *" parameter.

To find AD site links, the process is nearly identical to finding sites; just invoke the Get-ADReplicationSiteLink command instead. But, unlike the Get-ADReplicationSite command, the Get-ADReplicationSiteLink command requires you to specify the Filter parameter.

You can see below the tutorial environment has a single link called Washington-MarylandLink linking the Maryland and Washington sites.

Get the Inter-Site link details.

Active Directory Subnets

Finally, you can find the subnets with the Get-ADReplicationSubnet command, the same as inspecting Active Directory sites and links.

Get Subnet details.
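The three discovery cmdlets above each return one object type. As an added example (not code from the tutorial), the script below joins their output into a per-site table and flags the gaps an auditor looks for: sites with no subnet, no site link, or no domain controller, and subnets assigned to no site. Get-AdSiteInventory is a hypothetical function name; the script assumes the ActiveDirectory module is loaded and the account can read the Configuration partition.

```powershell
# Added example, not from the tutorial: roll the output of the three
# discovery cmdlets into one table per site and flag common gaps.
# Get-AdSiteInventory is a hypothetical name.
Import-Module ActiveDirectory

function Get-AdSiteInventory {
    $sites   = Get-ADReplicationSite     -Filter *
    $subnets = Get-ADReplicationSubnet   -Filter *
    $links   = Get-ADReplicationSiteLink -Filter *
    $dcs     = Get-ADDomainController    -Filter *

    foreach ($site in $sites) {
        # Subnet.Site and SiteLink.SitesIncluded hold the site's distinguished
        # name, while DomainController.Site holds the plain site name.
        $siteSubnets = @($subnets | Where-Object { $_.Site -eq $site.DistinguishedName })
        $siteLinks   = @($links   | Where-Object { $_.SitesIncluded -contains $site.DistinguishedName })
        $siteDcs     = @($dcs     | Where-Object { $_.Site -eq $site.Name })

        # Each condition is a common misconfiguration: a site with no subnet
        # never receives clients, a site with no link cannot replicate, and a
        # site with no DC sends its clients elsewhere for logon.
        $warnings = @()
        if ($siteSubnets.Count -eq 0) { $warnings += 'no subnets' }
        if ($siteLinks.Count   -eq 0) { $warnings += 'no site link' }
        if ($siteDcs.Count     -eq 0) { $warnings += 'no domain controller' }

        [pscustomobject]@{
            Site      = $site.Name
            Subnets   = ($siteSubnets.Name -join ', ')
            SiteLinks = ($siteLinks.Name   -join ', ')
            DCs       = ($siteDcs.HostName -join ', ')
            Warnings  = ($warnings         -join '; ')
        }
    }

    # A subnet with no site is a separate gap: clients on it are not placed
    # in any site and the DC locator cannot prefer a local DC for them.
    foreach ($orphan in ($subnets | Where-Object { -not $_.Site })) {
        [pscustomobject]@{
            Site      = '(none)'
            Subnets   = $orphan.Name
            SiteLinks = ''
            DCs       = ''
            Warnings  = 'subnet not assigned to any site'
        }
    }
}

Get-AdSiteInventory | Format-Table -AutoSize
```

Run it once before and once after a change; a non-empty Warnings column is the quickest way to see that a site was created without its subnet or link.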

Creating Active Directory Sites

Now that you know how to view existing AD sites, let’s jump into a demo on creating new sites with PowerShell. An AD site consists of three components, all of which you can create with PowerShell:

  • The site
  • One or more subnets in the site
  • A replication link

To set up a new AD site assuming you still have PowerShell open:

1. Create the new AD site using the New-ADReplicationSite command and providing the Name. The command below creates a site named Hawaii.

New-ADReplicationSite -Name "Hawaii"

2. Confirm you’ve created the site by running Get-ADReplicationSite using the Filter parameter to find all sites.

To limit output, the example below is piping output from Get-AdReplicationSite to the Select-Object cmdlet to only display the Name property.

Get-ADReplicationSite -Filter * | Select-Object Name

You can see below that the tutorial environment has three sites available: Washington, Maryland, and Hawaii.

Add a new Site in PowerShell.

3. Next, create a subnet and assign it to the site with the New-ADReplicationSubnet command providing the Name/network in CIDR notation followed by the Site name. The below command is creating a subnet for the 10.3.22.0/24 network attached to the Hawaii site.

New-ADReplicationSubnet -Name "10.3.22.0/24" -Site Hawaii

After you’ve created the subnet, run Get-ADReplicationSubnet to confirm you’ve created it as expected. Notice that the site shows as Hawaii.

Add a new Subnet to AD Sites.

4. Finally, create a new site link with the New-ADReplicationSiteLink command specifying the name of the link and the sites to link together. The below example is creating a site link called Washington-Hawaii linking the Washington and Hawaii sites together.

The site link name is completely customizable, but it’s common to include the sites included in the site link in the name.

New-ADReplicationSiteLink -Name "Washington-Hawaii" -SitesIncluded Washington,Hawaii

Once created, run the Get-ADReplicationSiteLink command (with the Filter parameter) to confirm you’ve created the link as expected.

Adding the replication link between sites.

To add sites to an existing Active Directory site link, invoke the Set-ADReplicationSiteLink command with a PowerShell hashtable containing an Add key, like Set-ADReplicationSiteLink -Identity "Washington-MarylandLink" -SitesIncluded @{Add="Hawaii"}.
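Steps 1 to 4 above are usually run together when a branch site is stood up. As an added example (not code from the tutorial), the function below wraps them into one re-runnable script: it refuses to continue if the hub site is misspelled, skips objects that already exist, warns if a subnet is already mapped to a different site instead of silently re-pointing it, and returns the created objects so the caller can verify them. New-AdSiteBundle is a hypothetical name; the site, subnet and link names in the usage line simply mirror the tutorial's, and the cost and replication interval are assumed defaults.

```powershell
# Added example, not from the tutorial: create a site, its subnets and a
# site link to a hub site in one pass. New-AdSiteBundle is a hypothetical name.
Import-Module ActiveDirectory

function New-AdSiteBundle {
    param(
        [Parameter(Mandatory)] [string]   $SiteName,
        [Parameter(Mandatory)] [string[]] $Subnets,   # CIDR, e.g. 10.3.22.0/24
        [Parameter(Mandatory)] [string]   $PeerSite,  # existing hub site to link to
        [int] $Cost = 100,                            # assumed defaults
        [int] $ReplicationFrequencyInMinutes = 15
    )

    # A typo in the hub site name would otherwise create a link to nowhere.
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$PeerSite'")) {
        throw "Peer site '$PeerSite' does not exist."
    }

    if (Get-ADReplicationSite -Filter "Name -eq '$SiteName'") {
        Write-Verbose "Site $SiteName already exists, skipping"
    } else {
        New-ADReplicationSite -Name $SiteName
    }
    $site = Get-ADReplicationSite -Identity $SiteName

    foreach ($cidr in $Subnets) {
        $existing = Get-ADReplicationSubnet -Filter "Name -eq '$cidr'"
        if ($existing) {
            # The Site property holds the site's distinguished name. A subnet
            # already owned by another site is a conflict to report, not fix.
            if ($existing.Site -ne $site.DistinguishedName) {
                Write-Warning "Subnet $cidr exists but belongs to '$($existing.Site)'"
            }
        } else {
            New-ADReplicationSubnet -Name $cidr -Site $SiteName
        }
    }

    $linkName = "$PeerSite-$SiteName"
    if (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'") {
        # Ensure both sites are on the link without disturbing other members.
        Set-ADReplicationSiteLink -Identity $linkName -SitesIncluded @{Add = $PeerSite, $SiteName}
    } else {
        New-ADReplicationSiteLink -Name $linkName -SitesIncluded $PeerSite, $SiteName `
            -Cost $Cost -ReplicationFrequencyInMinutes $ReplicationFrequencyInMinutes
    }

    # Return what now exists so the caller can verify the result.
    [pscustomobject]@{
        Site    = $site
        Subnets = Get-ADReplicationSubnet -Filter * | Where-Object { $_.Site -eq $site.DistinguishedName }
        Link    = Get-ADReplicationSiteLink -Identity $linkName
    }
}

New-AdSiteBundle -SiteName 'Hawaii' -Subnets '10.3.22.0/24' -PeerSite 'Washington' -Verbose
```

Because every step checks before it creates, running the script twice is harmless, which is what you want from anything that ends up in an automation pipeline.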

Even though this tutorial is about PowerShell, it’s still important to understand how to inspect and manage AD sites via the GUI. You probably won’t be using PowerShell all of the time to manage AD sites.

Click on Start and type Active Directory Sites. The Active Directory Sites and Services shortcut should appear in the Windows Administrative Tools program group.

Opening Active Directory Sites and Services.

When you open Active Directory Sites and Services, you will see a screen like the one shown below. The AD Sites and Services tool has a few interesting areas:

  1. The DC the tool is currently connected to. Knowing the DC is helpful because it may take multiple hours to replicate between sites when you make a change.
  2. Inter-Site Transports – The protocols that the sites will use for replication.
  3. Subnets – The subnets that are assigned to each site.
  4. The list of sites – In a default domain, you will only see Default-First-Site-Name here, but the tutorial environment has a Maryland and Washington site created.
Active Directory Sites and Services

If you expand the items in AD Sites and Services, you’ll see:

  1. An IP transport – The tutorial transport or site link is called Washington-MarylandLink.
  2. Subnets – The tutorial has two subnets of 10.1.22.0/24 for the Washington site and 10.2.22.0/24 for the Maryland site.
  3. The domain controller assigned to the Maryland site.
  4. The domain controller assigned to the Washington site.
Fully expanded Sites and Services tool for the examples in the article.

Removing Active Directory Sites

So you’ve got some sites created, but it’s time to decommission them. No problem. Removing an Active Directory site is simply a reversal of this process.

Before you remove a site, be sure that no client machines are using the site’s subnets any longer. Check out the netlogon.log file for information on how to discover clients in sites.
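The entries in netlogon.log that matter here are the NO_CLIENT_SITE lines, which a DC writes when a client's IP matches none of the defined subnets. As an added example (not code from the tutorial), the script below parses those lines, rolls each client up to its /24 network, and checks every address against the list of subnets you pass in, so you can tell a network that still needs a subnet from a stale entry whose subnet has since been created. The three log lines are constructed for the demo and follow the general shape of the real file; in practice read C:\Windows\debug\netlogon.log from each DC and pass the Name values from Get-ADReplicationSubnet -Filter * as -KnownSubnets. The function names are hypothetical.

```powershell
# Added example, not from the tutorial: find networks with clients but no AD
# subnet by parsing NO_CLIENT_SITE entries. Sample lines are constructed.
$sampleLog = @'
05/18 09:12:01 [MISC] [2364] CONTOSO: NO_CLIENT_SITE: WKS-HNL-01 10.4.22.15
05/18 09:12:09 [MISC] [2364] CONTOSO: NO_CLIENT_SITE: WKS-HNL-02 10.4.22.16
05/18 09:13:44 [MISC] [2364] CONTOSO: NO_CLIENT_SITE: LAPTOP-07 10.3.22.50
'@ -split "`r?`n"

function ConvertTo-IPv4UInt32 ([string]$IP) {
    $b = [System.Net.IPAddress]::Parse($IP).GetAddressBytes()
    return [uint32](([uint64]$b[0] -shl 24) + ([uint64]$b[1] -shl 16) + ([uint64]$b[2] -shl 8) + $b[3])
}

function Test-IPInCidr ([string]$IP, [string]$Cidr) {
    $network, $bits = $Cidr -split '/'
    # Mask with the top $bits bits set; 2^32 - 2^(32-bits) is exact in a double.
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return ((ConvertTo-IPv4UInt32 $IP) -band $mask) -eq ((ConvertTo-IPv4UInt32 $network) -band $mask)
}

function Get-NetlogonSiteGaps {
    param([string[]]$LogLines, [string[]]$KnownSubnets)
    $pattern = 'NO_CLIENT_SITE:\s+(?<client>\S+)\s+(?<ip>\d{1,3}(?:\.\d{1,3}){3})'
    $clients = foreach ($line in $LogLines) {
        if ($line -match $pattern) {
            [pscustomobject]@{ Client = $Matches.client; IP = $Matches.ip }
        }
    }
    # A client can appear many times; keep only the last address seen for each.
    $clients = $clients | Group-Object Client | ForEach-Object { $_.Group | Select-Object -Last 1 }

    foreach ($c in $clients) {
        $covered = @($KnownSubnets | Where-Object { Test-IPInCidr $c.IP $_ })
        # Roll the address up to its /24 so missing networks are easy to spot.
        $net24 = ($c.IP -replace '\.\d+$', '.0') + '/24'
        # A match means the subnet was added after the entry was logged; no
        # match means the network still needs a New-ADReplicationSubnet entry.
        $status = if ($covered.Count -gt 0) { 'covered (stale entry)' } else { 'subnet missing' }
        [pscustomobject]@{
            Client        = $c.Client
            IP            = $c.IP
            Network24     = $net24
            MatchesSubnet = ($covered -join ', ')
            Status        = $status
        }
    }
}

Get-NetlogonSiteGaps -LogLines $sampleLog -KnownSubnets '10.1.22.0/24', '10.2.22.0/24', '10.3.22.0/24' |
    Format-Table -AutoSize
```

With the constructed input, the two WKS-HNL hosts show 10.4.22.0/24 as a missing subnet while LAPTOP-07 is reported as covered by 10.3.22.0/24. Run the same check after a subnet removal and any client that reappears under "subnet missing" is one the removal left behind.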

To remove an AD site with PowerShell:

1. First, remove the site from the site link with the Set-ADReplicationSiteLink command using the Remove key in the hashtable passed to the SitesIncluded parameter and verify the removal. The below example removes the Maryland site from the Washington-MarylandLink site link.

Set-ADReplicationSiteLink -Identity "Washington-MarylandLink" -SitesIncluded @{Remove="Maryland"}
Get-ADReplicationSiteLink -Filter *

Notice that now both site links connect the same two sites (the SitesIncluded property).

Using Set-ADReplicationSiteLink to remove a site from a link.

2. Remove the Washington-Maryland link entirely with the Remove-ADReplicationSiteLink command and verify the link is removed.

Remove-ADReplicationSiteLink -Identity "Washington-MarylandLink"
# answer Y at the confirmation prompt
Get-ADReplicationSiteLink -Filter *

Removing the Active Directory site link

3. Now, remove the subnets that were assigned to the site with the Remove-ADReplicationSubnet command and verify the removal.

Remove-ADReplicationSubnet -Identity "10.2.22.0/24"
Get-ADReplicationSubnet -Filter *

Removing the Active Directory Subnet associated with the Maryland site.

4. Finally, remove the site itself with the Remove-ADReplicationSite command and verify removal.

Remove-ADReplicationSite -Identity "Maryland"
Get-ADReplicationSite -Filter *

Removing the Active Directory site
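The four removal steps above depend on being run in order and on the site being genuinely empty. As an added example (not code from the tutorial), the function below performs them in that order with the checks a change reviewer expects: it stops if the site still hosts a domain controller, detaches the site from every link it belongs to (deleting a link that would be left with fewer than two sites instead of leaving a stub), then removes the subnets and finally the site. Because it declares SupportsShouldProcess, running it with -WhatIf prints what each cmdlet would delete without changing anything. Remove-AdSiteBundle is a hypothetical name; the site name in the usage line mirrors the tutorial.

```powershell
# Added example, not from the tutorial: decommission a site in the order
# links -> subnets -> site, with safety checks. Remove-AdSiteBundle is a
# hypothetical name; run with -WhatIf first.
Import-Module ActiveDirectory

function Remove-AdSiteBundle {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SiteName)

    $site = Get-ADReplicationSite -Filter "Name -eq '$SiteName'"
    if (-not $site) { throw "Site '$SiteName' does not exist." }

    # Check: a site that still hosts a domain controller must not be removed.
    # Move the DC to another site (or demote it) before retrying.
    $dcs = @(Get-ADDomainController -Filter * | Where-Object { $_.Site -eq $SiteName })
    if ($dcs.Count -gt 0) {
        throw "Site '$SiteName' still contains DCs: $($dcs.HostName -join ', ')."
    }

    # Step 1: detach the site from every link. SitesIncluded holds distinguished
    # names, so compare against the site's DN. A link with fewer than two
    # sites left cannot replicate anything, so delete it outright.
    $links = Get-ADReplicationSiteLink -Filter * |
        Where-Object { $_.SitesIncluded -contains $site.DistinguishedName }
    foreach ($link in $links) {
        $remaining = @($link.SitesIncluded | Where-Object { $_ -ne $site.DistinguishedName })
        if ($remaining.Count -lt 2) {
            Remove-ADReplicationSiteLink -Identity $link -Confirm:$false
        } else {
            Set-ADReplicationSiteLink -Identity $link -SitesIncluded @{Remove = $SiteName}
        }
    }

    # Step 2: remove the subnets assigned to the site. Clients on these
    # networks will no longer map to a site, which is why netlogon.log
    # should be reviewed before this step.
    Get-ADReplicationSubnet -Filter * |
        Where-Object { $_.Site -eq $site.DistinguishedName } |
        Remove-ADReplicationSubnet -Confirm:$false

    # Step 3: the site itself, now that nothing references it.
    Remove-ADReplicationSite -Identity $site -Confirm:$false
}

# Dry run first, then for real.
Remove-AdSiteBundle -SiteName 'Maryland' -WhatIf
# Remove-AdSiteBundle -SiteName 'Maryland'
```

The -Confirm:$false switches suppress the per-object prompts the tutorial shows, because the dry run is where the review happens; -WhatIf still propagates to every cmdlet inside the function.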

Conclusion

In this tutorial, you’ve learned the basics of managing Active Directory sites with PowerShell. But there’s still a lot you can do with AD sites and PowerShell.

Now that you have created your first Active Directory Sites, why not extend this in your home lab? Create some sites on different subnets and see how the replication time impacts Active Directory changes such as password resets and group policy updates.
