19th April 2024

What is Active Directory Site Structure?

For Active Directory to transfer data between different locations efficiently, a system that can be modelled according to your physical network is needed.

The Sites feature in Active Directory allows you to organize your directory according to your network topology. Sites let users automatically reach the resources they need over the Local Area Network (LAN) instead of the Wide Area Network (WAN). They also ensure that replication between Domain Controllers follows the physical layout of your network in the most efficient way.

Let’s assume that our structure is huge, with many network environments and data flowing between them. To build a good replication environment under such adverse conditions, we use Sites. You must have Enterprise and Domain Admin rights to create a site. If you have buildings in different locations, it is recommended to create a Site for each. The reasons are:

  • Depending on the speed of the internet, there may be problems with logins.
  • The situation can become complicated for much larger structures.
  • When a user from the Izmir Site goes to Istanbul, they may still try to log in against Izmir (slow or failed logins).
  • If replication updates go over the slow line, information may reach the other side too late.
  • If there is an Exchange Server in the structure, it should work simultaneously between the Sites.

What is a Globally Unique Stamp?

It is the stamp information that travels with the object during replication. It is used to prevent collisions during replication. Since that explanation is abstract, let’s take a look at what this stamp contains.

Version Number: Starts from 1 and increases after each originating update. During a replicated update, the value with the smaller version number is overwritten by the one with the larger version number.
Timestamp: The date and time of the originating update.
Server GUID: Identifies the computer on which the originating update was performed.

What is Originating Update?

When a user’s password is changed, the change is written to the directory on the DC where it was made. This is called an Originating Update.

What is Replicated Update?

For example, suppose there are two DC servers named DC01 and DC02, and the change above is made on DC01 (Originating Update). When DC01 replicates with DC02, the password update is applied on DC02. This is called a Replicated Update.
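The stamp and the two update types described above, as an added example (not code from the original article or from Active Directory). The `Stamp` and `Replica` classes, the DC GUIDs and the password values are constructed; the tie-break order of version, then timestamp, then server GUID is standard Active Directory behaviour that goes beyond the version rule stated on this page.

```python
from dataclasses import dataclass
from datetime import datetime
from uuid import UUID

@dataclass(frozen=True)
class Stamp:
    version: int          # starts at 1, +1 on every originating update
    timestamp: datetime   # time of the originating update
    server_guid: UUID     # DC on which the originating update was made

    def key(self):
        # Winner is decided by version, then timestamp, then server GUID.
        return (self.version, self.timestamp, self.server_guid.int)

class Replica:
    """One DC's copy of a single attribute (hypothetical model)."""
    def __init__(self, name, guid):
        self.name, self.guid = name, UUID(guid)
        self.value, self.stamp = None, None

    def originating_update(self, value, when):
        version = 1 if self.stamp is None else self.stamp.version + 1
        self.value, self.stamp = value, Stamp(version, when, self.guid)

    def replicated_update(self, source):
        """Apply the source's value only if its stamp wins. Returns True if applied."""
        if source.stamp is None:
            return False
        if self.stamp is not None and self.stamp.key() >= source.stamp.key():
            return False
        self.value, self.stamp = source.value, source.stamp
        return True

def demo():
    # Constructed sample data: two DCs with made-up GUIDs.
    dc01 = Replica("DC01", "11111111-1111-1111-1111-111111111111")
    dc02 = Replica("DC02", "22222222-2222-2222-2222-222222222222")
    t = datetime(2024, 4, 19, 9, 0, 0)
    dc01.originating_update("pw-A", t)                     # version 1 on DC01
    dc02.replicated_update(dc01)                           # DC02 receives version 1
    # Collision: both DCs change the attribute before replicating again.
    dc01.originating_update("pw-B", t.replace(minute=5))   # version 2
    dc02.originating_update("pw-C", t.replace(minute=6))   # version 2, later time
    dc01.replicated_update(dc02)   # applied: same version, later timestamp wins
    dc02.replicated_update(dc01)   # ignored: stamps are now identical
    return dc01, dc02
```

Because the winning stamp is copied unchanged, every replica ends up recording which DC originated the surviving value and when, which is the metadata an investigator reads when tracing a password or group change.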

What is Up-to-Dateness Vector?

To perform replication between DCs, a vector built from the DCs’ GUIDs is used. With the help of this vector, the route of replication is determined. By keeping USN information for the DCs, the Up-to-Dateness Vector speeds up detection of the highest version number.
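A simplified model of how a destination DC uses its up-to-dateness vector to skip changes it already holds, added here as an example and not taken from the original article. The `DC` class is hypothetical, DC names stand in for DC GUIDs, and only originating USNs are tracked.

```python
class DC:
    """Hypothetical DC holding a change log and an up-to-dateness vector."""
    def __init__(self, name):
        self.name = name
        self.usn = 0     # this DC's own update sequence number
        self.log = []    # (originating_dc, originating_usn, change)
        self.utd = {}    # vector: originating DC -> highest USN already held

    def originate(self, change):
        # An originating update gets the next local USN.
        self.usn += 1
        self.log.append((self.name, self.usn, change))
        self.utd[self.name] = self.usn

    def pull_from(self, source):
        """Replicate from source; returns only the changes actually transferred."""
        needed = [c for c in source.log if c[1] > self.utd.get(c[0], 0)]
        for dc, usn, change in needed:
            self.log.append((dc, usn, change))
            self.utd[dc] = max(self.utd.get(dc, 0), usn)
        return needed

def demo_ring():
    # Constructed scenario: three DCs that all replicate with each other.
    dc01, dc02, dc03 = DC("DC01"), DC("DC02"), DC("DC03")
    dc01.originate("password change for user A")
    dc01.originate("group membership change")
    first = dc02.pull_from(dc01)    # both changes transferred
    second = dc03.pull_from(dc01)   # both changes transferred
    third = dc03.pull_from(dc02)    # nothing: vector shows DC01 up to USN 2 is held
    dc02.originate("new user B")
    fourth = dc03.pull_from(dc02)   # only DC02's own new change
    return len(first), len(second), len(third), len(fourth), dc03.utd
```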

What is Change Notification? What does it do?

Within the same Site, DCs replicate with each other using the RPC over IP protocol every 15 seconds. A DC where a change occurred notifies the other DCs in the environment. The notified DCs ask for these changes to be sent to them, and the replication process starts. The situation is shown in more detail below.

[Figure: What is Change Notification? What does it do?]


What are Site Link, Site Link Bridge and Cost?

Site Link: Represents the links between sites; these are the objects that enable replication.
Cost: The value that determines which path to use between sites. The path with the smaller cost value is used.
Site Link Bridge: Logically the same as a Site Link; its job is to connect Site Links to each other. This option is generally used when sites cannot reach each other directly through links.


What exactly is the site?

A site is a set of networks connected to each other at high speed through network devices. This means that a site is a combination of multiple subnets. Just as a subnet defines part of your network, a site defines a part of your network.

Replication Between Different Sites

Since internet speed and bandwidth may be low between sites, data is compressed during transfer. Because the compressed data has to be decompressed for the Domain Controller (DC) on the target side, the process can take longer, but compression yields a gain of approximately 10% to 15%. Replication between sites takes place through the Bridgehead Server in each Site.

What is Urgent Replication?

It is a replication type used in emergency situations. If a security-related object attribute changes, replication takes place without waiting for the replication period. Other sites are not informed instantly; the information reaches them at the end of the relevant replication period. Replication is triggered immediately in situations such as a change to:

  • Account Lockout Policy.
  • Domain Password Policy.
  • Local Security Authority.
  • A DC computer account.
  • The RID Master owner.

Example site structure

Imagine two networked offices in Ankara and Istanbul. The Domain Controllers in these two offices receive changes from the domain (replication). If the office in Bursa is connected to the Ankara office via a network, the domain controller in the Bursa office receives changes from the domain controller in the Ankara office. In this case, the Domain Controller in Bursa does not receive changes for its domain from the Istanbul Domain Controller. The changes made in the Bursa domain will first replicate to the domain controllers in Ankara and then replicate from the domain controller in Ankara to the domain controllers in Bursa. A structure like this can be set up easily by using sites in Active Directory.

[Figure: Active Directory Site]
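A simplified model of cost-based path selection over site links for the three offices above, added here as an example and not taken from the original article or from Active Directory's own topology generator. The cost values and the Istanbul to Bursa backup link are assumptions made for illustration.

```python
import heapq

def least_cost_route(site_links, src, dst):
    """site_links: list of (site_a, site_b, cost).
    Returns (total_cost, [sites on the path]) or None if dst is unreachable."""
    graph = {}
    for a, b, cost in site_links:
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    queue = [(0, src, [src])]
    best = {}
    while queue:
        cost, site, path = heapq.heappop(queue)
        if site == dst:
            return cost, path
        if best.get(site, float("inf")) <= cost:
            continue  # already reached this site at least as cheaply
        best[site] = cost
        for nxt, link_cost in graph.get(site, []):
            if nxt not in path:
                heapq.heappush(queue, (cost + link_cost, nxt, path + [nxt]))
    return None

# Constructed topology: the article's three offices with assumed costs.
LINKS = [
    ("Ankara", "Istanbul", 100),
    ("Ankara", "Bursa", 100),
    ("Istanbul", "Bursa", 500),  # hypothetical slow backup line, not in the article
]

def demo_routes():
    normal = least_cost_route(LINKS, "Istanbul", "Bursa")
    # Same lookup with the Ankara-Bursa link removed: traffic falls back to the backup.
    degraded = least_cost_route(
        [l for l in LINKS if set(l[:2]) != {"Ankara", "Bursa"}], "Istanbul", "Bursa")
    # No link to Bursa at all: the site is unreachable.
    isolated = least_cost_route(LINKS[:1], "Istanbul", "Bursa")
    return normal, degraded, isolated
```

Reviewing link costs this way shows which WAN line carries directory changes between two sites and what the fallback is if that line fails.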

