All of the user subnets created in the Active Directory must be associated with the Active Directory sites properly. Incorrect assignment of user subnets to Active Directory sites may result in slow logons, which, in turn, might increase calls to the helpdesk. Correct assignment of user subnets to Active Directory sites is required to ensure users and Active Directory applications can find a nearest domain controller for authentication. You may wish to retrieve a list of user subnets associated per Active Directory site when you are troubleshooting a particular user location in which users are contacting a remote domain controller for authentication. From time to time, you may want to retrieve a list of user subnets associated per Active Directory site to ensure user subnets are not associated with a remote Active Directory site. In this article, we will provide a PowerShell script that can help you collect Active Directory sites and user subnets associated with it.
Before you can run the script, please make sure to meet the requirements mentioned below:
- Ensure you are running the script from a Windows Server 2012 R2 member server or domain controller.
- Note that the PowerShell script below uses Get-ADReplicationSubnet PowerShell cmdlet, which is capable of collecting subnets and Active Directory site association information. Please make sure you have Active Directory PowerShell modules installed on the machine from which you will be running the script.
- Make sure to create a folder named “C:\Temp” on the computer from where you will run the script.
Once you have met above requirements, copy the script below in a PS1 file and execute it from an elevated PowerShell window.
What does the script do?
The PowerShell script performs functions as listed below:
- Executes Get-ADReplicationSubnet PowerShell cmdlet and collects all Active Directory site and user subnets associated with each Active Directory site.
- Provides a report of user subnets with each Active Directory site and helps you identify incorrect associations.
- Generates a report named ADSubnetsPerSite.CSV, which is stored under “C:\Temp” folder.
Remove-item $TestCSVFile -ErrorAction SilentlyContinue
$ThisString="AD Subnet, Location, Associated with AD Site"
Add-Content "$TestCSVFile" $ThisString
ForEach ($all in $Items)
$FinalText = "AD Subnets list was retrieved. Please load result to see values."
IF ($Error.count -eq 0)
IF ($ErrorOrNot -eq "Yes")
$TestText = "Please check to make sure a Domain Controller is reachable to execute AD Test."
$SumVal = ""
$TestStatus="Error executing AD Test."
$TestText = $FinalText
ForEach ($ThisItem in $Items)
Add-Content "$TestCSVFile" $FinalVal
$STR = $ADTestName +","+$TestStartTime+","+$TestStatus+","+$SumVal +","+$TestText
Tip: Note that the script connects to the Active Directory forest to which the current machine is joined. When running the PowerShell script, make sure to execute it from an elevated PowerShell command prompt and that the currently logged on user has sufficient permissions to connect to the Active Directory forest.
Once you have finished executing the script, a report will be generated which contains the Active Directory subnet, Active Director site location, and the Active Directory site to which the subnet is associated as shown in the screenshot below:
As you can see in the report above, the script collected each subnet address, Active Directory site location and the Active Directory site to which the subnet is associated. Since an Active Directory site can have multiple subnets associated with it, the script collected each subnet associated with each Active Directory site. As you can see, “Site-Seattle” Active Directory site has a total of three subnets associated with it and “Site-Dublin” Active Directory site is assigned with two user subnets. This information is quite useful for you to know which user subnet is associated with which Active Directory site. If you find an incorrect association, you can modify the configuration by using Active Directory Sites and Services snap-in.
This script is part of PowerShell-based Dynamic Packs that ship with the Active Directory Health Profiler, which you can use to perform a complete health check of an Active Directory forest. There are 99 health checks included in the AD Health Profiler.
By using the PowerShell script explained in this article, you can collect a list of user subnets associated with each Active Directory site. The report file generated by the script can help you identify any incorrect associations. You may want to include the script in your Active Directory health procedure and have it run every month to ensure user subnets are assigned to the Active Directory sites correctly.
Photo credit: Shutterstock