Active Directory sites must be associated with user subnets. Your first task after installing a new Active Directory site is to define the user subnets and then associate them with the Active Directory site. If you fail to associate user subnets with Active Directory sites, Active Directory clients such as Windows client computers and Active Directory applications may choose a remote domain controller for authentication, which in turn causes unnecessary Active Directory authentication traffic across WAN links. You always want Active Directory clients to select a local domain controller for authentication.
In a large Active Directory environment, you might have several teams responsible for managing the Active Directory environment. For example, you might have an IT team that is responsible for managing users, computers, subnets, and logical Active Directory sites for a particular location in Dallas. Similarly, you might have a team that is responsible for managing Active Directory objects for a user location in Denver. While IT teams might follow a procedure that explains the necessary steps to create a site, define user subnets, and associate those subnets with AD sites, it is still necessary to run a check every month to ensure user subnets are associated with AD sites correctly. This is where this article comes in handy. It provides a simple PowerShell script that you can use to collect a list of empty Active Directory sites, that is, sites that are not associated with any user subnets.
Requirements for collecting empty Active Directory sites
Before you can run the script, make sure to run it from a Windows Server 2012 R2 member server or domain controller that has the Active Directory PowerShell modules installed. Create a folder named "C:\Temp" on the computer from which you will run the script, and change the "$CurForestName" variable to the Active Directory forest against which you want to execute the script. Once you have met the above requirements, copy the script below into a PS1 file and execute it from an elevated PowerShell window.
# Forest to check and output file (C:\Temp must exist). The CSV file name and the "Passed"/"Failed"
# status labels below are assumptions; the original article does not state them.
$CurForestName = "contoso.local"
$TestCSVFile = "C:\Temp\EmptyADSites.csv"
$ADTestName = "Empty AD Sites Check"; $TestStartTime = Get-Date; $ErrorOrNot = "No"; $TotNo = 0
Remove-Item $TestCSVFile -ErrorAction SilentlyContinue
$ThisString = "No Subnets in Active Directory Site, Site Location, Final Status"
Add-Content "$TestCSVFile" $ThisString
$Error.Clear()
# Bind to the forest and enumerate its sites; a failure here is recorded in $Error
$a = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("Forest", $CurForestName)
$ADSites = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($a).Sites
IF ($Error.Count -eq 0) {
    ForEach ($Site in $ADSites) {
        $SiteName = $Site.Name
        $SiteLocation = $Site.Location
        [array] $SiteSubnets = $Site.Subnets
        # An empty (or $null) Subnets collection means no user subnet is associated with this site
        IF ($SiteSubnets.Count -eq 0) {
            $TotNo++
            $ThisStr = $SiteName + "," + '"' + $SiteLocation + '"' + ", This AD Site does not have a subnet associated with it."
            Add-Content "$TestCSVFile" $ThisStr
        }
    }
} ELSE { $ErrorOrNot = "Yes" }
IF ($ErrorOrNot -eq "Yes") {
    $TestText = "Please check to make sure a Domain Controller is reachable to execute AD Test."
    $SumVal = ""
    $TestStatus = "Error executing AD Test."
} ELSEIF ($TotNo -eq 0) {
    $TestText = "All AD Sites have at least one Subnet Associated."
    $SumVal = $TotNo; $TestStatus = "Passed"
} ELSE {
    $SumVal = $TotNo; $TestStatus = "Failed"
    $TestText = "Some AD Sites do not have Subnets associated. It is highly recommended to associate required user/application subnets with AD Sites. If subnets are not associated with AD Sites, users in the AD Sites might choose a remote domain controller for authentication, which in turn might result in excessive use of a remote domain controller."
}
# Summary line: test name, start time, status, number of empty sites, and explanatory text
$STR = $ADTestName + "," + $TestStartTime + "," + $TestStatus + "," + $SumVal + "," + $TestText
Add-Content "$TestCSVFile" $STR
Once the script has finished executing, a report is generated that contains only the names of empty Active Directory sites, that is, sites that do not have a user subnet associated with them. This is also shown in the screenshot below.
The PowerShell script enumerates all Active Directory sites in the forest specified in the "$CurForestName" variable and then checks the value of the $SiteSubnets variable for each site. If $SiteSubnets is $NULL or does not contain any value, that particular site does not have any user subnets associated with it. As you can see in the output above, the script found five empty Active Directory sites (SiteA, SiteB, SiteC, SiteD, and SiteE) that do not have any user subnets associated with them. The script also reports the Site Location, so it is easier for you to contact the team that is responsible for managing that particular user location.
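The same check can be extended to the inverse problem: a subnet that exists in Active Directory but is not assigned to any site also leaves clients in that subnet without site awareness, so they may pick a remote domain controller. The following script is an added example, not part of the original article or its Dynamic Packs; it uses the Get-ADReplicationSite and Get-ADReplicationSubnet cmdlets from the ActiveDirectory module instead of the .NET DirectoryContext class, and it reports both empty sites and unassigned ("orphan") subnets in one CSV. The forest name "contoso.local" and the output path are assumed placeholders; the module must be installed and a domain controller must be reachable.

```powershell
# Added example (not from the article). Assumes the ActiveDirectory module is installed
# and a domain controller of the named forest is reachable.
Import-Module ActiveDirectory
$ForestName = "contoso.local"                 # assumed placeholder; change to your forest
$ReportFile = "C:\Temp\SiteSubnetReport.csv"  # assumed output path; C:\Temp must exist

# Sites and subnets live in the forest-wide Configuration partition, so any DC answers for all of them
$Sites   = Get-ADReplicationSite   -Filter * -Properties Location -Server $ForestName
$Subnets = Get-ADReplicationSubnet -Filter * -Properties Location -Server $ForestName

# Index subnet names by the distinguished name of the site they belong to.
# A subnet whose Site value is empty is not assigned to any site.
$SubnetsBySite = @{}
$OrphanSubnets = @()
$Subnets | ForEach-Object {
    $SiteDN = [string]$_.Site
    if ([string]::IsNullOrEmpty($SiteDN)) { $script:OrphanSubnets += $_; return }
    if (-not $SubnetsBySite.ContainsKey($SiteDN)) { $SubnetsBySite[$SiteDN] = @() }
    $SubnetsBySite[$SiteDN] += $_.Name
}

# One finding per site: SubnetCount of 0 is the condition the article's script reports
$Findings = @($Sites | ForEach-Object {
    $Count = 0
    if ($SubnetsBySite.ContainsKey($_.DistinguishedName)) { $Count = $SubnetsBySite[$_.DistinguishedName].Count }
    $Status = "OK"
    if ($Count -eq 0) { $Status = "No subnets associated; clients in this site may pick a remote DC" }
    [pscustomobject]@{ Check = "EmptySite"; Name = $_.Name; Location = $_.Location; SubnetCount = $Count; Status = $Status }
})

# One finding per orphan subnet: the inverse misconfiguration with the same authentication-traffic effect
$Findings += @($OrphanSubnets | ForEach-Object {
    [pscustomobject]@{ Check = "OrphanSubnet"; Name = $_.Name; Location = $_.Location; SubnetCount = 0;
                       Status = "Subnet not assigned to any site; clients in it are not site-aware" }
})

$Findings | Export-Csv -Path $ReportFile -NoTypeInformation
# Show only the problems on screen; the CSV keeps the full picture for the monthly review
$Findings | Where-Object { $_.Status -ne "OK" } | Format-Table Check, Name, Location, SubnetCount, Status -AutoSize
```

Run it from an elevated PowerShell window on a member server or domain controller with the module installed. Because it joins subnets to sites by distinguished name, it does not depend on the site object's Subnets back-link being populated, which makes it a useful second opinion when the .NET-based script and the replication cmdlets disagree.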
This script is part of the PowerShell-based Dynamic Packs that ship with the Active Directory Health Profiler, which you can use to perform a complete health check of an Active Directory forest. There are 99 health checks included in the AD Health Profiler.
By using the PowerShell script provided in this article, you can collect a list of empty Active Directory sites that are not associated with any user subnets. You can include this script in your Active Directory health procedure and have it run every month to ensure the Active Directory forest does not contain any AD sites without user subnets.