Subdomain in an isolated network?

Posted on 2013-06-19
Last Modified: 2013-07-02
Greetings Experts,

I have a design question regarding Active Directory and I have not had much luck with Google searches.

My organization currently has all domain controllers on our company wide network.  Environment is 2008 R2.

We have a single, isolated network (facilities network) that contains all of our facilities type door access servers and equipment.  This facilities network does have a DMZ that talks to the general network - typical ASA firewall in-between.

A new door access application we want to implement is AD integrated.  We can integrate with AD and employees who maintain the application can log in with AD credentials.  Problem is setting up a subdomain on the isolated network and finding a way for it to replicate with domain controllers on the general network.

Has anyone had any experience with a configuration like this?  Perhaps a dual-NIC domain controller with encrypted communication through the DMZ?

If anyone can assist and or point me to a good document resource let me know.

Question by:yccdadmins
Accepted Solution

Mike Kline earned 500 total points
ID: 39260922
Have you thought about an RODC in the DMZ, in your same domain (not a child or sub-domain scenario)

Good white paper with lots of info below:



Expert Comment

by:Ned Ramsay
ID: 39261078
You shouldn't run two NICs on a DC as best practice, although I know plenty that do.
Wouldn't it make more sense to have the security system multi-homed with tight restrictions on the firewall so only the DC can talk to it through the firewall?

Just thinking of an "ease of use" setup.

Expert Comment

ID: 39261606
A Read-Only Domain Controller (RODC) is a new type of domain controller in Windows Server 2008. Its main purpose is to improve security in office branches.

In office branches, it is often not easy to provide sufficient physical security for servers. It is not a big deal to manipulate a Windows system if you can get physical access to it. Since Domain controllers store security sensitive data, they are particularly endangered. RODCs can help with this problem in four ways:

RODC essentials

Read-only feature: An intruder on the RODC can’t manipulate the Active Directory database.
DNS protection: If the RODC server hosts a DNS server, the intruder won’t be able to tamper with the DNS data.
Password protection: A malicious user won’t be able to access passwords using a brute-force-attack. This applies only if password caching is disabled on the RODC.
Administrator Role Separation: You can delegate a local Administrator role to a domain user.
Read-only Domain Controller

An RODC holds all Active Directory objects and attributes.
RODCs only support unidirectional replication of Active Directory changes (i.e., from the forest to the RODC).
If an application needs write access to Active Directory objects, the RODC will send an LDAP referral response that redirects the application to a writable domain controller.
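The "password protection" point above only holds for accounts the RODC is not allowed to cache, so in practice you verify it by auditing the RODC's Password Replication Policy and the credentials it has actually pulled. The script below is an added example, not something posted in the thread; it uses the ActiveDirectory PowerShell module (RSAT / Windows Server 2008 R2 or later) and needs rights to read the RODC's computer object. "RODC01" and the group names are placeholders for your environment.

```powershell
# Added example, not part of the thread: audit the Password Replication Policy
# (PRP) of an RODC and list which credentials it has actually cached.
# Assumes the ActiveDirectory module (RSAT / Windows Server 2008 R2 or later)
# and rights to read the RODC's computer object. "RODC01" is a placeholder.
Import-Module ActiveDirectory

$rodc = "RODC01"

# Who MAY have credentials cached on this RODC ("Allowed RODC Password Replication Group" by default)
$allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed)
# Who must NEVER be cached ("Denied RODC Password Replication Group", Domain Admins, etc. by default)
$denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied)
# Accounts whose secrets have actually been replicated to the RODC
$revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)
# Accounts that have authenticated through the RODC (candidates for caching if allowed)
$authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts)

"Allowed entries      : $($allowed.Count)"
"Denied entries       : $($denied.Count)"
"Cached credentials   : $($revealed.Count)"
"Authenticated through: $($authenticated.Count)"

# Every RODC legitimately caches its own computer account and its dedicated
# krbtgt_<id> account; anything else in this list is a secret that lives on the
# RODC's disk and should be reviewed against the allowed list.
$unexpected = $revealed | Where-Object {
    $_.ObjectClass -ne "computer" -and $_.SamAccountName -notlike "krbtgt_*"
}
"Cached non-infrastructure accounts:"
$unexpected | Select-Object SamAccountName, ObjectClass, DistinguishedName | Format-Table -AutoSize

# A cached member of a protected group is a policy failure: the denied list
# should have prevented it. Check membership of the common high-privilege groups.
$protected = "Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins", "Account Operators"
foreach ($acct in $unexpected) {
    $groups = Get-ADPrincipalGroupMembership -Identity $acct.DistinguishedName |
              Select-Object -ExpandProperty Name
    $hit = $groups | Where-Object { $protected -contains $_ }
    if ($hit) {
        "WARNING: $($acct.SamAccountName) is cached on $rodc and belongs to: $($hit -join ', ')"
    }
}
```

Run it from a management host on the general network (not on the RODC itself), and re-run it after the door-access application's service accounts have been added to the allowed list, so you know exactly which secrets would be exposed if the server in the facilities network were physically compromised.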

Author Comment

ID: 39266027
Completely forgot about the Read Only DC - thanks guys!  I'm investigating now.  What I need to find out is:

1.  This network segment needs its own domain controller.  I'm looking for what ports I will have to allow through the firewall so the RODC can talk to the DC.

2. Can all communication between this RODC and the DC it communicates with on the outside of the firewall be encrypted?  I'm sure it can but haven't looked for how yet.

3.  In accordance with standards - this private segment of the network should really be a subdomain - to kind of match DNS zones.  The domain is something like and we would be creating  Would I have to create the subdomain on the outside of the private network and then have the read only on the inside?

I'm hoping that someone has done this and has some good info on any gotchas etc.....
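The thread never lists the ports for item 1, so here is an added example (mine, not any poster's) that checks them from the RODC side. The port list is the TCP set from Microsoft's "Active Directory and Active Directory Domain Services Port Requirements" document; replication traffic itself (RPC over TCP) is authenticated and encrypted with Kerberos at the RPC layer, which covers item 2, so the script only tests reachability. It uses System.Net.Sockets rather than Test-NetConnection so that it works on the PowerShell 2.0 that ships with 2008 R2. "DC01.corp.example" is a placeholder for the writable DC on the general network.

```powershell
# Added example, not part of the thread: verify that the ASA between the RODC
# and its writable replication partner allows the TCP ports AD replication and
# authentication need. Run it on the RODC (or the host that will become one).
# "DC01.corp.example" is a placeholder; adjust before use.
$hubDc = "DC01.corp.example"

# TCP ports from Microsoft's AD DS port requirements document. The RPC dynamic
# range is 49152-65535 on Server 2008 and later unless NTDS is pinned to one port
# (HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, DWORD "TCP/IP Port");
# pinning is the usual choice when a firewall sits between the DCs.
$requiredTcp = @(
    @{Port = 53;   Use = "DNS"},
    @{Port = 88;   Use = "Kerberos"},
    @{Port = 135;  Use = "RPC endpoint mapper (replication)"},
    @{Port = 389;  Use = "LDAP"},
    @{Port = 445;  Use = "SMB (SYSVOL / DFSR)"},
    @{Port = 464;  Use = "Kerberos password change"},
    @{Port = 636;  Use = "LDAP over SSL"},
    @{Port = 3268; Use = "Global Catalog"},
    @{Port = 3269; Use = "Global Catalog over SSL"}
)
# Set this to the fixed NTDS RPC port if you have pinned one, otherwise leave $null
$ntdsFixedPort = $null

function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        # A firewall that silently drops the SYN shows up as a timeout, not an error
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = @(foreach ($entry in $requiredTcp) {
    New-Object PSObject -Property @{
        Port = $entry.Port
        Use  = $entry.Use
        Open = Test-TcpPort -Computer $hubDc -Port $entry.Port
    }
})
if ($ntdsFixedPort) {
    $results += New-Object PSObject -Property @{
        Port = $ntdsFixedPort
        Use  = "NTDS fixed RPC port"
        Open = Test-TcpPort -Computer $hubDc -Port $ntdsFixedPort
    }
}
$results | Sort-Object Port | Format-Table Port, Open, Use -AutoSize

$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) { "Blocked: $(($blocked | ForEach-Object { $_.Port }) -join ', ')" }
else          { "All listed TCP ports reachable on $hubDc" }

# UDP (DNS 53, Kerberos 88, LDAP ping 389, NTP 123) cannot be verified with a
# TCP connect; confirm those rules on the ASA itself.
```

Because an RODC only pulls changes, the rules on the ASA can be written in one direction (RODC to hub DC) for replication; the Test-TcpPort function gives you a quick regression check whenever the firewall rules change.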
