

Subdomain in an isolated network?

Posted on 2013-06-19
Medium Priority
Last Modified: 2013-07-02
Greetings Experts,

I have a design question regarding Active Directory and I have not had much luck with Google searches.

My organization currently has all domain controllers on our company wide network.  Environment is 2008 R2.

We have a single, isolated network (facilities network) that contains all of our facilities type door access servers and equipment.  This facilities network does have a DMZ that talks to the general network - typical ASA firewall in-between.

A new door access application we want to implement is AD integrated.  We can integrate with AD and employees who maintain the application can log in with AD credentials.  Problem is setting up a subdomain on the isolated network and finding a way for it to replicate with domain controllers on the general network.

Has anyone had any experience with a configuration like this?  Perhaps a dual-NIC domain controller with encrypted communication through the DMZ?

If anyone can assist and or point me to a good document resource let me know.

Question by:yccdadmins

Accepted Solution

Mike Kline earned 2000 total points
ID: 39260922
Have you thought about an RODC in the DMZ, in your same domain (not a child or sub-domain scenario)?

Good white paper with lots of info below:



Expert Comment

by:Ned Ramsay
ID: 39261078
You shouldn't run two NICs on a DC as best practice, although I know plenty that do.
Wouldn't it make more sense to have the security system multi-homed with tight restrictions on the firewall so only the DC can talk to it through the firewall?

Just thinking of an "ease of use" setup.

Expert Comment

ID: 39261606
A Read-Only Domain Controller (RODC) is a new type of domain controller in Windows Server 2008. Its main purpose is to improve security in branch offices.

In branch offices, it is often not easy to provide sufficient physical security for servers. It is not a big deal to manipulate a Windows system if you can get physical access to it. Since domain controllers store security-sensitive data, they are particularly endangered. RODCs can help with this problem in four ways:

RODC essentials

Read-only feature: An intruder on the RODC can't manipulate the Active Directory database.
DNS protection: If the RODC server hosts a DNS server, the intruder won't be able to tamper with the DNS data.
Password protection: A malicious user won't be able to access passwords using a brute-force attack. This applies only if password caching is disabled on the RODC.
Administrator Role Separation: You can delegate a local Administrator role to a domain user.

Read-only Domain Controller

An RODC holds all Active Directory objects and attributes.
RODCs only support unidirectional replication of Active Directory changes (i.e., from the forest to the RODC).
If an application needs write access to Active Directory objects, the RODC will send an LDAP referral response that redirects the application to a writable domain controller.
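
The four RODC properties listed in the comment above (read-only, password caching control, role separation, one-way replication) are all set at promotion time and then governed by the RODC's Password Replication Policy (PRP). The script below is an added example for this thread, not code from any of the posters or from Microsoft documentation. It promotes a server in the facilities segment as an RODC of the existing domain (same domain, as the accepted answer suggests, not a child domain), restricts caching to the door-access maintainers and the application's service account, and audits which secrets actually sit on the box. All names are assumptions: domain corp.example, RODC RODC-FAC01, AD site "Facilities", source DC DC01, group FacilitiesAppAdmins, service account svc-dooraccess, admin group DC-Admins. Install-ADDSDomainController belongs to the ADDSDeployment module of Windows Server 2012 or later; on the 2008 R2 environment in the question the same choices are made with dcpromo /unattend, while the PRP cmdlets exist in the 2008 R2 ActiveDirectory module.

```powershell
# Added example (not from the original thread). Assumed names throughout.
Import-Module ActiveDirectory

$Domain     = 'corp.example'          # assumed domain; the RODC joins THIS domain, no child domain
$Rodc       = 'RODC-FAC01'            # assumed host name of the RODC in the facilities segment
$SourceDc   = 'DC01.corp.example'     # assumed writable DC on the general network
$AppAdmins  = 'FacilitiesAppAdmins'   # assumed group: staff who maintain the door-access app
$SvcAccount = 'svc-dooraccess'        # assumed service account the door-access app binds with
$DcAdmins   = 'DC-Admins'             # assumed group that administers the writable DCs

# --- 1. Promotion (run ON the future RODC, elevated). Needs ADDSDeployment (Server 2012+);
#        on 2008 R2 use dcpromo /unattend with the equivalent answers. Putting the RODC in
#        its own AD site with an explicit source DC means you know exactly which partner
#        must be reachable through the firewall. -DelegatedAdministratorAccountName is the
#        "Administrator Role Separation" feature: local admin on the RODC, nothing in AD.
function Install-FacilitiesRodc {
    Import-Module ADDSDeployment
    Install-ADDSDomainController -DomainName $Domain -ReadOnlyReplica `
        -SiteName 'Facilities' -ReplicationSourceDC $SourceDc -InstallDns `
        -DelegatedAdministratorAccountName $AppAdmins `
        -Credential (Get-Credential "$Domain\Administrator") `
        -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')
}

# --- 2. Password Replication Policy (run from any management host afterwards).
#        Only principals on the Allowed list may have their password hashes cached on the
#        RODC. The built-in "Denied RODC Password Replication Group" already covers Domain
#        Admins, Enterprise Admins, krbtgt and the operator groups; we add our own deny.
function Set-FacilitiesRodcPrp {
    param([string]$RodcName, [string[]]$Allow, [string[]]$Deny)
    $dc = Get-ADDomainController -Identity $RodcName
    if (-not $dc.IsReadOnly) { throw "$RodcName is not a read-only DC; refusing to edit its PRP" }
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -AllowedList $Allow
    if ($Deny) { Add-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -DeniedList $Deny }
    # Return the effective lists so the change can be reviewed.
    Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed |
        Select-Object @{n='Policy';e={'Allowed'}}, Name
    Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Denied |
        Select-Object @{n='Policy';e={'Denied'}}, Name
}

# --- 3. Audit: whose secrets are physically on the RODC right now? A privileged account
#        here (adminCount = 1) means the policy is wrong; if the RODC is ever stolen or
#        compromised, every revealed account must have its password reset.
function Get-RodcCachedPrivilegedAccounts {
    param([string]$RodcName)
    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts |
        ForEach-Object { Get-ADObject -Identity $_.DistinguishedName -Properties adminCount } |
        Where-Object { $_.adminCount -eq 1 }
}

# Usage (assumed names):
# Install-FacilitiesRodc
# Set-FacilitiesRodcPrp -RodcName $Rodc -Allow @($AppAdmins, $SvcAccount) -Deny @($DcAdmins)
# Get-RodcCachedPrivilegedAccounts -RodcName $Rodc
```

Two practical consequences of the allow list: an account that is not on it can still log on through the RODC, because the RODC forwards the authentication to a writable DC across the firewall, so the list really decides which logons keep working if the link to the general network is down; and when an RODC object is deleted from Active Directory the wizard offers to reset the passwords of the accounts it had cached, which is the intended response to a lost box.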

Author Comment

ID: 39266027
Completely forgot about the Read Only DC - thanks guys!  I'm investigating now.  What I need to find out is:

1.  This network segment needs its own domain controller.  I'm looking for what ports I will have to allow through the firewall so the RODC can talk to the DC.

2. Can all communication between this RODC and the DC it communicates with on the outside of the firewall be encrypted?  I'm sure it can but haven't looked for how yet.

3.  In accordance with standards - this private segment of the network should really be a subdomain - to kind of match DNS zones.  The domain is something like and we would be creating  Would I have to create the subdomain on the outside of the private network and then have the read only on the inside?

I'm hoping that someone has done this and has some good info on any gotchas etc.....
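
On the port question in the comment above: the awkward part of putting a DC behind an ASA is not the well-known ports but the RPC endpoints that AD replication and Netlogon register on a random high port at each start. The script below is an added example for this thread, not code from any of the posters; it pins those endpoints to fixed ports (the registry values are the ones Microsoft documents in KB 224196 for NTDS and KB 319553 for Netlogon; the port numbers 38901 and 38902 are assumptions) and then emits the rule list the firewall needs in the RODC-to-writable-DC direction. DFSR SYSVOL replication on Windows Server 2008/2008 R2 domain controllers listens on TCP 5722 by default; confirm that on your own DCs, and if SYSVOL still uses FRS the port is different. IP addresses are assumptions too. On encryption: replication itself needs no extra work, because DRS replication runs over authenticated RPC with packet privacy and Kerberos traffic is encrypted by design; an IPsec tunnel through the ASA would add a second layer but is not required for confidentiality.

```powershell
# Added example (not from the original thread). Port numbers and addresses are assumed.

$NtdsPort     = 38901   # assumed fixed port for AD replication (DRS) RPC
$NetlogonPort = 38902   # assumed fixed port for Netlogon RPC
$DfsrPort     = 5722    # default DFSR port on Server 2008/2008 R2 DCs; verify locally

# Run elevated on EACH DC that replicates across the firewall (the writable source DC
# and the RODC). Registry values documented in Microsoft KB 224196 and KB 319553.
# The new endpoints are registered only after a restart.
function Set-FixedDcRpcPorts {
    param([int]$Ntds, [int]$Netlogon)
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
        -Name 'TCP/IP Port' -PropertyType DWord -Value $Ntds -Force | Out-Null
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
        -Name 'DCTcpipPort' -PropertyType DWord -Value $Netlogon -Force | Out-Null
}

# Rules to allow, source = RODC in the facilities segment, destination = writable DC.
# The RODC pulls replication, so only this direction is needed; with the reverse
# direction closed the hub's change notifications will not arrive and the RODC
# replicates on the site-link schedule instead.
function Get-RodcFirewallRules {
    param([string]$RodcIp, [string]$HubDcIp, [int]$Ntds, [int]$Netlogon, [int]$Dfsr)
    $rules = @(
        @{Proto='TCP'; Port=135;       Use='RPC endpoint mapper'},
        @{Proto='TCP'; Port=$Ntds;     Use='AD replication (DRS), pinned'},
        @{Proto='TCP'; Port=$Netlogon; Use='Netlogon secure channel / forwarded logons, pinned'},
        @{Proto='TCP'; Port=$Dfsr;     Use='DFSR SYSVOL replication'},
        @{Proto='TCP'; Port=88;        Use='Kerberos'},
        @{Proto='UDP'; Port=88;        Use='Kerberos'},
        @{Proto='TCP'; Port=464;       Use='Kerberos password change'},
        @{Proto='UDP'; Port=464;       Use='Kerberos password change'},
        @{Proto='TCP'; Port=389;       Use='LDAP'},
        @{Proto='UDP'; Port=389;       Use='LDAP (DC locator ping)'},
        @{Proto='TCP'; Port=636;       Use='LDAPS'},
        @{Proto='TCP'; Port=3268;      Use='Global catalog LDAP'},
        @{Proto='TCP'; Port=3269;      Use='Global catalog LDAPS'},
        @{Proto='TCP'; Port=445;       Use='SMB (SYSVOL / NETLOGON shares)'},
        @{Proto='TCP'; Port=53;        Use='DNS'},
        @{Proto='UDP'; Port=53;        Use='DNS'},
        @{Proto='UDP'; Port=123;       Use='W32Time (NTP) to the PDC emulator'}
    )
    foreach ($r in $rules) {
        New-Object PSObject -Property @{
            Source = $RodcIp; Destination = $HubDcIp
            Protocol = $r.Proto; Port = $r.Port; Purpose = $r.Use
        }
    }
}

# Usage (assumed addresses):
# Set-FixedDcRpcPorts -Ntds $NtdsPort -Netlogon $NetlogonPort   # then restart the DC
# Get-RodcFirewallRules -RodcIp '10.50.0.10' -HubDcIp '10.0.0.10' `
#     -Ntds $NtdsPort -Netlogon $NetlogonPort -Dfsr $DfsrPort | Format-Table -AutoSize
```

One caveat that ties back to the earlier comment about keeping the firewall tight: the door-access application only ever talks to the RODC inside the facilities segment, but if it tries to write to AD the RODC answers with an LDAP referral to a writable DC. Unless the application genuinely needs writes, leave that path closed at the firewall so a compromised facilities host cannot reach the writable DCs over LDAP at all.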
