Subdomain in an isolated network?

Greetings Experts,

I have a design question regarding Active Directory and I have not had much luck with Google searches.

My organization currently has all domain controllers on our company wide network.  Environment is 2008 R2.

We have a single, isolated network (facilities network) that contains all of our facilities type door access servers and equipment.  This facilities network does have a DMZ that talks to the general network - typical ASA firewall in-between.

A new door access application we want to implement is AD integrated.  We can integrate with AD and employees who maintain the application can log in with AD credentials.  Problem is setting up a subdomain on the isolated network and finding a way for it to replicate with domain controllers on the general network.

Has anyone had any experience with a configuration like this?  Perhaps a dual-NIC domain controller with encrypted communication through the DMZ?

If anyone can assist and or point me to a good document resource let me know.


Mike Kline commented:
Have you thought about an RODC in the DMZ, in your same domain (not a child or sub-domain scenario)?

Good white paper with lots of info below:


Ned Ramsay (Network Operations Manager) commented:
You shouldn't run two NICs on a DC as best practice, although I know plenty that do.
Wouldn't it make more sense to have the security system multi-homed with tight restrictions on the firewall so only the DC can talk to it through the firewall?

Just thinking of an "ease of use" setup.
A Read-Only Domain Controller (RODC) is a new type of domain controller in Windows Server 2008. Its main purpose is to improve security in office branches.

In office branches, it is often not easy to provide sufficient physical security for servers. It is not a big deal to manipulate a Windows system if you can get physical access to it. Since Domain controllers store security sensitive data, they are particularly endangered. RODCs can help with this problem in four ways:

RODC essentials

Read-only feature: An intruder on the RODC can’t manipulate the Active Directory database.
DNS protection: If the RODC server hosts a DNS server, the intruder won’t be able to tamper with the DNS data.
Password protection: A malicious user won't be able to access passwords using a brute-force attack. This applies only if password caching is disabled on the RODC.
Administrator Role Separation: You can delegate a local Administrator role to a domain user.
Read-only Domain Controller

An RODC holds all Active Directory objects and attributes.
RODCs only support unidirectional replication of Active Directory changes (i.e., from the forest to the RODC).
If an application needs write access to Active Directory objects, the RODC will send an LDAP referral response that redirects the application to a writable domain controller.
yccdadmins (Author) commented:
Completely forgot about the Read Only DC - thanks guys!  I'm investigating now.  What I need to find out is:

1.  This network segment needs its own domain controller.  I'm looking for what ports I will have to allow through the firewall so the RODC can talk to the DC.

2. Can all communication between this RODC and the DC it communicates with on the outside of the firewall be encrypted?  I'm sure it can but haven't looked for how yet.

3.  In accordance with standards - this private segment of the network should really be a subdomain - to kind of match DNS zones.  The domain is something like and we would be creating  Would I have to create the subdomain on the outside of the private network and then have the read only on the inside?

I'm hoping that someone has done this and has some good info on any gotchas etc.....
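For questions 1 and 2 above, here is an added PowerShell check (not from this thread or any of the participants) to run on the would-be RODC host in the facilities segment: it probes the well-known TCP ports an RODC must reach on a writable DC so the ASA rule set can be verified before promotion. The DC host name is a placeholder, and UDP ports are noted but not probed.

```powershell
# Added example, not from the thread: run on the RODC host to probe the TCP ports it must
# reach on a writable DC through the ASA. The host name below is a placeholder.
$WritableDC = 'dc01.corp.example'   # placeholder for a writable DC on the general network

# RODC replication is pull-only (forest -> RODC), so the rule is RODC -> DC only; nothing
# needs to be opened from the DC back into the facilities segment for replication itself.
$Ports = @(
    @{ Port = 53;   Service = 'DNS (also UDP 53)' },
    @{ Port = 88;   Service = 'Kerberos (also UDP 88)' },
    @{ Port = 135;  Service = 'RPC endpoint mapper (AD replication, Netlogon)' },
    @{ Port = 389;  Service = 'LDAP (also UDP 389 for DC locator)' },
    @{ Port = 445;  Service = 'SMB (SYSVOL)' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 636;  Service = 'LDAP over TLS' },
    @{ Port = 3268; Service = 'Global Catalog' },
    @{ Port = 3269; Service = 'Global Catalog over TLS' }
)
# Replication RPC also needs a dynamic high port (49152-65535 on 2008 R2) unless it is
# pinned with the NTDS 'TCP/IP Port' registry value; add the pinned port (or the range).
# Replication RPC is Kerberos-authenticated with packet privacy, so it is encrypted on
# the wire as-is; LDAP clients get encryption via 636 or LDAP signing/sealing on 389.

function Test-TcpPort {
    # Plain TcpClient connect with a timeout; works on 2008 R2, which lacks Test-NetConnection.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Report which rules the firewall team still has to open before the RODC is promoted.
foreach ($p in $Ports) {
    $state = if (Test-TcpPort -ComputerName $WritableDC -Port $p.Port) { 'open' } else { 'BLOCKED' }
    '{0,5}  {1,-48} {2}' -f $p.Port, $p.Service, $state
}
```

A BLOCKED line for 135 or the dynamic RPC port is the usual reason an RODC promotion or replication check fails through a firewall, so resolve those first.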