Multiple Active Directory Domains using firewall - SBS environment

I have inherited a network that is using SBS 2011 as the domain controller.  We have several member servers on this domain.  I have a new application coming in that will require 2 new servers that have to be domain joined (not workgroup servers).  However, the intent is to make these servers as independent as possible as this part of our company might break off into its own independent company in the near future.  I have a Watchguard XTM515 firewall.  My plan is to connect these 2 new servers on a new IP subnet to a port on this firewall.  I will block all communication from all of my domain servers (on my primary domain) to this new port/subnet.  That way I can set up a new Active Directory domain on this subnet that won't be seen by the SBS 2011 domain controller.  The few devices on my current primary subnet that will need access to the new servers will only do so by remote desktop connection (via IP address, since there will be no DNS resolution available to this subnet).

Does this setup plan make sense?  Are there any flaws or issues that I am overlooking before I start this process?
Lew Nix asked:
Jeremy Weisinger (Senior Network Consultant / Engineer) commented:
That should work fine. You don't have to go to the lengths of setting up a new subnet and putting a firewall between them. As long as the new servers don't run DHCP, you can have a separate AD forest on the same subnet.

But I think your idea of putting them on their own subnet will make it easier if you do eventually break off that portion to a new company.
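The answer above hinges on two conditions: the new servers form their own forest (SBS permits no trusts, so there must be none), and they never hand out DHCP leases to the shared subnet. The following PowerShell script is an added example, not code from the thread or from either participant, that checks those conditions on one of the new servers after it has been promoted to a domain controller in the new forest. The forest names `corp.local` and `newco.local` and the SBS DC address `192.168.1.10` are placeholders assumed for the example; the last step only matters if the firewall block from the original plan was kept.

```powershell
# Added example (not from the thread): post-build checks for a second AD forest
# next to an SBS 2011 domain. Run on a new-forest DC as a domain admin there.
# Placeholder values; replace with your own.
$SbsForestDns = 'corp.local'      # existing SBS forest (assumed name)
$NewForestDns = 'newco.local'     # new, independent forest (assumed name)
$SbsDcIp      = '192.168.1.10'    # SBS domain controller (assumed address)

Import-Module ActiveDirectory

# 1. This host must be in the new forest, not the SBS one.
$forest = Get-ADForest
if ($forest.RootDomain -ne $NewForestDns) {
    throw "Unexpected forest root '$($forest.RootDomain)'; expected '$NewForestDns'"
}
"Forest root: $($forest.RootDomain); domains: $($forest.Domains -join ', ')"

# 2. Isolation means no trusts in either direction (SBS cannot have any anyway).
$trusts = Get-ADTrust -Filter *
if ($trusts) { Write-Warning "Trusts found: $($trusts.Name -join ', ')" }
else         { 'No trusts defined in the new forest' }

# 3. The one condition from the answer: the new servers must not serve DHCP.
#    Check the role is absent here and nothing is authorized in the new forest.
if ((Get-WindowsFeature -Name DHCP).Installed) {
    Write-Warning 'DHCP Server role is installed on this host'
}
if (Get-Command Get-DhcpServerInDC -ErrorAction SilentlyContinue) {
    $authorized = Get-DhcpServerInDC
    if ($authorized) {
        Write-Warning "DHCP servers authorized in new forest: $($authorized.DnsName -join ', ')"
    } else { 'No DHCP servers authorized in the new forest' }
}

# 4. DNS here should serve the new forest and know nothing about the SBS domain.
$dns = Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses
"DNS servers in use: $(($dns.ServerAddresses | Select-Object -Unique) -join ', ')"
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$SbsForestDns" -Type SRV -ErrorAction SilentlyContinue
if ($srv) { Write-Warning "SBS DCs are locatable from here: $($srv.NameTarget -join ', ')" }
else      { "No DC locator records for $SbsForestDns visible from this host" }

# 5. Only if the firewall block was kept: AD-related ports to the SBS DC should be closed.
foreach ($port in 88, 135, 389, 445, 636) {
    $t = Test-NetConnection -ComputerName $SbsDcIp -Port $port -WarningAction SilentlyContinue
    '{0}:{1} reachable = {2}' -f $SbsDcIp, $port, $t.TcpTestSucceeded
}
```

Step 4 is the check that most often surprises people: if the new servers were given the SBS DC as a DNS forwarder or secondary resolver during setup, they can still locate the old forest's DCs even though the forests are separate, which is worth removing before the company split.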
Lew Nix (Author) commented:
Thank you for the quick response.  I had determined through research that I could have 2 AD forests on the same subnet.  The big issue that I am concerned about is that the primary AD domain controller is an SBS server.  There is a lot of Microsoft documentation regarding SBS servers not being able to coexist with a different AD domain on the same network.  Not sure if this is more of a warning or if it will actually cause issues on the SBS domain.
Jeremy Weisinger (Senior Network Consultant / Engineer) commented:
The issue with SBS is that it can only be in a single domain forest with no trusts. So there would be no issues having a separate forest on the same subnet.
Lew Nix (Author) commented:
Perfect.  So, I can go ahead with the separate subnet to ease the eventual company split.  But I don't need to worry about blocking through the firewall, which will make my life much easier.

Thanks again!