wannabecraig asked:
Do I need to split my Domain from Office and Production

We're in a 24x7 PCI business. It evolved from a small 10 user organisation with a small customer base to over 100k customers and 100 staff. Currently we use the same Domain for our business facing servers and our office servers. We're trying to figure out what security issues there are with this and decide if we should split Domains into two: one for staff (mail & file server etc) and one for production (web, API, DB etc). Below is the rough setup.

Public web server - Non Domain - Public facing - non restricted
API server - Non Domain - Public facing - restricted
MS SQL DB servers - Outbound only
Mail - Public facing
File servers - Non-Public facing
PCs and other internal servers like DCs and vCenter servers - Non-Public facing

The CTO would like the production servers (web, API, mobile app, DBs) to be on their own domain and the office (mail, file, vCenter) to be on a new Domain. I'd like to know if there is a real security risk with them being on the same domain that would be mitigated by being on a different one?

The office and server room are fairly secure.  All our servers are currently here.
The production servers are currently here but are moving to a data centre very soon. It's highly secure.

Please let me know if you need any more info.
Lionel MM:

Let's assume you have two scenarios: one with all the required security and with all the systems on the same domain, and a second scenario also with all the required security but with two different domains. Then the second would be more secure only because it would provide one more layer, one more piece of information that would have to be overcome before attacking any of these systems. However, even having both domains on the same IP subnet would make it easier to attack, so you should have them on a separate subnet. The main question is what are the actual pieces of software involved with the interaction with the outside world, what is the public web server and what is the API server -- do these use software that is secure and that gets frequent security updates? I think that is the more important aspect of your question.
wannabecraig:
One of the things we are doing is moving subnet and using vLANs to separate the layers.
So they will be separated. But we could have one domain and two sites on different subnets sharing an AD OU. Considering that scenario, are we still much better off splitting the Domains?

Remember, we're moving off site to a more secure data centre for our production (public facing) servers. If we're integrated in AD with our less secure office AD environment, is this not a risk?

The API and website servers are both MS servers; one is 2008 and the other 2012. We scan for vulnerabilities both externally and internally on a regular basis and, while not 100% patched, all critical and high vulnerabilities are patched.

It sounds like you are already doing this, but the first step would be to isolate your public facing servers in a DMZ. There should be one firewall layer between your public facing servers and the internet and another layer between your public facing servers and your internal network. There should be very limited access in and out of the DMZ to both the internet and the internal network.

An AD forest is a security boundary, not a domain. I would create a new forest for your DMZ. The advantage of this is that you can set more stringent security policies in your DMZ and you can use totally separate accounts for access. A security breach in one forest would not automatically allow access to the other forest.


Web server and app server are in a DMZ. They are not on the Domain. These need to be open to any traffic. This only has access to our API layer on one port and not the production layer.

On a different subnet is the API server; we send and receive info to/from this to specific sites. This subnet is open to only certain services (sftp xfers etc). This only has access on a few secure ports to the production/SQL servers layer.

Then the production layer is only accessible from our office LAN on a few ports (auth and SMB/RDP/http etc).

The security and access is pretty decent, I'm just concerned about the single Domain and want to address that specifically.
So, from a domain standpoint, your most secure method would be to create a new AD forest. You would gain nothing by simply creating a new domain in your current forest.

And migrating the current mail and AD data across to the new Domain in the new forest is a huge deal? Or are there safe tools for this?
No, I would not migrate anything. Keep your internal systems in the current forest. Create a new forest for your web server and related servers that are accessed by your customers.

But we can't do that. The production servers and office servers are currently on one Domain. We'd have to move the production servers out of the Domain into a new one. This would be a lot of risk and downtime. We're a 24x7 business so may not be able to do that.
You can migrate your office servers to a new forest but it will be a significant amount of work.

If the prod servers are in the data center and have an RODC, that would still add an additional layer of security without unnecessary complexity.

My question is why are your production web servers domain joined at all? I like those to be off in a data center without any ties to the office at all. Maybe a VPN tunnel if you really need one for deployment / testing, but usually even that can be avoided.
I understand that they should not be on the domain, but I wasn't here at the beginning and the guy who was here set them up that way not understanding the risks. We are where we are.

There will be a VPN. And yes, the RODC is an option I think I'll look into as an extra security option.
Can we lock those machines on the production site to only take info from the RODC on that site?

What is more problematic is that somebody compromises this site and then compromises that site too.
This site is easier to gain access to than the production one.
The RODC would be used by default and other DCs would only be contacted if that DC didn't respond. I would put two RODCs in that site, then use the firewall to block access to your DCs in the office, except from the RODCs.
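The layered DMZ design described earlier in the thread and the RODC advice just above both boil down to a default-deny firewall policy with a handful of explicit tier-to-tier allows. The script below is an added example, not code from the thread or from Experts Exchange: it models that policy with constructed subnets, host addresses and a made-up DMZ-to-API port, then checks the properties the answers ask for (public tiers never reach production or the office directly, and only the two RODCs in the data-centre site may talk to the office domain controllers on AD ports). A second, flat rule set shows how a single-subnet, single-domain layout fails those checks.

```python
"""Added example (not from the thread): model the tiered layout discussed
above as a default-deny allow-list and check that public tiers never reach
production or the office directly, and that only the RODCs in the
production site may talk to the office domain controllers on AD ports.
All subnets, host addresses and the DMZ->API port are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Well-known ports a domain member or a replicating DC uses to reach a DC
# (DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, kpasswd, LDAPS, GC).
AD_PORTS = frozenset({53, 88, 135, 389, 445, 464, 636, 3268, 3269})
RPC_DYNAMIC = frozenset(range(49152, 65536))   # default dynamic RPC range

# Constructed addressing for the zones named in the thread.
ZONE = {"internet": "0.0.0.0/0", "dmz": "10.10.0.0/24", "api": "10.20.0.0/24",
        "prod": "10.30.0.0/24", "office": "10.40.0.0/24"}
SAMPLE_HOST = {"internet": "198.51.100.7", "dmz": "10.10.0.20",
               "api": "10.20.0.20", "prod": "10.30.0.20", "office": "10.40.0.20"}
RODCS = ("10.30.0.5", "10.30.0.6")         # two RODCs in the data-centre site
OFFICE_DCS = ("10.40.0.10", "10.40.0.11")  # writable DCs in the office


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                    # CIDR
    dst: str                    # CIDR
    ports: Optional[frozenset]  # None = any TCP port

    def matches(self, src_ip, dst_ip, port):
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.ports is None or port in self.ports))


def allowed(rules, src_ip, dst_ip, port):
    """Default deny: a flow passes only if some rule explicitly permits it."""
    return any(r.matches(src_ip, dst_ip, port) for r in rules)


# Segmented policy: each tier may only reach the next one, on a few ports.
SEGMENTED = [
    Rule("internet->dmz web", ZONE["internet"], ZONE["dmz"], frozenset({443})),
    Rule("dmz->api, one port", ZONE["dmz"], ZONE["api"], frozenset({8443})),
    Rule("api->prod sql", ZONE["api"], ZONE["prod"], frozenset({1433})),
    Rule("office->prod admin", ZONE["office"], ZONE["prod"],
         frozenset({80, 445, 3389, 5985})),
]
# Domain members in the production site authenticate against the local RODCs...
SEGMENTED += [Rule("prod->rodc auth", ZONE["prod"], f"{r}/32", AD_PORTS) for r in RODCS]
# ...and only the RODCs are allowed back to the office DCs, for replication.
SEGMENTED += [Rule("rodc->office dc", f"{r}/32", f"{dc}/32", AD_PORTS | RPC_DYNAMIC)
              for r in RODCS for dc in OFFICE_DCS]

# Flat policy: what one subnet / one domain with no tiering amounts to.
FLAT = [
    Rule("internet->dmz web", ZONE["internet"], ZONE["dmz"], frozenset({443})),
    Rule("every member talks to the office DCs", "10.0.0.0/8", ZONE["office"], AD_PORTS),
    Rule("office->prod admin", ZONE["office"], ZONE["prod"], frozenset({80, 445, 3389, 5985})),
]


def violations(rules):
    """Return the flows that must be blocked but the policy lets through."""
    found = []

    def expect_blocked(src, dst, port, why):
        if allowed(rules, src, dst, port):
            found.append(f"{why}: {src} -> {dst}:{port} is allowed")

    # 1. Only the RODCs may reach the office DCs on AD ports.
    for zone in ("dmz", "api", "prod"):
        for dc in OFFICE_DCS:
            for port in sorted(AD_PORTS):
                expect_blocked(SAMPLE_HOST[zone], dc, port, f"non-RODC {zone} host to DC")
    # 2. Public tiers never reach production or the office directly.
    for zone in ("internet", "dmz"):
        for target in ("prod", "office"):
            expect_blocked(SAMPLE_HOST[zone], SAMPLE_HOST[target], 445, f"{zone} to {target}")
    # 3. The API tier cannot reach the office LAN.
    expect_blocked(SAMPLE_HOST["api"], SAMPLE_HOST["office"], 445, "api to office")
    return found


if __name__ == "__main__":
    print("segmented policy violations:", violations(SEGMENTED))  # []
    print("flat policy violations:", len(violations(FLAT)))       # 56
```

The check deliberately uses one sample host per zone rather than enumerating every address; the point is that the rule set, not the host list, decides who may reach a writable DC, so adding a production server never widens that path unless someone adds it to the RODC rule.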

At some point management needs to understand that this is PCI and it has to be done correctly. "It's this way because that's how the last guy set it up" isn't a valid argument when the lawyers come a knocking. Don't worry about how it is now; if production needs to be completely separate, design it that way even if the transition is difficult.
The safer option might be moving the production servers onto their own Domain.
Jeff Glover: