Do I need to split my Domain from Office and Production

We're in a 24x7 PCI business. It evolved from a small 10 user organisation with a small customer base to over 100k customers and 100 staff. Currently we use the same Domain for our business facing servers and our office servers. We're trying to figure out what security issues there are with this and decide if we should split the Domain into two: one for staff (mail & file server etc.) and one for production (web, API, DB etc.). Below is the rough setup.

Public web server - Non Domain - Public facing - non restricted
API server - Non Domain - Public facing - restricted
MS SQL DB servers - Outbound only
Mail - Public facing
File servers - Non-Public facing
PCs and other internal servers like DCs and vCenter servers - Non-Public facing

The CTO would like the production servers (web, API, mobile app, DBs) to be on their own domain and the office (mail, file, vCenter) to be on a new Domain. I'd like to know if there is a real security risk with them being on the same domain that would be mitigated by being on a different one?

The office and server room are fairly secure. All our servers are currently here.
The production servers are currently here but are moving to a data centre very soon. It's highly secure.

Please let me know if you need any more info.
Lionel MMSmall Business IT ConsultantCommented:
Let's assume you have two scenarios: one with all the required security and with all the systems on the same domain, and a second scenario also with all the required security but with two different domains. Then the second would be more secure only because it would provide one more layer, one more piece of information that would have to be overcome before attacking any of these systems. However, even having both domains on the same IP subnet would make it easier to attack, so you should have them on a separate subnet. The main question is what are the actual pieces of software involved with the interaction with the outside world, what is the public web server and what is the API server -- do these use software that are secure and that get frequent security updates? I think that is the more important aspect of your question.
wannabecraigAuthor Commented:
One of the things we are doing is moving subnet and using vLANs to separate the layers.
So they will be separated. But we could have one domain and two sites on different subnets sharing an AD OU. Considering that scenario, are we still much better off splitting the Domains?

Remember, we're moving off site to a more secure data centre for our production (public facing) servers. If we're integrated in AD with our less secure office AD environment, is this not a risk?

The API and Website servers are both MS servers, one is 2008 and the other 2012. We scan for vulnerabilities both externally and internally on a regular basis and, while not 100% patched, all critical and high vulnerabilities are patched.
Jamie McKillopIT ManagerCommented:

It sounds like you are already doing this, but the first step would be to isolate your public facing servers in a DMZ. There should be one firewall layer between your public facing servers and the internet and another layer between your public facing servers and your internal network. There should be very limited access in and out of the DMZ to both the internet and the internal network.

An AD forest is a security boundary, not a domain. I would create a new forest for your DMZ. The advantage of this is that you can set more stringent security policies in your DMZ and you can use totally separate accounts for access. A security breach in one forest would not automatically allow access to the other forest.

wannabecraigAuthor Commented:

Webserver and App server are in a DMZ. They are not on the Domain. These need to be open to any traffic. This only has access to our API layer on one port and not the production layer.

On a different subnet is the API server; we send and receive info to/from this to specific sites. This subnet is open to only certain services (sftp xfers etc.). This only has access on a few secure ports to the production/SQL servers layer.

Then the production layer is only accessible from our office LAN on a few ports (auth and SMB/RDP/http etc.).

The security and access is pretty decent, I'm just concerned about the single Domain and want to address that specifically.
Jamie McKillopIT ManagerCommented:
So, from a domain standpoint, your most secure method would be to create a new AD forest. You would gain nothing by simply creating a new domain in your current forest.

wannabecraigAuthor Commented:
And migrating the current mail and AD data across to the new Domain in the new forest is a huge deal? Or are there safe tools for this?
Jamie McKillopIT ManagerCommented:
No, I would not migrate anything. Keep your internal systems in the current forest. Create a new forest for your web server and related servers that are accessed by your customers.

wannabecraigAuthor Commented:
But we can't do that. The production servers and office servers are currently on one Domain. We'd have to move the production servers out of the Domain into a new one. This would be a lot of risk and downtime. We're a 24x7 business so may not be able to do that.
Jamie McKillopIT ManagerCommented:
You can migrate your office servers to a new forest but it will be a significant amount of work.

Aaron TomoskyDirector of Solutions ConsultingCommented:
If the prod servers are in the data center and have an RODC, that would still add an additional layer of security without unnecessary complexity.

My question is why are your production web servers domain joined at all??? I like those to be off in a data center without any ties to the office at all. Maybe a VPN tunnel if you really need one for deployment / testing, but usually even that can be avoided.
wannabecraigAuthor Commented:
I understand that they should not be on the domain, but I wasn't here at the beginning and the guy who was here set them up that way not understanding the risks. We are where we are.

There will be a VPN. And yes, the RODC is an option I think I'll look into as an extra security option.
Can we lock those machines on the production site to only take info from the RODC on that site?

What is more problematic is that somebody compromises this site and then compromises that site too.
This site is easier to gain access to than the production one.
Jamie McKillopIT ManagerCommented:
The RODC would be used by default and other DCs would only be contacted if that DC didn't respond. I would put two RODCs in that site, then use the firewall to block access to your DCs in the office, except from the RODCs.

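The check a defender would want after following the advice above: confirm from a production-site member server that the DC locator hands it the site's RODC and that the writable office DCs are no longer reachable through the firewall. This is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module and Test-NetConnection (Windows Server 2012 or later) are available on the host, and it takes all DC names from AD rather than hard-coding them.

```powershell
# Added example: verify RODC-only authentication from a production-site server.
# Assumes the ActiveDirectory module (RSAT) is installed on this host.
Import-Module ActiveDirectory

# Ask the DC locator which DC this host uses for its own site, then fetch its
# full properties (IsReadOnly is not populated in discover mode).
$located = Get-ADDomainController -Discover -ForceDiscover
$siteDc  = Get-ADDomainController -Identity $located.HostName -Server $located.HostName

"{0} located DC {1} in site {2} (RODC: {3})" -f `
    $env:COMPUTERNAME, $siteDc.HostName, $siteDc.Site, $siteDc.IsReadOnly

if (-not $siteDc.IsReadOnly) {
    Write-Warning "This host is authenticating against a writable DC, not the site RODC."
}

# TCP ports a domain member uses to talk to a DC (Kerberos, RPC, LDAP, SMB,
# LDAPS, GC). Every one of them should be filtered toward the office DCs.
$dcPorts = 88, 135, 389, 445, 636, 3268

# Enumerate the writable DCs (the office ones) via the RODC we already reached.
$writableDcs = Get-ADDomainController -Server $siteDc.HostName -Filter { IsReadOnly -eq $false }

$leaks = foreach ($dc in $writableDcs) {
    foreach ($port in $dcPorts) {
        $probe = Test-NetConnection -ComputerName $dc.HostName -Port $port -WarningAction SilentlyContinue
        if ($probe.TcpTestSucceeded) {
            [pscustomobject]@{ WritableDC = $dc.HostName; Port = $port }
        }
    }
}

if ($leaks) {
    Write-Warning "Firewall still permits this site to reach writable DCs:"
    $leaks | Format-Table -AutoSize
} else {
    "No writable DC reachable from {0}; only the site RODC is exposed." -f $env:COMPUTERNAME
}
```

Run it from each production-site server after the firewall change, and again whenever a DC is added, since a new writable DC outside the rule set would silently become reachable.
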
Aaron TomoskyDirector of Solutions ConsultingCommented:
At some point management needs to understand that this is PCI and it has to be done correctly. "It's this way because that's how the last guy set it up" isn't a valid argument when the lawyers come a-knocking. Don't worry about how it is now; if production needs to be completely separate, design it that way even if the transition is difficult.
wannabecraigAuthor Commented:
The safer option might be moving the production servers onto their own Domain.
Jeff GloverSr. Systems AdministratorCommented:
After reading your original question and all the comments, I wonder: what is the big deal? I assume you have a firewall, correct? And are using private IP ranges inside? You already said your Web and API servers are not on your domain, so I assume they are also port locked down? Are they NATted with a firewall? You also said you have a DMZ. So is the issue the company does not want to have AD use the same internal name as your domain? This, contrary to other opinions, is not that big of a deal according to Microsoft now (as opposed to years ago). Seems the only servers on your domain that have any connections outside are your Exchange and SQL (not sure with SQL; are they connecting externally or just to the DMZ?). For Exchange, you can always put up an edge server if that bothers you.
Putting another domain in the DMZ really serves no purpose other than to make it easier for management and perhaps for a hacker to gain access to the API servers after hacking the Web ones. Of course, I may be missing something here.

With 100K customers, I would look at moving your webservers to a hosted environment.
