We are redesigning our network security, and we have a need to prohibit network traffic flowing between domains which are members of a forest root domain, which is the resource domain. Right now, this is how our structure looks:
As you can see, we have some child domains and tree domains, and Active Directory chooses a DC at random to synchronise with.
What we need to move towards is a design in which Active Directory servers only synchronise with servers in the same site, and/or the forest root domain controllers only. One child domain should not have any dependency or need to talk to another child domain, because essentially, our network design must not allow it.
This is what I want to achieve:
What steps do I need to take to obtain my goal? I can think of some of them, but I'm sure I'm missing something:
Create Sites for each Domain
Create site links for each site to talk to the Forest Root Site
If you can help me with the other necessary steps, that would be very appreciated.
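An added illustration of the steps listed above, not code from the question: a PowerShell sketch of a hub-and-spoke site topology in which every site link contains only the forest root site and one child site, site link bridging is switched off so the KCC cannot route child-to-child connections through the hub, and the resulting connection objects are checked. Site names, subnets and domain controller names are placeholders, not values from the question; it assumes the ActiveDirectory RSAT module and forest root DCs placed in the hub site.

```powershell
# Added example (not from the question). Placeholders: hub site 'HQ-Root' holds the forest
# root DCs; 'Child-A' and 'Child-B' are one site per child/tree domain.
Import-Module ActiveDirectory
$hub    = 'HQ-Root'
$spokes = 'Child-A', 'Child-B'

# 1. One site per domain.
foreach ($site in @($hub) + $spokes) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) { New-ADReplicationSite -Name $site }
}

# 2. Subnets decide which site a DC (and a client) belongs to; then move the DCs in.
#    Placeholder subnet/DC names: replace with your own.
New-ADReplicationSubnet -Name '10.1.0.0/16' -Site 'Child-A'
Move-ADDirectoryServer -Identity 'DC01-CHILDA' -Site 'Child-A'

# 3. One site link per spoke containing exactly {hub, spoke}; no link ever holds two spokes.
foreach ($spoke in $spokes) {
    $linkName = "$hub-$spoke"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
        New-ADReplicationSiteLink -Name $linkName -SitesIncluded $hub, $spoke `
            -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
    }
}

# 4. Drop DEFAULTIPSITELINK: by default it contains every site, so spoke DCs could
#    still choose each other as partners through it.
Get-ADReplicationSiteLink -Filter "Name -eq 'DEFAULTIPSITELINK'" |
    Remove-ADReplicationSiteLink -Confirm:$false

# 5. Untick "Bridge all site links". While bridging is on, links are transitive and the
#    KCC may build Child-A <-> Child-B connections via the hub. Bit 0x2 of the IP
#    transport's 'options' attribute means "site link bridges required".
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
$opts = [int](Get-ADObject -Identity $ipTransport -Properties options).options
Set-ADObject -Identity $ipTransport -Replace @{ options = ($opts -bor 0x2) }

# 6. Verify once the KCC has recalculated: no connection object should pair two spokes.
#    The destination site is in the connection's own DN, the source site in fromServer.
repadmin /kcc
Get-ADReplicationConnection -Filter * | ForEach-Object {
    $toSite   = [regex]::Match($_.DistinguishedName,           'CN=Servers,CN=([^,]+)').Groups[1].Value
    $fromSite = [regex]::Match($_.ReplicateFromDirectoryServer, 'CN=Servers,CN=([^,]+)').Groups[1].Value
    if ($fromSite -ne $toSite -and ($spokes -contains $fromSite) -and ($spokes -contains $toSite)) {
        Write-Warning "Spoke-to-spoke replication connection: $fromSite -> $toSite"
    }
}
```

Two caveats the topology alone does not cover: global catalogs in a child site source the partial replicas of the other domains from the hub, so the forest root DCs the spokes link to should be global catalogs; and site links govern only replication, so trust referrals, DFS and other cross-domain client traffic still need their own firewall rules.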