Asked by LesterClayton:
AD Sites Redesign - only allow Comms between Forest Root & Child/Tree Domain

We are redesigning our network security, and we have a need to prohibit network traffic flowing between domains which are members of a forest root domain, which is the resource domain. Right now, this is how our structure looks:

[image]
As you can see, we have some child domains and tree domains, and Active Directory chooses a DC at random to synchronise with.

What we need to move towards is a design in which Active Directory servers only synchronise with servers in the same site, and/or the forest root domain controllers only. One child domain should not have any dependency or need to talk to another child domain, because essentially, our network design must not allow it.

This is what I want to achieve:

[image]
What steps do I need to take to obtain my goal? I can think of some of them, but I'm sure I'm missing something:

Create Sites for each Domain
Create site links for each site to talk to the Forest Root Site

If you can help me with the other necessary steps, that would be very appreciated.
Answer by Mahesh: [answer text not shown on this page]
LesterClayton replied:
Thank you, you've helped me fix my design by reminding me that Sites have nothing to do with it - I'm going to just have to use Active Directory Sites and Services to create connections to the parent DCs, and to DCs in the same domain, and remove the others which were automatically created :)
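As an added example that is not part of the original thread and not either poster's own script, the PowerShell below (ActiveDirectory module, run with Enterprise Admin rights against a forest-root DC) covers both halves of the discussion: it builds the hub-and-spoke topology the question asks for (a site link from each child site to the root site only, with "Bridge all site links" disabled so the KCC cannot route a direct child-to-child connection over transitive links), and then audits the existing replication connection objects the reply talks about, flagging any whose two endpoints are DCs in two different non-root domains. The site names are hypothetical placeholders; everything else comes from the forest's own configuration partition.

```powershell
# Added example, not from the original thread. Requires the ActiveDirectory
# module; site names in the parameters below are hypothetical placeholders.
Import-Module ActiveDirectory

$rootDse      = Get-ADRootDSE
$configNC     = $rootDse.configurationNamingContext   # CN=Configuration,DC=...
$rootDomainDn = $rootDse.rootDomainNamingContext      # DN of the forest root domain

# 1. Hub-and-spoke site links: every child site is linked to the root site only.
function New-HubSpokeTopology {
    param(
        [string]   $RootSite   = 'ForestRoot-Site',                 # hypothetical
        [string[]] $ChildSites = @('ChildA-Site', 'ChildB-Site')    # hypothetical
    )
    foreach ($site in @($RootSite) + $ChildSites) {
        if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
            New-ADReplicationSite -Name $site
        }
    }
    foreach ($child in $ChildSites) {
        $linkName = "$RootSite-$child"
        if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
            New-ADReplicationSiteLink -Name $linkName `
                -SitesIncluded $RootSite, $child `
                -Cost 100 -ReplicationFrequencyInMinutes 15 `
                -InterSiteTransportProtocol IP
        }
    }
    # Disable "Bridge all site links" on the IP transport (options bit 0x2 =
    # bridges required). With bridging on, the KCC treats site links as
    # transitive and may build a direct ChildA<->ChildB connection even
    # though no ChildA-ChildB site link exists.
    $ipTransport = Get-ADObject -Identity "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC" `
                                -Properties options
    $opts = [int]($ipTransport.options)
    if (-not ($opts -band 2)) {
        Set-ADObject -Identity $ipTransport -Replace @{ options = ($opts -bor 2) }
    }
}

# 2. Map every DC's NTDS Settings DN to the DN of the domain it belongs to.
#    The server object's serverReference points at the DC's computer object,
#    whose DC= components name the domain, so only the config partition is read.
function Get-DcDomainMap {
    $map = @{}
    Get-ADObject -Filter 'objectClass -eq "server"' -SearchBase "CN=Sites,$configNC" `
                 -Properties serverReference |
        Where-Object { $_.serverReference } |
        ForEach-Object {
            $domainDn = (($_.serverReference -split ',') | Where-Object { $_ -like 'DC=*' }) -join ','
            $map["CN=NTDS Settings,$($_.DistinguishedName)"] = $domainDn
        }
    return $map
}

# 3. Report connection objects that join two different non-root domains,
#    i.e. replication partners the redesign says must not exist.
function Find-CrossChildConnections {
    $dcDomain = Get-DcDomainMap
    Get-ADReplicationConnection -Filter * | ForEach-Object {
        $from = $dcDomain[$_.ReplicateFromDirectory]   # source DC (fromServer)
        $to   = $dcDomain[$_.ReplicateToDirectory]     # destination DC (owner of the object)
        if ($from -and $to -and $from -ne $to -and
            $from -ne $rootDomainDn -and $to -ne $rootDomainDn) {
            [pscustomobject]@{
                Connection    = $_.Name
                FromDomain    = $from
                ToDomain      = $to
                AutoGenerated = $_.AutoGenerated   # KCC-generated; it will be recreated
                DN            = $_.DistinguishedName
            }
        }
    }
}

New-HubSpokeTopology
Find-CrossChildConnections | Format-Table -AutoSize
```

Two points a practitioner would check before calling this done. First, deleting connection objects the KCC generated is only durable if automatic inter-site topology generation is disabled on the affected sites; otherwise the KCC recreates them on its next run, which is why the audit reports the AutoGenerated flag. Second, every Global Catalog in a child domain still needs a partial replica of every other domain partition, so in this design that data must flow through the root-site DCs; after a replication cycle, repadmin /showrepl on a child DC should list only root-domain and same-domain partners.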