asked on AD Sites Redesign - only allow Comms between Forest Root & Child/Tree Domain
We are redesigning our network security, and we have a need to prohibit network traffic flowing between domains which are members of a forest root domain, which is the resource domain. Right now, this is how our structure looks:
![Current Setup]()
As you can see, we have some child domains and tree domains, and Active Directory chooses a DC at random to synchronise with.
What we need to move towards is a design in which Active Directory servers only synchronise with servers in the same site, and/or the forest root domain controllers only. One child domain should not have any dependency or need to talk to another child domain, because essentially, our network design must not allow it.
This is what I want to achieve:
![Desired Setup]()
What steps do I need to take to obtain my goal? I can think of some of them, but I'm sure I'm missing something:
If you can help me with the other necessary steps, that would be very appreciated.
As you can see, we have some child domains and tree domains, and Active Directory chooses a DC at random to synchronise with.
What we need to move towards is a design in which Active Directory servers only synchronise with servers in the same site, and/or the forest root domain controllers only. One child domain should not have any dependency or need to talk to another child domain, because essentially, our network design must not allow it.
This is what I want to achieve:
What steps do I need to take to obtain my goal? I can think of some of them, but I'm sure I'm missing something:
Create Sites for each Domain
Create site links for each site to talk to the Forest Root Site
????
If you can help me with the other necessary steps, that would be very appreciated.
Active DirectoryWindows Server 2012
Last Comment
LesterClayton
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Thank you, you've helped me fix my design by reminding me that Sites have nothing to do with it - I'm going to just have to use Active Directory Sites and Services to create connections to the parent DC's, and to DC's in the same domain, and remove the others which were automatically created :)