Placing AD/DC in same subnet as applications servers or segregate by firewall/ACL

We are setting up a new domain, designated for critical, sensitive applications, with its own AD/DC.

Is it OK for the AD/DC servers to sit in the same subnet as the apps servers, or should we segregate them into separate subnets?

If separate subnets, is segregating by router ACL enough, or is a firewall needed?

What's the reasoning, and what are the best practices out there?
This is a bit of a "how long is a piece of string" question. It really depends on the security posture of your business and the security culture. Some companies require DCs to be network segregated and protected by host-based as well as network firewalls. The DCs might need to be physically secured in cages within the data centre. Other companies do not particularly care. Many I come across internally do not even enable host-based firewalls to reduce their attack surface area. Technically there is certainly no problem doing what you want to do, and even from a security point of view there is not necessarily an issue. You can mitigate most issues with host-based firewalls like the built-in Windows firewall.
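The trade-off the answer above describes, between a network enforcement point and the built-in firewall on the DC itself, as an added example that is not code from this thread: a small Python model of the allow-list a DC subnet needs from an application subnet, evaluated with and without segmentation and with and without a host-based firewall. The subnets, host addresses and sample flows are constructed assumptions; the AD service ports are the standard ones a domain member must reach on a domain controller.

```python
import ipaddress
from typing import Callable, NamedTuple

# Constructed subnets for the example (assumptions, not from the thread).
APP_SUBNET = ipaddress.ip_network("10.10.20.0/24")   # application servers
DC_SUBNET = ipaddress.ip_network("10.10.10.0/24")    # domain controllers

# Standard ports a domain member must reach on a DC: DNS, Kerberos, RPC
# endpoint mapper, LDAP/LDAPS, SMB for SYSVOL/GPO, kpasswd, global catalog, NTP.
AD_SERVICE_PORTS = {
    "tcp": {53, 88, 135, 389, 445, 464, 636, 3268, 3269},
    "udp": {53, 88, 123, 389, 464},
}
# RPC services behind the endpoint mapper use this dynamic range (Server 2008+).
RPC_DYNAMIC_TCP = range(49152, 65536)


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def is_ad_service_port(proto: str, dport: int) -> bool:
    proto = proto.lower()
    if dport in AD_SERVICE_PORTS.get(proto, set()):
        return True
    return proto == "tcp" and dport in RPC_DYNAMIC_TCP


def allowed_by_network_acl(flow: Flow) -> bool:
    """Stateful allow-list on the router/firewall between the two subnets:
    app servers may open AD service ports on DCs; everything else is denied,
    including anything the DC subnet initiates toward the app servers."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src in APP_SUBNET and dst in DC_SUBNET:
        return is_ad_service_port(flow.proto, flow.dport)
    return False


def allowed_by_host_firewall(flow: Flow) -> bool:
    """Inbound profile of the built-in firewall on each DC: the same AD
    service ports, from any source, because a host cannot see topology."""
    if ipaddress.ip_address(flow.dst) not in DC_SUBNET:
        return True                      # only the DC inbound profile is modelled
    return is_ad_service_port(flow.proto, flow.dport)


def reachable(flow: Flow, segmented: bool, host_firewall: bool) -> bool:
    """A flow succeeds only if every enforcement layer in the path permits it.
    Same subnet and no host firewall means there is no layer at all."""
    layers: list[Callable[[Flow], bool]] = []
    if segmented:
        layers.append(allowed_by_network_acl)
    if host_firewall:
        layers.append(allowed_by_host_firewall)
    return all(layer(flow) for layer in layers)


# Constructed flows: an app server talking to a DC, and the reverse direction.
SAMPLE_FLOWS = [
    Flow("10.10.20.5", "10.10.10.5", "tcp", 88),     # Kerberos: needed
    Flow("10.10.20.5", "10.10.10.5", "tcp", 50001),  # RPC dynamic range: needed
    Flow("10.10.20.5", "10.10.10.5", "tcp", 3389),   # RDP to a DC: not needed
    Flow("10.10.10.5", "10.10.20.5", "tcp", 445),    # DC-initiated SMB: not needed
]


def evaluate(flows, segmented: bool, host_firewall: bool) -> dict:
    return {f: reachable(f, segmented, host_firewall) for f in flows}


if __name__ == "__main__":
    for segmented, host_fw in [(False, False), (False, True), (True, False), (True, True)]:
        print(f"segmented={segmented} host_firewall={host_fw}")
        for f, ok in evaluate(SAMPLE_FLOWS, segmented, host_fw).items():
            print(f"  {f.src} -> {f.dst} {f.proto}/{f.dport}: {'allowed' if ok else 'denied'}")
```

Running it shows why the answer treats the host-based firewall as the mitigation: with both hosts in one subnet and no host firewall, every flow reaches the DC; turning on the DC's inbound profile denies the non-AD ports even without a subnet boundary, while a subnet boundary is the only layer that can also stop traffic the DC side initiates. On the ACL-versus-firewall point in the question, the model assumes stateful enforcement; a stateless router ACL has to permit return traffic explicitly, which in practice means opening the reverse direction to the whole ephemeral port range, whereas a stateful firewall admits replies by tracking the session.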
sunhux (Author) Commented:
For this new apps project, we have 2 sets of servers: the web servers, which I will put in the DMZ and certainly segregate from the AD/DC subnet. As we are short of firewall legs, I thought of putting the set of apps servers in the AD/DC subnet: what are the risks of doing this?
sunhux (Author) Commented:
Would it be a good practice to segregate the DCs from the apps servers into separate subnets to minimize the chances of a 'broadcast storm' (separate collision domains)? Is this a good practice in terms of network design?
If there is a specific issue you are trying to mitigate, then you should totally do it. If you're concerned about broadcast storms impacting connectivity to the DCs or DC connectivity, then put them into a separate subnet. AD is very resilient to most issues. I would say if you want your DCs on a separate subnet, go for it. If not, then don't. I have had outages caused by broadcast storms before, but to be honest it really didn't matter what subnet the DCs were on because the core switches melted and fell over. Someone with a more specific network-related background might give a different answer from a network point of view.
sunhux (Author) Commented:
> Someone with a more specific network-related background might give a different answer from a network point of view

Thanks Learnctx. Anyone from a network background care to share further? I'll leave this thread open for a few more days.