We are setting up a new domain, designated for critical sensitive applications, with its own AD/DC.
Is it OK for the AD/DC servers to sit in the same subnet as the app servers, or should we segregate them into separate subnets?
If separate subnets, is segregating by router ACL enough, or is a firewall needed?
What are the reasons and the best practices out there?