Placing AD/DC in the same subnet as application servers, or segregating by firewall/ACL

We are setting up a new domain, designated for critical, sensitive applications, with its own AD/DC.

Is it OK for the AD/DC servers to sit in the same subnet as the app servers, or should we segregate them into separate subnets?

If separate subnets, is segregating by router ACL enough, or is a firewall needed?

What's the reason & the best practices out there?

sunhuxAuthor Commented:
For this new apps project, we have 2 sets of servers: the web servers, which I will put in the DMZ and certainly segregate from the AD/DC's subnet. As we are short of firewall legs, I thought of putting the set of app servers in the AD/DC subnet: what are the risks of doing this?
This is a bit of a "how long is a piece of string" question. It really depends on the security posture of your business and the security culture. Some companies require DCs to be network segregated and protected by host-based as well as network firewalls. The DCs might need to be physically secured in cages within the data centre. Other companies do not particularly care. Many I come across internally do not even enable host-based firewalls to reduce their attack surface. Technically there is certainly no problem doing what you want to do, and even from a security point of view there is not necessarily an issue. You can mitigate most issues with host-based firewalls like the built-in Windows firewall.
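One concrete way to apply the host-based mitigation mentioned above, as an added example that is not part of the original thread or of Experts Exchange: on a DC that shares a subnet with the app servers, replace the promotion-time "allow from Any" firewall rules with inbound rules scoped to the app-server subnet, the DC's replication peers and a management host. The addresses below are constructed placeholders; the port list is the commonly published set of AD service ports that domain members need, and the dynamic RPC range is the Windows Server default. Rule names and the group name are assumptions chosen for this example.

```powershell
# Added example (not from the thread): scope a DC's inbound Windows Firewall
# rules to the application-server subnet, so that sharing a subnet with the
# app servers does not mean every neighbour can reach every DC service.
# CONSTRUCTED placeholders: replace with your real ranges before use.
$AppSubnet   = '10.20.30.0/24'              # application servers (constructed)
$OtherDCs    = '10.20.30.10', '10.20.30.11'  # replication peers (constructed)
$MgmtHost    = '10.20.40.10'                # jump host allowed to RDP in (constructed)
$AllowedFrom = @($AppSubnet) + $OtherDCs

# 1. Deny everything inbound by default. A DC normally runs in the Domain profile,
#    but block on all three so a profile misdetection does not open the host.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block -Enabled True

# 2. Services that domain members need from a DC. Port 135 is the RPC endpoint
#    mapper; Netlogon/DRS/SAM-R calls then land in the dynamic range below.
$Rules = @(
  @{ Name = 'AD-DNS-TCP';      Protocol = 'TCP'; Port = '53' },
  @{ Name = 'AD-DNS-UDP';      Protocol = 'UDP'; Port = '53' },
  @{ Name = 'AD-Kerberos-TCP'; Protocol = 'TCP'; Port = '88' },
  @{ Name = 'AD-Kerberos-UDP'; Protocol = 'UDP'; Port = '88' },
  @{ Name = 'AD-NTP-UDP';      Protocol = 'UDP'; Port = '123' },
  @{ Name = 'AD-RPC-EPM';      Protocol = 'TCP'; Port = '135' },
  @{ Name = 'AD-LDAP-TCP';     Protocol = 'TCP'; Port = '389' },
  @{ Name = 'AD-LDAP-UDP';     Protocol = 'UDP'; Port = '389' },
  @{ Name = 'AD-SMB';          Protocol = 'TCP'; Port = '445' },
  @{ Name = 'AD-Kpasswd-TCP';  Protocol = 'TCP'; Port = '464' },
  @{ Name = 'AD-Kpasswd-UDP';  Protocol = 'UDP'; Port = '464' },
  @{ Name = 'AD-LDAPS';        Protocol = 'TCP'; Port = '636' },
  @{ Name = 'AD-GC';           Protocol = 'TCP'; Port = '3268' },
  @{ Name = 'AD-GC-SSL';       Protocol = 'TCP'; Port = '3269' },
  @{ Name = 'AD-RPC-Dynamic';  Protocol = 'TCP'; Port = '49152-65535' }
)
foreach ($r in $Rules) {
  New-NetFirewallRule -DisplayName "Scoped $($r.Name)" -Group 'Scoped AD' `
    -Direction Inbound -Action Allow -Profile Domain `
    -Protocol $r.Protocol -LocalPort $r.Port -RemoteAddress $AllowedFrom | Out-Null
}

# 3. Administrative access only from the management host, never from the app servers.
New-NetFirewallRule -DisplayName 'Scoped RDP from mgmt' -Group 'Scoped AD' `
  -Direction Inbound -Action Allow -Profile Domain `
  -Protocol TCP -LocalPort 3389 -RemoteAddress $MgmtHost | Out-Null

# 4. Verify: list every enabled inbound Allow rule that is still open to 'Any'
#    remote address. The built-in rules created at promotion appear here and
#    should be disabled or re-scoped once the scoped set above is confirmed working.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
  Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' } |
  Select-Object DisplayName, Profile
```

Run it in an elevated PowerShell session from the DC console rather than over RDP, since step 1 takes effect before the RDP rule in step 3 exists. The list is the minimum for domain-joined members; add NetBIOS (UDP 137/138, TCP 139) only if you still have legacy clients that need it. Note that a host firewall filters unicast traffic to the DC; it does nothing about broadcast traffic on the shared segment, which is a separate argument for a separate subnet.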

sunhuxAuthor Commented:
Would it be a good practice to segregate the DCs from the app servers into separate subnets to minimize the chances of a 'broadcast storm' (separate collision domains): is this a good practice in terms of network design?

If there is a specific issue you are trying to mitigate, then you should totally do it. If you're concerned about broadcast storms impacting connectivity to the DCs or DC connectivity, then put them into a separate subnet. AD is very resilient to most issues. I would say if you want your DCs on a separate subnet, go for it. If not, then don't. I have had outages caused by broadcast storms before, but to be honest it really didn't matter what subnet the DCs were on because the core switches melted and fell over. Someone with a more specific network-related background might give a different answer from a network point of view.
sunhuxAuthor Commented:
>  Someone with a more specific network related background might give a different answer from a network point of view
Thanks Learnctx. Anyone from a network background care to share further? I'll leave this thread open for a few more days.