Tagged: Active Directory
stephenmbellMemberNov 16, 2019 at 4:25 pm #624838
Hello all —
I have a rather small AD environment – but – some firewalls between some of my DCs. As a result, I would like to know the best way to control the flow of replication.
I’ve got 1 forest, 3 domains – 1 parent, 2 children. The parent domain is for my corporate infrastructure – Call that company.pri. I’ve got a child domain that is for all of my retail (POS) systems across 400 locations – retail.company.pri. Because of the retail nature of our business, and PCI requirements, I have a second child domain – ops.company.pri – this is for other (NON POS) systems in our retail locations.
In root domain – there are 5 domain controllers spread across 3 AD sites. Corp (2), Warehouse (2), DR (1).
In retail domain, there are 3 domain controllers spread across 2 AD sites. Retail (2), DR (1)
In ops domain, there are 3 domain controllers spread across 2 AD sites. Retail (2), DR (1).
Retail DCs and OPs DCs are in the same AD site because of subnets. Each retail location is a /24 network – think 172.17.100.0/24. Within each /24, the network is broken into /26 subnets. Retail domain is the first /26 and Ops domain is the second /26. In my AD site – I have 1 large subnet tied to the retail AD Site – 172.17.0.0/15. I’m not sure if it would be better or worse to split the large subnet into 800 /26 subnets and break retail and ops into their own sites.
Ideally, I think for security – it makes sense to segment our network so that ops systems cannot communicate with retail DCs. This would involve preventing replication between retail and ops domains directly (they are in the same site).
I’ve got a firewall between Corp AD site and Retail AD site. Firewall between retail DC’s and ops DC’s within the Retail site. Firewall between Corp and DR, Warehouse and DR, Retail and DR. And another between corp dc / retail dc / ops dc in DR site.
Everything I’ve read says – YOU ARE NOT SMARTER THAN KCC when it comes to replication and resiliency. I believe them. I’m probably not. However, KCC does not know about my firewalls and security requirements.
How would you tackle this?
You must be logged in to reply to this topic.