(Originally posted in Windows Server Security, but wasn't sure if I would get a spcific Active Directory crowd there, so I am posting here as well... hope that is ok!)
I have a question; I am looking to take a relatively flat network and carve it up a bit - creating some new VLANS and separating server and client endpoints, etc. (with NG firewalls, and so on...)
Anyway... I am curious how folks are dealing with things like AD in this regard. Are you keeping full blown AD DS servers on the same VLAN as your client computers? Are you using RODC's instead? If you do have AD DS servers in a protected VLAN, how are dealing with the traffic that passses through firewalls? IPSec tunneling? Forcing AD communication to use specific ports?