I am not sure my discussion is placed here correctly. Maybe my Google skills are just not adequate, but I would appreciate it if anyone could point me in the right direction.
The question: How do you handle network separation and accounts for Windows Servers: RODC, new AD with maybe account sync, ...?
Our situation: We have an Active Directory with a couple of DCs for our client computers and a bunch of servers, and also 2 RODCs for some servers. Furthermore, we have a separate network for the building management system (BMS), housing services ranging from air conditioning, through taking measurements, to smoke detectors. At the moment there are a couple of Windows Servers in this BMS network. They are not domain-joined and have local Admin accounts. From a security perspective this is not ideal.
The goal: We have external contractors who need to access parts of the BMS network. Firewall and VPN are in place and we use the Active Directory Accounts (via LDAP) to manage the VPN access to the BMS Network.
Since we already operate 2 RODCs, we would let the BMS servers join our domain and establish a connection via the RODC.
My problems: Our security specialist, who oversees the firewall, pointed out that the RODC has an IPsec tunnel to the DC. We can limit the connections to the RODC, but if it were compromised the consequences are hard to predict. (His expertise is not Windows, and therefore he doesn't know the best solution.) The other extreme is to set up a new Active Directory for this network, but it might be a bit overkill.
I have no idea what the officially supported Microsoft way would be. I did a Google search, but most results are more aligned with the tier model.
Does someone maybe know where I can find official documentation? Do you have a similar setup, and how did you handle the challenge?