I'm currently managing a network with two main VLANs: 'external', which contains publicly accessible systems secured with firewalls, and 'internal', which has the majority of endpoints behind NAT on a 10.x.x.x range. The legacy Domain Controllers (DCs) are located on the external VLAN for a few reasons, mainly because devices on the internal VLAN can communicate with some on the external VLAN through their firewalls, though not vice versa. I'm tasked with upgrading these DCs from Windows 2019 to 2022, and I'm wondering if it would be better to move them to the internal VLAN. However, I'm concerned about how this would affect their DNS registration with Active Directory, given that internal IPs might not be visible externally. Would it make sense to have some DCs in each VLAN, or perhaps utilize a MIP for the internal DCs? What challenges should I anticipate?
3 Answers
I recommend placing the Global Catalog on the internal VLAN for security, while a Read-Only DC could go in a DMZ if you need external access.
Definitely hold off on using 2025 for your DCs right now. There have been numerous reports of issues, particularly with DC functions. Stick with 2022 or wait a few months if your team is pushing for the latest version.
Many enterprises are running 2025 without issues, but they do come with new security defaults that can cause headaches if not properly configured.
You really should consider structuring your VLANs based on device types. Use a DMZ for any public-facing servers, a dedicated server VLAN for your DCs and DNS/DHCP services, an internal VLAN for managed devices, and perhaps separate VLANs for guest or IoT devices. It adds layers of security.
I get what you're saying, but unfortunately, I'm not able to create new VLANs, even though we already have some for guests. It's a bit restrictive on my end.

That's a smart move! The latest software can often bring more trouble than it's worth, especially if the existing setup is working fine.
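A way to check the question the original poster raises (which address each DC actually registers in AD DNS, and whether it is a private internal-VLAN address or an external one), added here as an example and not code from anyone in the thread; the domain name is a placeholder and the script assumes `Resolve-DnsName` (Windows 8 / Server 2012 and later) is available:

```powershell
# Added example, not from the original thread. Assumes the AD DNS domain
# is "corp.example" (placeholder) and that Resolve-DnsName is available.
param(
    [string]$Domain = 'corp.example'   # placeholder; replace with your AD DNS domain
)

# Returns $true for RFC 1918 addresses, e.g. the 10.x.x.x internal range in the question.
function Test-PrivateIPv4 {
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

# Every writable DC registers an SRV record under _ldap._tcp.dc._msdcs.<domain>;
# the DC locator depends on these, so this is the registration to verify after a move.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }   # drop additional-section A records

foreach ($rec in $srv) {
    # Each SRV target is a DC hostname; its A record(s) show which address the DC
    # has registered (private, behind NAT on the internal VLAN, or external).
    $a = Resolve-DnsName -Name $rec.NameTarget -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
    if (-not $a) {
        [pscustomobject]@{ DC = $rec.NameTarget; IP = $null; Scope = 'NO A RECORD' }
        continue
    }
    foreach ($addr in $a) {
        $scope = if (Test-PrivateIPv4 $addr.IPAddress) { 'private (internal VLAN)' } else { 'public/external' }
        [pscustomobject]@{ DC = $rec.NameTarget; IP = $addr.IPAddress; Scope = $scope }
    }
}
```

Run it from a host on each VLAN: a DC that shows up with only a private address when queried from the external side is one that external clients will not be able to reach, which is the situation the question is trying to avoid.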