Tom's right, that's a real hard question to even answer without understanding what the end game is.
What end game does this work (better) in? A flat network with 10 users and a printer? I guess.
Sticking a RODC in every segmented network sounds like a ton of work. And not great for security, or at least a lot more work to match the routing approach.
Educate me if I’m missing something obvious.
RODC use case is primarily for remote offices on slow links…
Typical best practice for VLANs/Subnets MS Domains is based on the assumption that you have or will have multiple sets of clients across multiple buildings, floors etc.
When you shrink it down to a small office/home lab, most of the security/management gains of the subnets disappear. Plus the Windows firewalls pretty much police all the client → server traffic.
Only plus I can see for DCs and/or servers being separate is to allow for different subnet → WAN firewall policies - similar to what you need for DMZs.
My personal recommendation having used many of them is Palo Alto and Fortinet.
I think it is important to have something that can block/filter traffic that is out of band from the OS. It is common that the AV/EDR is disabled if a system is compromised. If you have a firewall between systems this will be able to catch a compromised system otherwise you may never know until it is too late.
Good security is about layers, not just one tool.
Agreed with @pjdouillard
Why am I placing a DC in the same subnet as my staff network? I'm not following the logic of segmentation here. Also, how does this work in an inter-VLAN environment?
OP was just asking simply what ports should be opened up. We are overly complicating this by talking about Azure, etc.
Please segment your DC and do not put this on the same network as your users. That's nonsensical.
Define the parameters of NGFW. It's a buzzword.
It boils down to SSL inspection. If your firewall does it, then generally it's considered NGFW. But perhaps there are more criteria we should be looking for?
This is not best practice anywhere.