The old school of thought was that application and database servers should not be part of the domain. I have my network setup such that only the app servers can communicate with the db servers. The app servers are in their own workgroup and the db servers are in their own workgroup. The servers are completely isolated from the rest of the network and developers get access via vpn/rdp. Is this still a good way setting up the infrastructure?
The reason I ask is that I'm finally updating the environment with Active Directory and there is a window to redesigning the network architecture if it is appropriate.
I'm not really a sys admin, but need to fulfill the role...
EDIT
I really appreciate everyone's patience and assistance. I know very little about Active Directory. My main concern is that a user machine will be compromised (zombie) and that this compromised machine could be used to access production servers via AD. Using AD would make my life a lot easier, but a single compromise would devastate the company. Right now, there is very little possibility of an unauthorized user getting access to internal production servers.
In any event, it seems that the consensus is that AD does not add risk to production servers and it is a generally acceptible practice to do so. So, I suppose I should start ramping up in my knowledge of AD and correct setup or see if there is a local expert who can do this.
Thanks for all the info.
There is a reason why large enterprises use Active Directory. It makes more sense. Things to consider:
Look, you can still hardware firewall the key servers off, and that's a good idea, carving the appropriate holes so these server can talk to DCs and so clients can only talk to these servers on the right ports. For instance, there's no reason why an end user should have NetBIOS access to a database server. And there's no reason the file server needs to talk to the SQL Server, so don't let them. And then you restrict the overall surface area.
I'd put them on; at the very least the gains from integrated authentication far outweigh any perceived downsides. Overall management of the OS will be made a lot smoother, and if your apps and dbs have a security model that enables them to have their own dedicated admins and that doesn't grant standard domain admins full access to them, you're not really losing anything there.
I'm not sure if worries about your AD being compromised are valid here. If your AD is compromised, surely that means that you've got bigger problems anyway?
I can't think of a single good reason to segregate DB and App servers from the domain. We're running untold amounts of SQL and Oracle servers, and application servers (in excess of 100), in our forest.
I dread to think what a logistical pain in the neck it would be for us to operate if they were segregated into workgroups.
Complexity is the enemy of security. Put your servers inside Active Directory.
AD & the domain allows central management of the server restricting things like user accounts, GPO, internet browsing, installing software, the list is endless. Not to mention password resets if an account that is used on 10 machines is compromised, since in a work group its 10 machines to login to and reset, now if that was 100 machines thats crazy, not to mention if you miss one machine you have a hole. Unless you start scripting all that out.
If seperating the production machines from the workstation network is really what you want to do then you can firewall between the two networks and still have the on the same AD.
Or have 2 completely independant domains with trusts (or not) between them as needed.
or have a domain with 2 forests
or well the list is endless its really what your needs are.
One of your concerns is a user's machine being infected with a virus and then infecting the production server if it's they are both on AD. AD does not work like that. AD is in itself a database of your domain.
If machine A has a virus and has network access to machine B, then machine A can attack machine B. There is no AD involved. Machine A is just doing what a virus does to attack another machine. It can try and brute for machine B, it can try an RPC attack and so on. AD has nothing to do with enabling that attach. What is needed in this case is a firewall between the 2 networks. So you would have Network A for workstions and Network B for production. That is a common setup in companies is how you prevent what you are worried about.
Check out Evan's answer about what AD is.
I'd put the servers inside AD, as everyone else is suggesting. If you're really concerned about security, put those specific servers on a seperate VLAN and only allow them to communicate to specific hosts on specific ports. This will prevent RDP, UNC access, etc etc and only allow what's necessary.
I agree with Izzy. Domains make managing those servers MUCH easier which in turn can make them more secure.
It seems you know a bit of AD, but not a whole lot, so I'm going to suggest that you go and take either a introductory course on AD, or a more in-depth course on AD and Windows Server Management as a whole. It will answer tons of your questions, and the people administering the course should be able to answer some of your questions with hypothetical scenarios. You should be able to pitch your current network layout to them, and they should give you suggestions on where to improve, why integrating the servers into AD is a good idea, how to secure people out of them, etc.
Chances are, if your company values you as a sysadmin, they might pay for your courses as well, which is a bonus.
But I'm going to go with everyone on this: Definitely add your servers to AD, but do it right. I'm not at liberty to say exactly what is right for your organization, because I don't know anything about it, but lock it down as much as you can without making it unusable to the people that need to use it.
And here's a hypothetical situation that might make you think again about adding your servers to AD: You have a developer or fellow system admin, who is terminated. Your boss calls you up and says "This person MUST be locked out of the system IMMEDIATELY. We suspect they may be attempting to steal HIPAA protected information from us, and he no longer works here. Lock him out now." (I'm assuming you guys have data that is covered under HIPAA, as you mentioned healthcare)
With your current setup, not only do you have to lock out his AD account, but you also have to go to each server, and disable his account there as well. If the servers were in AD, you could instantly disable his access to those servers in less than 30 seconds. It's a simple matter of: RDP to DC, Open Active Directory Users and Computers, Right click on his name, Click Disable. Bam, done. He's locked out.
But definitely, get those into AD as soon as you understand the best way to keep them secure.
Servers in workgroups are a management nightmare for most networks. The security gained is more imaginary than real. If a compromised machine has permissions to access the server it matters not one iota whether it's a workgroup or domain server. As permissions are very much easier to manage at the domain level I believe having servers in the domain actually enhances security, provided of course it's all done properly.