Short version: How do you prevent an Active Directory 2012 R2 Domain Controller from advertising the domain on a specific interface? I want that network to not be flagged as a domain network, and no domain services should be available.
Environment: A self-contained AD for managing a small Hyper-V cluster and the related VMs. The DC also runs the VMM server and has access to the production network because of the need to reach the VMM console.
Long Term Goal / Potential Solution: I would like to have absolutely no non-VMM traffic reach the production network. I have considered just blocking all non-VMM outgoing connections with the Windows Firewall, but I don't know how to force a particular profile on an interface.
Thanks!
If the domain controller is not part of your production AD but instead manages its own one, it will not advertise itself as a domain controller for your production domain(s). It should of course use itself as its DNS server, thus it will not even talk to your production DNS servers.
Furthermore, you can disable all Microsoft networking protocols on the production network by unchecking "Client for Microsoft Networks" and "File and Printer Sharing for Microsoft Networks" on the network interface connected to your production network, and also by disabling NetBIOS in the TCP/IP properties of the same interface; TCP/IP will remain operational and you will thus be able to RDP into the server and even connect to the VMM console, but no Windows-style networking will take place on that interface.
You should also disable DNS registration on the production network interface, or your internal DNS will get polluted by the DC registering its production-facing IP address for internal domain services.
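The three steps in the answer above (unbind the Microsoft client and server components, disable NetBIOS over TCP/IP, stop DNS registration) can be applied and verified from PowerShell on Windows Server 2012 R2. The script below is an added example and is not code from the answerer; the interface alias `Production` is a placeholder and must be replaced with the alias that `Get-NetAdapter` shows for the production-facing NIC.

```powershell
# Added example (not part of the original answer): apply the answer's hardening
# to the DC's production-facing interface and report the resulting state.
# $ProductionAlias is an assumed name; use the alias shown by Get-NetAdapter.
param(
    [string]$ProductionAlias = 'Production'
)

$adapter = Get-NetAdapter -Name $ProductionAlias -ErrorAction Stop

# 1. Unbind "Client for Microsoft Networks" (ms_msclient) and
#    "File and Printer Sharing for Microsoft Networks" (ms_server) on this NIC only.
#    TCP/IP stays bound, so RDP and the VMM console keep working.
Disable-NetAdapterBinding -Name $ProductionAlias -ComponentID 'ms_msclient','ms_server'

# 2. Disable NetBIOS over TCP/IP for this interface only.
#    TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enable, 2 = disable.
$cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration |
       Where-Object { $_.InterfaceIndex -eq $adapter.ifIndex }
Invoke-CimMethod -InputObject $cfg -MethodName SetTcpipNetbios `
                 -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null

# 3. Keep the production-facing address out of the internal DNS zone.
Set-DnsClient -InterfaceAlias $ProductionAlias -RegisterThisConnectionsAddress $false

# Verification: read back each setting rather than trusting the calls succeeded.
$bindings = Get-NetAdapterBinding -Name $ProductionAlias -ComponentID 'ms_msclient','ms_server'
$netbtKey = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_$($adapter.InterfaceGuid)"
$netbt    = Get-ItemProperty -Path $netbtKey -Name NetbiosOptions
$dns      = Get-DnsClient -InterfaceAlias $ProductionAlias

[pscustomobject]@{
    Interface        = $ProductionAlias
    MsClientBound    = ($bindings | Where-Object ComponentID -eq 'ms_msclient').Enabled  # expect False
    FileSharingBound = ($bindings | Where-Object ComponentID -eq 'ms_server').Enabled    # expect False
    NetbiosOptions   = $netbt.NetbiosOptions                                             # expect 2
    RegistersInDns   = $dns.RegisterThisConnectionsAddress                               # expect False
}
```

Run it from an elevated PowerShell session on the DC. The final object is the check worth keeping: if `MsClientBound` or `FileSharingBound` is still `True`, or `NetbiosOptions` is not `2`, the interface will still answer Windows-style networking on the production side, and if `RegistersInDns` is `True` the DC will keep writing its production-facing address into the internal zone.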