For a better understanding of this technology I advise consulting the following references:
I want to add a little to this information.
Beyond isolating domains, servers, and computers that are not domain members, it is also possible to isolate computers that are members of an existing MS Windows domain. What might that be needed for? For example, to isolate a computer in the MS Windows domain that has turned out to be infected with a network virus (worm) but that still needs access to some domain resources. Not entirely safe, is it? But we do protect the other computers on the network from direct interaction with the infected workstation. Besides, it is always possible to protect such a computer physically as well, by forcing it to work through a dedicated security station, for example through a gateway which in turn blocks the unwanted traffic. All of this can be configured quite flexibly in advance, for a rainy day, using AD security policies (GPO), and then, as needed, the hosts requiring isolation are added to that policy. It is also worth remembering the possibility of filtering traffic by port with IPsec, since this can protect against some kinds of network viruses that use non-system ports for their work. Unfortunately, modern viruses leave ever fewer such opportunities. And IT departments everywhere still use the NetBIOS protocol to publish shared resources on the network, which harms the security of hosts on the local network. If AD's own capabilities were used to publish resources in the AD catalog, the number of system ports in use on network hosts would be somewhat reduced, system resources would be freed by dropping superfluous services, infection by some network viruses would become impossible, and attacks on the NetBIOS protocol would become impossible. Yes, for the critics: exceptions to the rules can be added to such a domain policy, for print servers, for example.
I will add on my own behalf that these capabilities have been present since the MS Windows 2000 platform, but nobody paid attention to them, or did not want to study new ways of improving the level of security in an MS Windows network, or for some other reason. Even now very few people use these capabilities.
The author of these lines already used domain isolation in his work in 2004, but at that time I did not encounter organizations that wanted to improve their information security and simplify the response to various information security incidents, although I made proposals and acquainted management with this technology. And that is a pity! One should not mark time; one should develop the infrastructure and make full use of the capabilities offered by the producer of these platforms, Microsoft, instead of looking for uncertified and dubious solutions from foreign vendors which, as a rule, are not free and require additional financial outlay.
A small addition to this article. Domain isolation can be implemented with IPsec without installing the additional components that Microsoft recommends; it works without problems. It is a pity that there is no mention of this on the Microsoft technical support site; probably they did not even think of such a possibility? 😉 Good luck!
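One way to express the GPO-based policy described above (domain isolation over IPsec, an exception for the print server, NetBIOS port filtering, and quarantine of an infected member), as an added example that is not part of the original post: it uses the Windows NetSecurity PowerShell cmdlets (Windows Server 2012 / Windows 8 and later) rather than the Windows 2000-era tooling, and the domain name, GPO name and all addresses are constructed placeholders.

```powershell
# Added example (not from the original post). Assumptions: domain 'corp.example',
# a GPO named 'Domain Isolation', print server 10.0.0.20, infected host 10.0.0.55.
# All of these are placeholders; run from a domain-joined admin session.
$Store = 'corp.example\Domain Isolation'

# 1. Phase 1 authentication: computer Kerberos, so only domain members can
#    complete the IPsec handshake; non-members never get a session.
$Auth = New-NetIPsecPhase1AuthSet -DisplayName 'Computer Kerberos' `
    -Proposal (New-NetIPsecAuthProposal -Machine -Kerberos) -PolicyStore $Store

# 2. Domain isolation: require authentication for inbound connections, only
#    request it outbound, so members still reach unmanaged hosts (DNS, Internet)
#    while refusing unauthenticated inbound traffic from anything else.
New-NetIPsecRule -DisplayName 'Domain isolation' -Mode Transport `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $Auth.Name -Profile Domain -PolicyStore $Store

# 3. The exception the post mentions: the print server is exempt from
#    authentication so legacy printing keeps working.
New-NetIPsecRule -DisplayName 'Exempt print server' -RemoteAddress 10.0.0.20 `
    -InboundSecurity None -OutboundSecurity None -PolicyStore $Store

# 4. Port filtering: drop NetBIOS name/datagram/session traffic on members.
#    Shares stay reachable over direct-hosted SMB on TCP 445.
New-NetFirewallRule -DisplayName 'Block NetBIOS UDP' -Direction Inbound `
    -Protocol UDP -LocalPort 137,138 -Action Block -Profile Domain -PolicyStore $Store
New-NetFirewallRule -DisplayName 'Block NetBIOS TCP' -Direction Inbound `
    -Protocol TCP -LocalPort 139 -Action Block -Profile Domain -PolicyStore $Store

# 5. Quarantine: every member linked to this GPO drops inbound traffic from the
#    infected host. The dedicated security station that still must talk to it
#    is left out of the GPO's security filtering, so it alone keeps accepting.
New-NetFirewallRule -DisplayName 'Quarantine 10.0.0.55' -Direction Inbound `
    -RemoteAddress 10.0.0.55 -Action Block -Profile Domain -PolicyStore $Store

# Review what was written to the GPO before gpupdate /force on the members.
Get-NetIPsecRule -PolicyStore $Store | Format-Table DisplayName, InboundSecurity, OutboundSecurity
Get-NetFirewallRule -PolicyStore $Store | Format-Table DisplayName, Direction, Action
```

Because block rules take precedence over allow rules in Windows Firewall, adding a host to quarantine later is a single extra block rule in the same GPO, which matches the "add hosts to the policy as needed" workflow described above.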