I was at a customer recently and they had implemented a network zone model that contained an internal zone, a replication zone and a secure zone. On top of this an Active Directory domain had been placed, meaning there were DCs in all zones. All the zones were also sites in AD. The replication zone acted as a bridgehead site between the secure AD site and the internal AD site.
All clients and servers are placed in the internal zone. All FSMO roles are placed on the DCs in the rep-zone. Clients and servers have no access to DCs in the rep-zone and secure zone, meaning there are several DCs that are unavailable to them. Replication is done with IPsec between domain controllers. The secure zone contains clients and servers for applications containing person-sensitive data.
In my book this is not a possible scenario. All clients need access to all DCs inside a domain. When a client asks for the domain in DNS, a list of domain controllers is presented. This list is completely random (round robin) and the client can pick any one of these to speak with. Since the majority of DCs are unavailable there will be delays, slow logons, etc., and this is exactly what users are complaining about.
Of course, cross-site communication can be optimized if you manage your sites and subnets well. Site link cost will limit access to DCs in a site far away, BUT in the end there will always be some clients that from time to time will try to access that unavailable DC, meaning strange error situations like the ones mentioned before.
Is this really a way to do it? Have I missed something essential here? Can one really design a network zone model, secure communications between the zones, and then place an AD on top of it?
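A check for the situation described above, added here as an example and not part of the original post: it walks the SRV answer for _ldap._tcp.dc._msdcs.<domain> in RFC 2782 order and probes the ports a member machine needs on each DC, so any DC that DNS advertises but a zone firewall blocks is listed. The domain name, hostnames and the firewall stand-in are constructed; the real DNS lookup (for example with dnspython or nslookup -type=SRV) is left to the caller.

```python
import socket
from typing import Callable, Iterable, List, Tuple

# Ports a member machine must reach on a DC to log on: LDAP, Kerberos, SMB.
DC_PORTS = (389, 88, 445)

# (priority, weight, port, target) as returned for _ldap._tcp.dc._msdcs.<domain>
SrvRecord = Tuple[int, int, int, str]


def parse_srv(line: str) -> SrvRecord:
    """Parse one SRV answer in '<priority> <weight> <port> <target>' form."""
    prio, weight, port, target = line.split()
    return int(prio), int(weight), int(port), target.rstrip(".")


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Real reachability probe: a plain TCP connect with a short timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_unreachable_dcs(records: Iterable[SrvRecord],
                         probe: Callable[[str, int], bool] = tcp_probe) -> List[str]:
    """Return DC hostnames failing on any required port, in RFC 2782 try order."""
    unreachable = []
    # Lowest priority first, then highest weight: the DCs a client tries first.
    for _, _, _, target in sorted(records, key=lambda r: (r[0], -r[1])):
        if any(not probe(target, p) for p in DC_PORTS):
            unreachable.append(target)
    return unreachable


# Constructed sample answer (not real DNS data): one DC per zone of the design.
SAMPLE_SRV = [parse_srv("0 100 389 dc-internal.corp.example."),
              parse_srv("0 100 389 dc-rep.corp.example."),
              parse_srv("0 100 389 dc-secure.corp.example.")]


def sample_probe(host: str, port: int) -> bool:
    """Constructed stand-in for the zone firewalls: only the internal DC answers."""
    return host == "dc-internal.corp.example"


if __name__ == "__main__":
    # Offline demo; for a real check resolve the SRV records and pass tcp_probe.
    print(find_unreachable_dcs(SAMPLE_SRV, sample_probe))
```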