Domain Server or Vlan or is it a combination of all and many others

All,

Could you please advise the best way tackling the issue we have best way, currently I am planning to setup a network for different application within a small user environment.

The network will consist of 6 different applications, these are

a) Normal Domain controller users with Printers and file sharing facility. (IP address range will be 10.10.x.x/16 )

b) VoIP system for the above users currently there is a PBX box which servers all Telephone routing, so the users only need an IP to be issued from the above server different to PC applications, all connection it requires will only
be outside facing Internet communication with pre-defined open ports for VoIP communications. (IP address range will be 10.20.x.x/16 )

c) Media Centre, this will have access to server dependant on the type of machine which is connected to the server, if the machine which is connected to the system is like TV then the server will only assign it with IP address, if in
other hand the machine which is connected is PC type then it will be assigned network share folder drive. (IP address range will be 10.30.x.x/16 )

d) CCTV system, this will be connected to the same system, again like the VoIP it will be assigned with different IP address to any other system, the assignment of this will only have access to the outside Internet only and will not
be allowed to see any internal network systems. (IP address range will be 10.40.x.x/16 )

e) Closed system for application and systems where internet access not provided and not required, this access will allow any machine or user connected to this will only be assigned an internal IP address where they will not be
able to see any of the outside world, at the same time they will not be assigned any shared drive also. (IP address range will be 10.50.x.x/16 )

f) Dirty system, this is as the name suggest it will used for any guest wanting access to Internet for temporary bases, they will be put outside the firewall facing the public. (IP address range will be 10.60.x.x/16 )

g) The last point in this setup will be, none of the above should be able to cross talk, e.g any equipment which is connected VoIP LAN must not see CCTV, Closed, Normal DC or Dirty IP address or PING to it.

Now there are many suggestions I was considering based on the above brief,

  1. The 1st solution I had in mind was to create every IP address with in the firewall and serve it in VLan arrangements Layer 2 switch, this will cut down the number of servers it is required to run and manage. This is similar to the old ISA and Domain server arrangement in old Windows 2008 R2, as currently Microsoft is no longer providing ISA server any longer hence the above arrangement.

  2. If the above route is considered or taken, then LDAP and other certificates will be required to manage users and machines access and egress by synchronizing it with the firewall system. Thus this will lead us to have one Domain Controller server to manage and maintain.

  3. The other option would be to have a number of servers within Primary Domain Controller (PDC) and add as many tree or child server to generate and manage all areas apart from Normal Domain as this will be server by the
    PDC, the others we mean by such as CCTV, HiFi etc… will be managed by their allocated child server.

  4. I am sure there are more than one way to skin the cat, if anyone can think even a better way than what I have listed, I am open for any suggestions.

Once again many thanks for all your comments in advance.