So over the years I've isolated my vSphere environment from the production network, with the exception of Active Directory. I have placed an RODC in the management network of my vSphere 5.5 deployment. Now that I'm starting to dig into vSphere 6 more, it looks like Active Directory is taking a more "active" role in the vSphere environment.
So I'm creating a test environment and setting up a test AD, vCenter, PSC, etc., and so I started wondering if I should simply create a separate AD domain for my production vSphere environment.
Has anyone else created a separate domain just for vSphere, or is this too much complexity? It could potentially bring a higher level of security because it would also separate DNS, which would effectively hide information about my vSphere environment, and it would be one less hole or route between management and production networks.