I'm designing a new Active Directory network for my company. Do you recommend placing a domain controller within...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
Generally speaking, it's not a great idea to place domain controllers within the DMZ.
As you're probably aware, the primary advantage of a DMZ is that it provides a neutral ground, typically for services that must be accessed by both internal and external users. The compromise of a system within the DMZ will not jeopardize the security of systems located within the secure internal network.
Domain controllers, by their nature, are some of the most highly valued assets within the organization. These are the servers that control access to the resources on a Windows network, including the Active Directory database. If an attacker is able to compromise a domain controller, he or she essentially owns the entire Windows infrastructure. Therefore, given the immense importance of keeping it protected, I don't recommend placing a domain controller within a DMZ.
The most common solution that I've seen out there is to build the DMZ servers as standalone servers. If Active Directory authentication is required to allow internal users privileged access to those servers, use LDAP authentication back to the domain controller on the internal network. If you do need a domain controller inside the DMZ to facilitate specific services, I'd recommend creating a separate Active Directory forest within the DMZ and then using a one-way trust mechanism that permits systems in the DMZ to trust user accounts within the internal forest.
Dig Deeper on DMZ Setup and Configuration
Related Q&A from Mike Chapple
The HHS OCR ruled that healthcare ransomware attacks are HIPAA violations, so these covered entities need to react according to the HHS's guidance. ...continue reading
HIPAA regulations incorporate NIST guidelines and standards, so do healthcare organizations need to be compliant with both? Expert Mike Chapple ...continue reading
Now that NIST has deprecated the use of SMS 2FA, should nongovernment organizations follow suit? Expert Mike Chapple discusses the risks of SMS-based...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.