I'm designing a new Active Directory network for my company. Do you recommend placing a domain controller within...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
Generally speaking, it's not a great idea to place domain controllers within the DMZ.
As you're probably aware, the primary advantage of a DMZ is that it provides a neutral ground, typically for services that must be accessed by both internal and external users. The compromise of a system within the DMZ will not jeopardize the security of systems located within the secure internal network.
Domain controllers, by their nature, are some of the most highly valued assets within the organization. These are the servers that control access to the resources on a Windows network, including the Active Directory database. If an attacker is able to compromise a domain controller, he or she essentially owns the entire Windows infrastructure. Therefore, given the immense importance of keeping it protected, I don't recommend placing a domain controller within a DMZ.
The most common solution that I've seen out there is to build the DMZ servers as standalone servers. If Active Directory authentication is required to allow internal users privileged access to those servers, use LDAP authentication back to the domain controller on the internal network. If you do need a domain controller inside the DMZ to facilitate specific services, I'd recommend creating a separate Active Directory forest within the DMZ and then using a one-way trust mechanism that permits systems in the DMZ to trust user accounts within the internal forest.
Dig Deeper on DMZ Setup and Configuration
Related Q&A from Mike Chapple
Encrypting data going to the cloud is a security best practice, but does it add extra challenges for regulators that might need to access the data? ...continue reading
Merchants that sell at off-site venues need to take extra care to follow PCI compliance standards. Expert Mike Chapple discusses how organizations ...continue reading
The FTC's order for PCI DSS compliance assessments is odd since PCI isn't a government regulation. Expert Mike Chapple explains the motivation ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.