I'm designing a new Active Directory network for my company. Do you recommend placing a domain controller within...
Generally speaking, it's not a great idea to place domain controllers within the DMZ.
As you're probably aware, the primary advantage of a DMZ is that it provides a neutral ground, typically for services that must be accessed by both internal and external users. The compromise of a system within the DMZ will not jeopardize the security of systems located within the secure internal network.
Domain controllers, by their nature, are some of the most highly valued assets within the organization. These are the servers that control access to the resources on a Windows network, including the Active Directory database. If an attacker is able to compromise a domain controller, he or she essentially owns the entire Windows infrastructure. Therefore, given the immense importance of keeping it protected, I don't recommend placing a domain controller within a DMZ.
The most common solution that I've seen out there is to build the DMZ servers as standalone servers. If Active Directory authentication is required to allow internal users privileged access to those servers, use LDAP authentication back to the domain controller on the internal network. If you do need a domain controller inside the DMZ to facilitate specific services, I'd recommend creating a separate Active Directory forest within the DMZ and then using a one-way trust mechanism that permits systems in the DMZ to trust user accounts within the internal forest.
Dig Deeper on DMZ Setup and Configuration
Related Q&A from Mike Chapple
Are nonprofit organizations, like higher education institutions, subject to FTC cybersecurity regulations and oversight? Expert Mike Chapple explains.continue reading
It's important for healthcare organizations to have a clear social media policy. Expert Mike Chapple explains what needs to be in the policy to stay ...continue reading
SOC 2 evaluations can be helpful tools for organizations assessing their HIPAA compliance, but companies should not solely rely on them. Compliance ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.