I'm designing a new Active Directory network for my company. Do you recommend placing a domain controller within...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
Generally speaking, it's not a great idea to place domain controllers within the DMZ.
As you're probably aware, the primary advantage of a DMZ is that it provides a neutral ground, typically for services that must be accessed by both internal and external users. The compromise of a system within the DMZ will not jeopardize the security of systems located within the secure internal network.
Domain controllers, by their nature, are some of the most highly valued assets within the organization. These are the servers that control access to the resources on a Windows network, including the Active Directory database. If an attacker is able to compromise a domain controller, he or she essentially owns the entire Windows infrastructure. Therefore, given the immense importance of keeping it protected, I don't recommend placing a domain controller within a DMZ.
The most common solution that I've seen out there is to build the DMZ servers as standalone servers. If Active Directory authentication is required to allow internal users privileged access to those servers, use LDAP authentication back to the domain controller on the internal network. If you do need a domain controller inside the DMZ to facilitate specific services, I'd recommend creating a separate Active Directory forest within the DMZ and then using a one-way trust mechanism that permits systems in the DMZ to trust user accounts within the internal forest.
Dig Deeper on DMZ Setup and Configuration
Related Q&A from Mike Chapple
The FTC was granted authority in enterprise cybersecurity regulations. Expert Mike Chapple explains what this means for organizations.continue reading
PCI DSS is pretty specific about security, but does it do enough for mobile payment security? Expert Mike Chapple explains why he says yes.continue reading
The U.S. government has been criticized for its lack of updated privacy regulations. Expert Mike Chapple advises enterprises that want to bolster ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.