
Can a read-only domain controller maximize DMZ security?

Are read-only domain controllers a more secure option for setting up domain services in a DMZ than using a separate domain? Expert Kevin Beaver explains.

Given the improvements made in read-only domain controllers (RODCs), is a separate domain in the DMZ with a one-way trust relationship still the most secure option when setting up domain services for DMZ security?

We first saw Windows read-only domain controllers in Windows Server 2008.

The premise of a read-only domain controller is to maximize security where security is often out of your control, such as physically vulnerable server rooms in branch offices, as well as DMZs or extranets where traffic is suspect at best. There are other use cases, such as commercial off-the-shelf software that requires a dedicated or otherwise nearby domain controller. An RODC holds a read-only copy of the directory: replication is inbound only, any write is referred to a writable domain controller, and by default it caches no account passwords other than those its Password Replication Policy explicitly allows, so an attacker who takes over the RODC cannot push changes into the forest and does not automatically obtain every domain credential. The ultimate goal is to prevent an attacker from corrupting Active Directory.

Setting up a read-only domain controller in your scenario can be a great solution, especially if there is a risk of someone gaining access to the DMZ and not only reading, but also writing to the Active Directory forest. Is it the most secure? While there may be cloud-based options that could also work in this scenario, a read-only domain controller complements the one-way trust you are proposing rather than replacing it: the RODC keeps the DMZ's copy of the directory read-only and limits which credentials sit on it, while the separate domain with a one-way trust keeps the DMZ's accounts and administrators out of the production forest. Two caveats apply either way. The RODC still needs firewall rules that let it reach writable domain controllers on the internal network, both for replication and for authenticating any account it does not cache, so the DMZ is not fully isolated from the internal directory. And its Password Replication Policy must deny privileged accounts, because any password the RODC is allowed to cache is exposed if the RODC is compromised. Overall, it depends on factors and information not provided, such as physical location, network architecture and the security of the application(s) being used.
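As an added example (this is not part of Kevin Beaver's column), the following PowerShell checks the two properties that make a DMZ RODC worth having: that the domain controller really is read-only, and that its Password Replication Policy does not allow privileged credentials to be cached on it. The RODC name DMZ-RODC01 and the group DMZ-App-Service-Accounts are assumptions; the ActiveDirectory module cmdlets are the real ones from RSAT.

```powershell
# Added example, not from the original column. Assumes the ActiveDirectory
# RSAT module, a hypothetical RODC named DMZ-RODC01, and rights to edit its
# Password Replication Policy (PRP). Run from a management host on the
# internal network, never from a host inside the DMZ.
Import-Module ActiveDirectory

$rodc = 'DMZ-RODC01'   # hypothetical name

# 1. Confirm the DMZ DC really is read-only. A writable DC in the DMZ
#    defeats the whole design.
$dc = Get-ADDomainController -Identity $rodc
if (-not $dc.IsReadOnly) {
    throw "$rodc is a writable domain controller; do not place it in the DMZ."
}

# 2. Deny caching of privileged credentials. Whatever is on the Allowed list
#    can have its password replicated to the RODC, so a compromised RODC
#    exposes exactly those secrets. The built-in 'Denied RODC Password
#    Replication Group' already covers the default admin groups; listing the
#    tier-0 groups explicitly makes the intent visible in the policy itself.
$deny = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList $deny

# 3. Keep the Allowed list to the DMZ application accounts only.
$allow = @('DMZ-App-Service-Accounts')   # hypothetical group
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $allow

# 4. Audit: which account secrets are actually sitting on the RODC right now,
#    and does that set contain anything privileged? The Denied list only
#    stops future replication; a password cached earlier stays valid until
#    that account's password is reset.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$privileged = foreach ($acct in $revealed) {
    $groups = Get-ADPrincipalGroupMembership -Identity $acct |
              Select-Object -ExpandProperty Name
    if ($groups | Where-Object { $deny -contains $_ }) { $acct.SamAccountName }
}

if ($privileged) {
    Write-Warning "Privileged credentials cached on ${rodc}: $($privileged -join ', ')"
    Write-Warning "Reset these passwords; the cached secrets remain usable until you do."
} else {
    Write-Output "No privileged credentials are cached on $rodc."
}
```

Step 4 is the check to repeat after any change to group membership or to the PRP: the Allowed and Denied lists describe what may replicate, while -RevealedAccounts shows what has actually been replicated, and it is the latter an attacker gets from a compromised RODC.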

In the end, you need to consider the threats, the vulnerabilities and the specific business risks. If you believe they're all manageable or if you perform a penetration test of the environment and everything checks out okay, then you're on the right track.


This was last published in August 2015
