The world's most trusted forum on Active Directory Security



Posts: 1
Date: Jan 21, 2011
Cloud AD forest in the DMZ

Does anyone have any objection to placing a Domain in the DMZ network?

I was asked today to set up a Domain Controller in the DMZ for a cloud-based initiative that a company is trying to put together. SharePoint is being used for this and needed a domain to use for auth, etc.

When they asked me about how they can send auth requests back to the prod. domain and asked me if I can build a DC in the DMZ, my jaw hit the floor. At first, I suggested that they just open the ports for the server to communicate from the DMZ to the private network and target just the servers that it needed access to, while restricting everything else. At first I thought that was a bad idea....

Going back and forth with the resident security guy that doesn't know a thing about AD design and securing AD, I resigned myself to building a new forest in the DMZ and then creating a one-way trust with the private forest on the private network (DMZ domain trusts the private domain), so that we can leverage private domain security principals on the DMZ domain resources (SharePoint) without compromising the integrity of the private domain.
Any thoughts on this?
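One way to verify that the trust ends up the way the post describes, as an added example that is not part of the thread: a PowerShell check run from a DC in the DMZ forest, using dmz.example and corp.example as placeholder forest names. The selective-authentication and SID-filtering checks go beyond what the post asks for; they are the settings a reviewer would want confirmed on a trust that crosses the DMZ boundary.

```powershell
# Added example, not from the original thread. Placeholder forest names;
# run from a DMZ-forest DC with the RSAT ActiveDirectory module.
# Verifies: DMZ forest trusts corp (Outbound from the DMZ side), corp does
# not trust the DMZ (Inbound only from the corp side), and selective
# authentication is on so corp principals reach only DMZ resources that
# were explicitly granted "Allowed to Authenticate".
Import-Module ActiveDirectory

$DmzForest  = 'dmz.example'    # placeholder
$CorpForest = 'corp.example'   # placeholder
$failures   = @()

# Trust object as stored in the DMZ forest.
$dmzSide = Get-ADTrust -Filter "Name -eq '$CorpForest'" -Server $DmzForest
if (-not $dmzSide) {
    $failures += "No trust to $CorpForest found in $DmzForest"
} else {
    if ($dmzSide.Direction -ne 'Outbound') {
        $failures += "DMZ-side direction is $($dmzSide.Direction); expected Outbound"
    }
    if (-not $dmzSide.ForestTransitive) {
        $failures += "Not a forest trust (ForestTransitive is false)"
    }
    if (-not $dmzSide.SelectiveAuthentication) {
        $failures += "Selective authentication is off: any corp user can authenticate to any DMZ host"
    }
    # SID-filtering flags are reported, not judged: compare them with the
    # defaults of a newly created forest trust (SID history not enabled).
    "SIDFilteringQuarantined={0} SIDFilteringForestAware={1}" -f `
        $dmzSide.SIDFilteringQuarantined, $dmzSide.SIDFilteringForestAware
}

# The same trust as stored in corp must be Inbound only. Reading it needs a
# corp account; prompt for it instead of embedding credentials in the script.
$corpCred = Get-Credential -Message "Account in $CorpForest able to read trusts"
$corpSide = Get-ADTrust -Filter "Name -eq '$DmzForest'" -Server $CorpForest -Credential $corpCred
if ($corpSide -and $corpSide.Direction -ne 'Inbound') {
    $failures += "Corp-side direction is $($corpSide.Direction); corp must not trust the DMZ"
}

if ($failures) {
    $failures | ForEach-Object { Write-Warning $_ }
} else {
    "Trust matches the one-way DMZ design."
}
```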



Posts: 16
Date: Jun 27, 2012
RE: Cloud AD forest in the DMZ


I agree with you that anyone who suggests putting a corporate forest's DC in the DMZ does not really understand the serious implications of doing so! 

I think your idea of putting a new forest in the DMZ and then establishing a one-way trust sounds like the most securable way to approach the requirement.

