Does anyone have any objection to placing a Domain in the DMZ network?
I was asked today to set up a Domain Controller in the DMZ for a cloud-based initiative that a company is trying to put together. SharePoint is being used for this and needed a domain to use for auth, etc.
When they asked me how they could send auth requests back to the prod. domain and asked me if I could build a DC in the DMZ, my jaw hit the floor. At first, I suggested that they just open the ports for the server to communicate from the DMZ to the private network and target only the servers it needed access to, while restricting everything else. At first I thought that was a bad idea...
Going back and forth with the resident security guy, who doesn't know a thing about AD design and securing AD, I resigned myself to building a new forest in the DMZ and then creating a one-way trust with the private forest on the private network (the DMZ domain trusts the private domain), so that we can leverage private-domain security principals on the DMZ domain resources (SharePoint) without compromising the integrity of the private domain.
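As an added illustration of the one-way trust design described in the post (not code from the original poster), the following PowerShell audit, run on a DC in the DMZ forest with the ActiveDirectory module, checks that the trust toward the private forest is outbound only (the DMZ forest trusts the private forest, never the reverse) and that the hardening switches a defender would expect on such a trust are set. The forest names are placeholders.

```powershell
# Added example, not part of the original post.
# Run on a domain controller in the DMZ forest. Verifies that the trust
# to the private (production) forest is one-way in the safe direction and
# that SID filtering and selective authentication are enabled.
Import-Module ActiveDirectory

$PrivateForest = 'corp.example.internal'   # placeholder: the private forest's DNS name

function Test-DmzTrust {
    param([Parameter(Mandatory)][string]$TargetForest)

    $trust = Get-ADTrust -Filter "Target -eq '$TargetForest'" -ErrorAction Stop
    if (-not $trust) {
        return [pscustomobject]@{ Target = $TargetForest; Exists = $false }
    }

    [pscustomobject]@{
        Target               = $trust.Target
        Exists               = $true
        # 'Outbound' from the DMZ side means the DMZ domain trusts the private domain.
        # 'Inbound' or 'BiDirectional' would let DMZ principals into the private forest.
        OutboundOnly         = ($trust.Direction -eq 'Outbound')
        ForestTrust          = [bool]$trust.ForestTransitive
        # SID filtering (quarantine) blocks SID-history injection across the trust.
        SidFiltering         = [bool]$trust.SIDFilteringQuarantined
        # Selective authentication limits which DMZ resources private users may hit.
        SelectiveAuth        = [bool]$trust.SelectiveAuthentication
    }
}

$result = Test-DmzTrust -TargetForest $PrivateForest
$result | Format-List

if (-not $result.Exists) {
    Write-Warning "No trust to $PrivateForest found."
} elseif (-not $result.OutboundOnly) {
    Write-Warning "Trust to $PrivateForest is not outbound-only; the private forest may trust the DMZ."
} elseif (-not ($result.SidFiltering -and $result.SelectiveAuth)) {
    Write-Warning "Trust is one-way but SID filtering or selective authentication is off."
} else {
    Write-Output "Trust to $PrivateForest matches the intended one-way, hardened design."
}
```

The direction check is the one that matters most for the design in the post: if `Direction` ever reads `BiDirectional` or `Inbound` on the DMZ side, the private forest has started trusting the DMZ forest, which is exactly the exposure the separate forest was built to avoid.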