Should I enable domain authentication in my DMZ

1) Clearly not a good idea. That would mean that if a DMZ machine that is joined to the domain is compromised, then your corporate AD would be in danger, which isn't acceptable.

The only option is to deploy a separate Active Directory forest for your DMZ, potentially with different zones; for example, the main writable domain controllers in an isolated network segment and read only domain controllers in the other segments, but in any case without a link to your corporate AD.

There's indeed a management/administrative overhead, but security wise you don't have many other options.


Use the "Selective Authentication" feature with a Master and Resource forest

The best idea, in my opinion, is to configure a separate forest in the DMZ and consider it a resource forest. That is, no user accounts in that forest (except for default users).

Then use a feature called Selective Authentication to allow only a pre-determined set of users to authenticate to that resource forest. This will limit the exposure of your internal AD forest, yet allow for centralized administration of the accounts.

Generally speaking, the financial cost of deploying a second forest (OS licenses, redundancy, backup and DR considerations, patch maintenance, etc.) would be better spent on adding multi-factor authentication to your primary account forest, or to a subset of those users.


If your internal production AD is critical and contains sensitive systems, data, etc., which would have a high business impact if compromised, then you should consider a separate forest. If a completely isolated "DMZ" forest is not practical or too costly to manage (high admin costs through account duplication and so on), you can consider a new "DMZ" forest connected with a one-way trust (the DMZ forest trusts the internal "Production" forest). The DMZ forest should be implemented on the internal network with RODCs (if available with your version). DMZ devices can then authenticate through configured ports on your firewall to access the "DMZ" forest RODCs only, allowing centralised management of DMZ devices. Production forest admins can use their Production accounts to administer DMZ devices across the trust. This is high level and may not suit all DMZ requirements, and it assumes a basic requirement to centrally manage DMZ systems.
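A PowerShell audit, added here as an example and not taken from any of the answers above, that checks a DMZ resource forest against the design the last two answers describe: a one-way trust to production with Selective Authentication enabled, and only RODCs exposed to DMZ segments. It assumes the ActiveDirectory RSAT module is installed on a host in the DMZ forest, and 'corp.example' is a placeholder for the production forest name.

```powershell
# Added example: audit a DMZ (resource) forest's trust and DC posture.
# Run from a DMZ-forest host with the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Test-DmzForestPosture {
    param([Parameter(Mandatory)][string]$ProductionForest)

    $findings = New-Object System.Collections.Generic.List[string]
    $trusts = @(Get-ADTrust -Filter *)

    if ($trusts.Count -eq 0) {
        # The first answer's model: no trust at all, accounts managed locally.
        $findings.Add('No trusts: fully isolated DMZ forest; accounts must be managed locally.')
    }

    foreach ($t in $trusts) {
        if ($t.Target -ne $ProductionForest) {
            $findings.Add("Unexpected trust to '$($t.Target)'; a DMZ forest should trust only production.")
            continue
        }
        # Seen from the DMZ side, "DMZ trusts production" is an Outbound trust.
        # BiDirectional would let DMZ accounts authenticate into production,
        # which is exactly the exposure the design is meant to avoid.
        if ($t.Direction -ne 'Outbound') {
            $findings.Add("Trust to '$($t.Target)' is $($t.Direction); expected one-way Outbound.")
        }
        # Without Selective Authentication, every production user becomes
        # 'Authenticated Users' on every DMZ machine.
        if (-not $t.SelectiveAuthentication) {
            $findings.Add("Trust to '$($t.Target)' uses forest-wide authentication. " +
                          "Fix: netdom trust <dmz-forest> /d:$ProductionForest /SelectiveAuth:Yes")
        }
    }

    # Only RODCs should be reachable from DMZ segments; list every writable DC
    # so its placement can be checked against the firewall rules.
    Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly } | ForEach-Object {
        $findings.Add("Writable DC $($_.HostName) ($($_.IPv4Address)) must not be reachable from DMZ segments.")
    }

    return $findings
}

# 'corp.example' is a placeholder for the production forest name.
Test-DmzForestPosture -ProductionForest 'corp.example' | ForEach-Object { Write-Output $_ }
```

An empty result means the trust is one-way, selective, and no writable DC was found; each line otherwise names the specific deviation to fix.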