Should a domain controller be placed within the DMZ?

When creating an Active Directory network, is it necessary to place domain controllers in the DMZ? Network security expert Mike Chapple explains.

I'm designing a new Active Directory network for my company. Do you recommend placing a domain controller within...

the DMZ?

Generally speaking, it's not a great idea to place domain controllers within the DMZ.

As you're probably aware, the primary advantage of a DMZ is that it provides a neutral ground, typically for services that must be accessed by both internal and external users. The compromise of a system within the DMZ will not jeopardize the security of systems located within the secure internal network.

Domain controllers, by their nature, are some of the most highly valued assets within the organization. These are the servers that control access to the resources on a Windows network, including the Active Directory database. If an attacker is able to compromise a domain controller, he or she essentially owns the entire Windows infrastructure. Therefore, given the immense importance of keeping it protected, I don't recommend placing a domain controller within a DMZ.

The most common solution that I've seen out there is to build the DMZ servers as standalone servers. If Active Directory authentication is required to allow internal users privileged access to those servers, use LDAP authentication back to the domain controller on the internal network. If you do need a domain controller inside the DMZ to facilitate specific services, I'd recommend creating a separate Active Directory forest within the DMZ and then using a one-way trust mechanism that permits systems in the DMZ to trust user accounts within the internal forest.

More on this topic

  • What are the best practices for passwords in Active Directory? Identity management pro Joel Dubin explains.
  • build a solid DMZ with advice from expert Mike Chapple.

Dig Deeper on Network security

Enterprise Desktop
Cloud Computing