Posted on 2009-04-21
Last Modified: 2013-12-23
I am setting up a new TS in a DMZ. This server will run all required TS services.
I am also considering using a web-based password reset utility, so the DC will need to be writable. The DC will only be used for authenticating the TS machine; in fact, the TS and DC will be the only machines on the domain. The secure network will contain other servers and sensitive data. Placing the DC into this DMZ makes the most sense to me, but using RADIUS / LDAP to traverse the firewall might also be an option.

Should I place the DC into the DMZ, or place it in the secure zone? Is there a MS best practice document describing this setup? I haven't found one.
Question by:timbrigham
    LVL 12

    Expert Comment

    Generally, for security reasons, you do not want a DC in a DMZ. I would recommend against it. If I find a good article I will post it.
    LVL 14

    Assisted Solution

    With 2008 Terminal Server you can utilize the Terminal Server Gateway role. The Gateway is placed in the DMZ and is used to facilitate authentication to AD located in a secure network. I've not used it myself (we utilize Citrix), though the article below seems to give a pretty good overview.

    If you aren't using 2008 then I'd recommend looking at another product to handle this, such as Citrix using Access Gateways or Secure Gateway.
    LVL 1

    Author Comment

    Thanks for your input.

    The second article appears to be the closest to my situation. It reaffirms what I've already seen: "If you do need a domain controller inside the DMZ to facilitate specific services, I'd recommend creating a separate Active Directory forest within the DMZ." This is exactly what I am suggesting. In our case, we do not have a preexisting AD environment in the secure network.

    My concern is that the TS machine is low priority, used only for data entry to a local application. The secure network contains very sensitive information. If the DC is compromised while residing in the DMZ, the worst thing that will happen is disruption to the data entry procedure or gaining access to other people's data entry screens. If the DC is compromised on the secure network, sensitive data could be stolen. I would prefer a slightly higher risk of compromise if it guarantees the security of my high priority data.

    Ideally I would like to have three zones for the hardware firewall - one for TS, one for the secure network and one for the DC. Hardware constraints make this an impossibility. I think the next best thing is to place the DC into this DMZ.

    This document is one that I started with, which has been of much help.
    LVL 37

    Assisted Solution

    by:Bing CISM / CISSP
    Have you ever considered using ADAM (AD Application Mode) with your TS in the DMZ? In this approach, only the ADAM server needs to sit in the DMZ, and it syncs only the specific directory objects required for TS from the internal AD.


    Windows Server 2003 Active Directory Application Mode

    Introduction to Active Directory® to ADAM Synchronizer

    Hope it helps,
