We have several sites in our DMZ and an external host that I would like to authenticate against our AD. I'm considering using a read-only domain controller (RODC) for this. My question is:
Would the following scenario be a safe and sound setup, or would it be better to do this differently, for example by using Active Directory Federation Services?
My current idea is to publish an RODC, located in the LAN, to both the DMZ and the external host through TMG. Of course, encryption would be used for communication between all systems.
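A check worth running before (and after) exposing an RODC this way is what the RODC's Password Replication Policy lets it cache, since that bounds what an attacker gains by compromising the RODC or the publishing path. The following is an added example and not part of the original question; it uses the ActiveDirectory PowerShell module, and the RODC name `RODC01` and the group `DMZ-Auth-Users` are assumed placeholders.

```powershell
# Added example: audit the Password Replication Policy (PRP) of an RODC that
# is about to be published to a DMZ / external host. Assumes the
# ActiveDirectory module (RSAT) and rights to read and, optionally, edit the PRP.
# "RODC01" and "DMZ-Auth-Users" are hypothetical names.
Import-Module ActiveDirectory

$Rodc = 'RODC01'

# 1. List every RODC in the domain, to confirm the target really is read-only.
Get-ADDomainController -Filter { IsReadOnly -eq $true } |
    Select-Object Name, Site, IPv4Address

# 2. Who is allowed / denied to have secrets cached on this RODC?
#    Only accounts in the Allowed list (and not in Denied) can be cached.
Write-Host "=== Allowed PRP ==="
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object Name, ObjectClass

Write-Host "=== Denied PRP ==="
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
    Select-Object Name, ObjectClass

# 3. Which accounts have actually been revealed (cached) on the RODC so far?
#    Anything privileged showing up here is a red flag for a DMZ-facing RODC.
Write-Host "=== Accounts currently cached on $Rodc ==="
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object Name, ObjectClass, DistinguishedName

# 4. Optional: restrict caching to a dedicated group for the DMZ/external sites
#    instead of the broad default "Allowed RODC Password Replication Group".
# Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList 'DMZ-Auth-Users'
# Remove-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList 'Allowed RODC Password Replication Group'
```

Run the first three steps read-only from a management host; step 4 is commented out because changing the PRP should be a deliberate decision, and the Denied list should keep Domain Admins and other privileged groups so their secrets never land on the exposed RODC.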