Windows LDAP server for DMZ and external server - how to do this securely?

ftenkley asked:
We have several sites in our DMZ and an external server that I would like to authenticate to our AD. I'm considering using a read-only domain controller for this. My question is:

Would the following scenario be a safe and sound setup, or is it better to do this otherwise? By using, for example, Active Directory Federation Services?

My current idea is to publish a RO-DC, located in the LAN, to both the DMZ and the external host with TMG. Of course, encryption would be used for communication between all systems.


Thanks for the reply, araberuni. However, these articles describe how you can create and connect a DC in the DMZ itself, while my idea only lets clients connect to a DC in the LAN (thus you'll only have to open 389 TCP and UDP).

If I would place a DC in the DMZ I would need to open the following ports:

Kerberos—TCP 88, UDP 88
DNS—TCP 53, UDP 53
LDAP—TCP 389, UDP 389
LDAP over SSL—TCP 636
SMB over IP—TCP 445, UDP 445

This seems less secure to me? In this case, the DMZ almost becomes a part of the LAN (imho).

Network Engineer
What I have done is place RODCs in my DMZs, and yes, that requires a lot of ports to be open between my DMZ RODCs and my full DCs. My DMZ isn't the wild west, so anything in there is still pretty well secured against attack. I have domain member servers in my DMZ. The advantage of RODC is that someone can't use it to write to AD if it was compromised.

If you only need LDAPS (TCP 636), having a RODC for that seems like a good plan, and you could reasonably put that on the inside of your network.
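An added example, not part of the thread or of any product mentioned in it: a PowerShell check that an operator can run from a DMZ host against the published RODC name to confirm that the publishing rule exposes only LDAPS and that the listener presents a certificate chaining to a CA the DMZ host trusts. The hostname is an assumption; the "must be closed" list is taken from the DC-in-DMZ port list above, with 389 treated as closed because the reply above suggests LDAPS only, so adjust it if plain 389 is part of your design. Only TCP is probed; UDP 88/53/389 need a separate check.

```powershell
# Added example: verify a published RODC endpoint from the DMZ side.
# Hostname and port expectations are assumptions, not values from the thread.
param(
    [string]$LdapHost = 'rodc.example.internal',   # assumed published FQDN
    [int[]]$MustBeClosed = @(88, 53, 389, 445),    # TCP ports that an LDAPS-only rule should not expose
    [int]$LdapsPort = 636
)

function Test-PublishedRodc {
    param([string]$HostName, [int[]]$ClosedPorts, [int]$SecurePort)

    $result = [ordered]@{ Host = $HostName; Problems = @() }

    # 1. Nothing but LDAPS should answer from the DMZ side.
    foreach ($p in $ClosedPorts) {
        $tcp = Test-NetConnection -ComputerName $HostName -Port $p -WarningAction SilentlyContinue
        if ($tcp.TcpTestSucceeded) {
            $result.Problems += "TCP $p is reachable; expected blocked for an LDAPS-only publishing rule"
        }
    }

    # 2. LDAPS must answer and present a certificate that chains to a trusted CA
    #    and matches the name clients will use. AuthenticateAsClient throws if
    #    the chain or the name does not validate on this host.
    $client = $null
    try {
        $client = New-Object System.Net.Sockets.TcpClient($HostName, $SecurePort)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Certificate = $cert.Subject
        $result.Issuer      = $cert.Issuer
        $result.Expires     = $cert.NotAfter
        $result.Protocol    = $ssl.SslProtocol
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
            $result.Problems += "LDAPS certificate expires within 30 days ($($cert.NotAfter))"
        }
        $ssl.Dispose()
    } catch {
        $result.Problems += "LDAPS handshake to ${HostName}:$SecurePort failed: $($_.Exception.Message)"
    } finally {
        if ($client) { $client.Dispose() }
    }

    [pscustomobject]$result
}

Test-PublishedRodc -HostName $LdapHost -ClosedPorts $MustBeClosed -SecurePort $LdapsPort
```

Run it on a DMZ member host after the publishing rule is in place; an empty Problems list means the endpoint behaves as the LDAPS-only design intends. Because the DMZ host talks to the published listener rather than to the RODC directly, the certificate it sees is the one the publishing layer presents, which is exactly what the DMZ applications will validate.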

I reckon this TechNet article will provide you more information and detailed configuration of RODC in DMZ.


I'm surprised that you're actually placing RODCs in the DMZ, because a compromised computer there could use the open ports to the LAN DC, but it seems that this construction is not uncommon.

I still think that the LAN-based RO-DC is a safer alternative, but I'll do some more research. Thanks.


I'd like to have a link to a MS document about DC-RO placement considerations as well.
kevinhsieh, Network Engineer

I used this document to decide on RODC in DMZ vs a forest trust. I needed DC capability for machines in the DMZ, which isn't your need, so you have different options. I would say that a compromised RODC in a DMZ is less of an issue than a compromised RODC in your LAN. What is in your DMZ would determine whether or not a RODC in the DMZ is likely to be compromised to begin with.
