Best Practice: AD DMZ

I am putting an AD server in our DMZ so a client can query the domain tree. They only need to be able to get user and group info. I was looking into AD LDS (used to be known as ADAM) to provide this functionality.

So my question is, would this be a best practice for remote domain queries?
If so, how do you keep an AD LDS in sync with AD all the time?
How do I set up AD LDS so it is only updated from the domain?
gs121 commented:
At my company we opened the firewall to a specific IP we trusted from the company we do business with.

But if you want to, you could install a Read Only DC in your DMZ. I would also put it in an Active Directory "site" by itself.
Set up your firewalls correctly and leave it. It will keep in sync with your other DCs, but no one would be able to make changes to the AD on it.
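The RODC-in-its-own-site setup described in the answer above, as an added example that is not part of the original thread. It is run from an internal writable DC with the ActiveDirectory and ADDSDeployment modules installed; the site name, subnet, RODC hostname, domain name and delegated-admin group are all assumptions. It pre-stages the RODC account (so the promotion in the DMZ needs no Domain Admin credentials) and then checks the two things a defender cares about: that privileged accounts are still denied password caching on the RODC, and that the DC really is read-only.

```powershell
# Added example (not from the original thread): create a dedicated AD site for the DMZ,
# pre-stage an RODC account in it, and verify the RODC's password replication policy.
# All names and addresses below are assumptions, not values from the thread.
Import-Module ActiveDirectory
Import-Module ADDSDeployment   # provides Add-ADDSReadOnlyDomainControllerAccount

$DmzSite   = 'DMZ'                        # assumed site name
$DmzSubnet = '192.0.2.0/24'               # assumed DMZ subnet (TEST-NET-1 placeholder)
$RodcName  = 'DMZ-RODC01'                 # assumed hostname of the DMZ RODC
$Domain    = 'corp.example'               # assumed domain name
$DmzAdmins = "$Domain\dmz-rodc-admins"    # assumed group that may finish the promotion

# 1. A site of its own makes the RODC's replication partner explicit, so the DMZ
#    firewall can be scoped to that site link instead of to every internal DC.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$DmzSite'")) {
    New-ADReplicationSite -Name $DmzSite
}
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$DmzSubnet'")) {
    New-ADReplicationSubnet -Name $DmzSubnet -Site $DmzSite
}

# 2. Pre-stage the RODC computer account from inside the network. Whoever later runs
#    the promotion on the DMZ host only needs membership in the delegated group.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName $RodcName `
    -DomainName $Domain `
    -SiteName $DmzSite `
    -DelegatedAdministratorAccountName $DmzAdmins

# 3. An RODC only stays "read-only" in a useful sense if it never caches privileged
#    credentials. List the principals the Password Replication Policy denies; the
#    default "Denied RODC Password Replication Group" covers Domain Admins and similar.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Denied |
    Select-Object -ExpandProperty Name

# 4. After the promotion has completed in the DMZ, confirm the DC is read-only, sits in
#    the DMZ site, and is receiving replication (RODCs only pull; they never push).
Get-ADDomainController -Identity $RodcName | Select-Object Name, IsReadOnly, Site
repadmin /showrepl $RodcName
```

Step 3 is the check worth repeating after any change to group membership: an account that lands in the Allowed RODC Password Replication Group and then logs on through the DMZ will have its secrets cached on the exposed host, which is exactly what the RODC design is meant to avoid.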