I need to set up a member server in the DMZ that will be running a SQL Server instance and an SFTP server.
There will be local accounts on the member server for the customers that are dropping off / picking up files on the SFTP server, but the customer wants the employee accounts on the server to be authenticated back to the Windows domain they are running, because the (l)users are too dumb to remember two different accounts and/or passwords.
I know a DC in a DMZ is not smart, so I started looking at a RODC, but you have to turn the NAT'ed connection between the office network that has the DC and the DMZ into Swiss cheese to get it to work. Will AD LDS work so that I can put the member server into the domain, accomplish my goals, and maintain security? The server is already a member of the domain, and they already have SQL Server running using domain accounts.