My organization is looking to employ an outside third party in assisting with password resets for our organization after hours.
Their requirement is to have remote access over the internet to our AD to reset passwords accordingly.
We have a single forest, with 2 domains.
I am wondering, would it be best to spin up a 2012 R2 Domain Controller and also make it a global catalog, and then provide that company our Root Certificate and the self-signed certificate of the Domain Controller, so that they can remote to it with their software?
Or is it better to make a new 2012 server that runs LDAP and set up remote access with the cert?
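Whichever server the vendor connects to, the account their software binds with should carry only the rights a password reset needs on the users it is allowed to touch, not broad rights over the forest. The following PowerShell is an added example, not code from the question or from any vendor product. It assumes a hypothetical vendor group named `HelpdeskVendor-PwReset` and a placeholder OU `OU=Users,DC=corp,DC=example`; it grants that group the Reset Password extended right plus write access to `pwdLastSet` and `lockoutTime` on user objects under the OU, then reads the ACEs back so the delegation can be checked against what was intended.

```powershell
# Added example (not from the question or any vendor product).
# Assumptions: the vendor's service account is a member of the hypothetical group
# 'HelpdeskVendor-PwReset', and the users it may reset live under the placeholder
# OU 'OU=Users,DC=corp,DC=example'. Run as a user who can modify that OU's ACL.
Import-Module ActiveDirectory

$VendorGroup = 'HelpdeskVendor-PwReset'          # hypothetical group name
$TargetOU    = 'OU=Users,DC=corp,DC=example'     # placeholder OU; replace with yours

# Well-known AD schema and extended-right GUIDs used by the delegation.
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
$UserClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
$PwdLastSetAttr     = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet (force "change at next logon")
$LockoutTimeAttr    = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # lockoutTime (unlock the account)

function Grant-PasswordResetDelegation {
    param([string]$GroupName, [string]$OuDn)

    $sid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity $GroupName).SID
    $acl = Get-Acl -Path "AD:\$OuDn"

    # Rule 1: the Reset Password extended right, inherited by descendant user objects only.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'ExtendedRight', 'Allow', $ResetPasswordRight, 'Descendents', $UserClass)))

    # Rules 2-3: write access to the two attributes a helpdesk-style reset normally touches.
    foreach ($attr in @($PwdLastSetAttr, $LockoutTimeAttr)) {
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, 'WriteProperty', 'Allow', $attr, 'Descendents', $UserClass)))
    }

    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Get-PasswordResetDelegation {
    # Read back every ACE on the OU that names the vendor group, so the result can be
    # compared against the three intended rights and nothing broader.
    param([string]$GroupName, [string]$OuDn)

    $sid = (Get-ADGroup -Identity $GroupName).SID
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
}

Grant-PasswordResetDelegation -GroupName $VendorGroup -OuDn $TargetOU
Get-PasswordResetDelegation   -GroupName $VendorGroup -OuDn $TargetOU | Format-Table -AutoSize
```

The read-back step is the useful part for review: after the vendor's software is connected, the same `Get-PasswordResetDelegation` call should still list exactly three Allow entries scoped to `InheritedObjectType` of the user class, and any extra rights that appear later on that OU for the vendor group are a change worth investigating.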