ADDS or LDAP server, over SSL, for remote password resets?

My organization is looking to employ an outside third-party in assisting with password resets for our organization after hours.
Their requirement is to have remote access over the internet to our AD to reset passwords accordingly.
We have a single forest, with 2 domains.
I am wondering, would it be best to spin up a 2012 R2 Domain Controller and also make it a global catalog, and then provide that company our Root Certificate and the self-signed certificate of the Domain Controller, so that they can remote to it with their software?

Or is it better to make a new 2012 server that runs LDAP and set up remote access with the cert?

Allow the question: Hire others just for doing password resets? Wouldn't it be cheaper to deploy a self service software that does that?

garryshape (Author) commented:
I don't know, I'm not director of IT
Will Szymkowski (Senior Solution Architect) commented:
I would also agree with McKnife in it would be much easier to set up a self service password reset for your users. This would be cost savings and also no additional configuration. You would just need to do End User Training.

Some SelfService Password Reset Programs below...

NervePoint (free)
ManageEngine Password Reset

However, if you need to set up these external users then the best approach would be to set them up with a VPN connection where they would have access to a workstation or member server that has RSAT installed, providing them only with Reset Permissions on the specific OUs where users reside.
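The "reset permissions on specific OUs only" part of the answer above, as an added example that is not from this thread or from any of the products named in it; it assumes the ActiveDirectory PowerShell module on a domain-joined admin host, an OU called Students and a group called HelpdeskResetters (both made-up names), and grants that group nothing beyond password reset on user objects under that OU:

```powershell
# Added example (not from the thread): delegate only "Reset Password" on one OU
# to a group, using the ActiveDirectory module's AD: drive.
Import-Module ActiveDirectory

$ou    = "OU=Students,DC=example,DC=com"   # assumption: OU holding the accounts the vendor may reset
$group = Get-ADGroup "HelpdeskResetters"   # assumption: group the vendor's staff are members of
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Well-known AD schema GUIDs (these are the real schema values, not placeholders)
$resetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # control access right: Reset Password
$userClass          = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of the user class
$pwdLastSetAttr     = [Guid]"bf967a0a-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of pwdLastSet

$acl = Get-Acl -Path "AD:\$ou"

# ACE 1: the Reset Password extended right, inherited only by user objects under the OU.
# Note this is NOT "Change Password" and NOT GenericAll; the group cannot edit group
# membership, create objects or touch anything outside this OU.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)))

# ACE 2: write pwdLastSet, so the helpdesk can tick "user must change password at next logon"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $pwdLastSetAttr,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)))

Set-Acl -Path "AD:\$ou" -AclObject $acl

# Verify: show only what this group was granted on the OU (expect exactly the two ACEs above)
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -like "*\HelpdeskResetters" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Keep privileged accounts (Domain Admins, service accounts) out of the delegated OU, since whoever holds Reset Password on an object can take it over.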


garryshape (Author) commented:
Yeah for some reason a VPN connection is not being provided with that kind of an access to accommodate them per the request of directors on both sides, I'm not sure why.
The premise for this over a self-service is that people may or may not always have access to the self-service and they want a person they can speak to over the phone.
While I myself cannot think of a common scenario to justify that, it is what it is sometimes.

It's some BlackBoard student services they use something called ServiceDesk or Service Desk...
Will Szymkowski (Senior Solution Architect) commented:
I dunno, personally this seems like a make work project. You have a couple of simple solutions for this. There is no need to setup another DC with cert etc etc..

garryshape (Author) commented:
Accepting solutions as viable barring any organizational approval issues.