Active Directory in a DMZ

The Active Directory team at Microsoft has released a guide with best practices for running AD in a DMZ.

Active Directory Domain Services in the Perimeter Network (Windows Server 2008)

The guide covers the following AD models for the perimeter network:

  • No Active Directory (local accounts)
  • Isolated forest model
  • Extended corporate forest model
  • Forest trust model

This guide contains direction for determining whether Active Directory Domain Services (AD DS) is appropriate for your perimeter network (also known as a DMZ or extranet), the various models for deploying AD DS in perimeter networks, and planning and deployment information for read-only domain controllers (RODCs) in the perimeter network. Because RODCs provide new capabilities for perimeter networks, most of the content in this guide describes how to plan for and deploy this new Windows Server 2008 feature. However, the other Active Directory models introduced in this guide are also viable solutions for your perimeter network.


You can create a separate AD forest for the DMZ and lock down its domain controllers much harder than the corporate ones. The cost is that you now maintain accounts in two places. You can take it a step further by establishing a one-way forest trust in which the DMZ forest trusts the internal forest, so that you can log on to DMZ resources with your internal AD accounts. Keep in mind what that trust buys the attacker as well: the DMZ DCs must be able to reach internal DCs through the firewall (Kerberos, LDAP, RPC, SMB and DNS), and any internal account used to log on to a DMZ host hands its credentials to whatever is running on that host. If you do it, keep the trust one-way, turn on selective authentication so only explicitly authorized DMZ computers accept internal accounts, leave SID filtering on, and never use privileged internal accounts in the DMZ.
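The one-way, selectively authenticated trust described above, as an added PowerShell example rather than anything from the Microsoft guide or this post. It assumes two forests named dmz.example.com (perimeter) and corp.example.com (internal), that it is run on the DMZ forest root domain controller as a DMZ Enterprise Admin, and that the corporate admins create their matching Inbound half with the same one-time trust password out of band; all of those names are assumptions.

```powershell
# Added example (not from the guide): build the DMZ side of a one-way forest
# trust so that corp.example.com accounts can log on to DMZ resources, then
# restrict it with selective authentication and verify the result.
# Assumed names: dmz.example.com = perimeter forest, corp.example.com = internal forest.

Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$corpForestName = 'corp.example.com'   # assumption: the internal forest root

# One-time trust password, shared with the corp admins out of band; the corp
# side uses the same password when it creates its Inbound half of the trust.
$secure = Read-Host -Prompt 'One-time trust password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try   { $trustPassword = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

$dmzForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Outbound from the DMZ's point of view: the DMZ forest trusts corp, not the
# reverse. Corp accounts can be granted access in the DMZ; DMZ accounts get
# nothing in corp. Only the local side is created here, so no corp credentials
# are ever typed on a DMZ host.
$dmzForest.CreateLocalSideOfTrustRelationship(
    $corpForestName,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Outbound,
    $trustPassword)

# Weak setting: forest-wide authentication (the default) lets every corp user
# authenticate to every DMZ computer. Corrected setting: selective
# authentication, where corp users can only use DMZ computers whose ACL grants
# them "Allowed to Authenticate".
$dmzForest.SetSelectiveAuthenticationStatus($corpForestName, $true)

# Verify the trust object. Direction should be Outbound, ForestTransitive
# True and SelectiveAuthentication True. Inspect the SID filtering properties
# and leave them at their defaults; never disable SID filtering on this trust.
Get-ADTrust -Filter "Name -eq '$corpForestName'" |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication,
                  SIDFilteringForestAware, SIDFilteringQuarantined
```

After the corp side is created, grant "Allowed to Authenticate" on the specific DMZ computer objects (for example a management jump host) to the corp groups that need it; with selective authentication on, a corp account that has not been granted that right on a given DMZ computer is refused even though the trust exists.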