I was wondering if anyone can shed a little light on an issue (not even sure if I could call it an issue) that I am having understanding AD LDS / AD DS / Authentication. I think it might be easier to say what I want to accomplish and then leave it open for comments.
I have an Active Directory for my internal network. I have been asked by our web development group if they could have their web servers in the DMZ be 'protected' by our internal Active Directory Domain Services. They want to be able to have their external pages ask for credentials and allow the users to use their internal Active Directory usernames/passwords.
We have tried putting a read-only domain controller in the DMZ for authentication, but I was never able to get the server joined/promoted to our internal AD. From what our networking guys have told me, our DMZ is double 'NATed', which adds an extra level of complexity to domain services from the DMZ back into our internal network.
I then started looking into putting an AD LDS server in our DMZ and using it as an authentication point for our web apps. I was under the impression that this had the ability to connect to our AD controllers on the inside and provide basic authentication to clients/services in the DMZ. Everything I have found about setting up the LDS server shows the basic setup of configuring an LDS instance and replicas, and I have not had any problem setting that up. I just feel like I am missing the part where the LDS instance 'connects' to the internal AD domain. I don't feel like I have a full understanding of what exactly I am supposed to do with the LDS server!
Thank you in advance for any assistance.