Channel: Directory Services forum

Opinion on using external secure LDAP for SSO authentication?


Hi guys,

We are at 2008 R2 forest and domain levels. We have ADFS set up and would normally try to use it for this kind of thing, but we want to do business with a vendor that wants to do external secure LDAP. We would have to put in a firewall rule to keep us from exposing our AD to the internet, and we would also have to put a DC out in our DMZ. I am guessing we could make it an RODC.

We would have to give them an account to query with, with a password that does not change. I am thinking that, and we could probably limit exposure by using the "Log On To" tab to only include the DMZ DC, and we could probably deny interactive logins. We would also have to get them a certificate (not sure if we would use an internal one and have them trust it, or go with a public one).

You can probably tell I am not a big fan of this, but I have never done it before and am not sure how often large corporations really go down this road. I guess it can work fine, but any suggestions or opinions on this from a security perspective would be appreciated.

Thanks,

Dan


Dan Heim
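The setup sketched in the post (a DMZ RODC, a bind account with a non-rotating password, the "Log On To" restriction, a deny-interactive-logon control, and a certificate the vendor must trust) can be scripted and then checked from the outside with an LDAPS bind. The following is an added example and is not code from the original post or from the forum; it assumes the RSAT ActiveDirectory module, a domain named corp.example, a DMZ RODC named DMZ-RODC01, a service account named svc-vendor-ldap and an OU named "OU=Service Accounts,DC=corp,DC=example", all of which are hypothetical. The Group Policy that actually assigns "Deny log on locally" and "Deny log on through Remote Desktop Services" to the deny group is not created by the script; only the group that such a GPO would reference is.

```powershell
# Added example, not from the original post. Hypothetical names throughout:
# domain corp.example, DMZ RODC DMZ-RODC01, account svc-vendor-ldap, and the
# OU below. Run from a host with the ActiveDirectory (RSAT) module as an
# account that may create users and groups in that OU.
Import-Module ActiveDirectory

$Domain  = 'corp.example'
$Rodc    = 'DMZ-RODC01'
$Account = 'svc-vendor-ldap'
$Ou      = 'OU=Service Accounts,DC=corp,DC=example'

# 1. The vendor needs a password that never changes, so length is the only
#    lever left: 40 random printable ASCII characters.
$Plain    = -join (1..40 | ForEach-Object { [char](Get-Random -Minimum 33 -Maximum 127) })
$Password = ConvertTo-SecureString -String $Plain -AsPlainText -Force

# 2. Create the bind account. It gets no group memberships beyond the
#    default Domain Users, cannot change its own password, and the
#    password never expires (the vendor's requirement from the post).
New-ADUser -Name $Account -SamAccountName $Account `
    -UserPrincipalName "$Account@$Domain" -Path $Ou `
    -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'Vendor LDAPS bind account; read-only; DMZ RODC only'

# 3. The "Log On To" tab from the post: the userWorkstations attribute,
#    limited to the DMZ RODC's NetBIOS name.
Set-ADUser -Identity $Account -LogonWorkstations $Rodc

# 4. Allow the RODC to cache this one secret, so it can answer the vendor's
#    binds even when the inner firewall blocks its path to a writable DC.
#    Trade-off: the hash now lives on a DMZ host. Omit this step if the RODC
#    is allowed to forward authentication inward instead.
Add-ADGroupMember -Identity 'Allowed RODC Password Replication Group' -Members $Account

# 5. "Deny interactive logins": a group that a GPO lists under
#    "Deny log on locally" and "Deny log on through Remote Desktop Services".
#    The GPO itself is configured separately; this only creates the group.
$DenyGroup = 'Deny-Interactive-Logon'
if (-not (Get-ADGroup -Filter "Name -eq '$DenyGroup'")) {
    New-ADGroup -Name $DenyGroup -GroupScope DomainLocal -GroupCategory Security -Path $Ou
}
Add-ADGroupMember -Identity $DenyGroup -Members $Account

# 6. Check from the vendor's side of the firewall: an LDAPS simple bind on
#    636. VerifyServerCertificate is deliberately NOT overridden, so the
#    RODC's certificate must chain to a CA in the client's trust store. With
#    an internal CA the vendor has to import that root; with a public CA it
#    already does. If this bind fails, the LDAPS certificate is the first suspect.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$Server = "$Rodc.$Domain"
$Id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
$Conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Id)
$Conn.SessionOptions.SecureSocketLayer = $true
$Conn.SessionOptions.ProtocolVersion  = 3
$Conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$Conn.Credential = New-Object System.Net.NetworkCredential("$Account@$Domain", $Password)
$Conn.Bind()

# 7. Read-only check: the account can read its own object, and a write to
#    the RODC is refused (an RODC answers writes with a referral, not a change).
$Dn = (Get-ADUser -Identity $Account).DistinguishedName
$Search = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $Dn, '(objectClass=user)',
    [System.DirectoryServices.Protocols.SearchScope]::Base, 'sAMAccountName')
$Resp = $Conn.SendRequest($Search)
"Bound as $Account over LDAPS to $Server; read returned $($Resp.Entries.Count) entry"

$Mod = New-Object System.DirectoryServices.Protocols.ModifyRequest(
    $Dn, [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace,
    'description', [object[]]@('should not succeed'))
try {
    $null = $Conn.SendRequest($Mod)
    'WARNING: write succeeded; this account or DC is not read-only'
} catch {
    "Write refused as expected: $($_.Exception.Message)"
}
```

Steps 1 to 5 run inside the network; step 6 onward is meant to be run from a host on the vendor's side of the firewall rule, since that is the only place that proves the rule admits exactly port 636 to the RODC and nothing else. The bind uses a simple bind over TLS rather than SASL so that the test exercises the same path the vendor will, which is also why the certificate check is left enabled.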

