I am designing an Active Directory with multiple domains. At this point I am trying to decide if our DMZ should be in a separate forest or in a separate domain. I recognize that some of this discussion is based on opinion; there are pluses and minuses to both approaches. The main focus is securing the inside from the DMZ, which will live on the internet with broad firewall rules. This is a new forest and will be at the Server 2008 R2 functional level; there are no legacy resources. There are also no email services in the environment.
The requirements are listed below in order of importance.
- Protect the inside network
- Provide single sign-on (tests show this works fine in both cases)
- Provide maximum flexibility for differing security models (end users do crazy things)
- Minimize complexity (I know this argues for single forest and contradicts #3)
I am leaning towards a single forest; anyone want to argue the alternative?
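The security-relevant difference between the two options is that a domain is not a security boundary (any domain in a forest can elevate to the whole forest, for example via SIDHistory or by compromising the Enterprise Admins-controlled configuration partition), while a forest is, provided the trust between the forests is configured to keep it that way. The following is an added example, not part of the original question or of any answer to it: a PowerShell check, run on a domain controller in the internal forest with the ActiveDirectory module (RSAT) loaded, that verifies a forest trust to the DMZ forest has the hardening settings a practitioner would expect if the separate-forest design is chosen. The forest names `corp.example` (internal) and `dmz.example` (DMZ) are hypothetical; the `netdom` flags referenced in the comments are the Server 2008 R2-era commands that set the corresponding attributes.

```powershell
# Added example (not from the original post). Audits the trust with the DMZ
# forest as seen from the internal forest. Assumed names: this runs in the
# internal forest corp.example; the DMZ forest is dmz.example.
Import-Module ActiveDirectory

function Test-DmzForestTrust {
    param(
        [string]$DmzForest = 'dmz.example'   # hypothetical DMZ forest name
    )

    # Get-ADTrust reads the trustedDomain object stored in the local forest.
    $trust = Get-ADTrust -Filter { Name -eq $DmzForest }
    if (-not $trust) {
        throw "No trust with $DmzForest found in this forest"
    }

    $problems = @()

    # 1. Trust type. Kerberos SSO across forests needs a forest trust; an
    #    external trust is NTLM-only and non-transitive.
    if (-not $trust.ForestTransitive) {
        $problems += 'Trust is not a forest trust (ForestTransitive is false)'
    }

    # 2. Direction. For SSO the DMZ resources must trust internal accounts,
    #    so from the internal side the trust is Inbound. An Outbound or
    #    BiDirectional trust means the internal forest accepts DMZ accounts,
    #    which removes most of the benefit of the separate forest.
    if ($trust.Direction -ne 'Inbound') {
        $problems += "Direction is $($trust.Direction); expected Inbound so that only the DMZ trusts the internal forest"
    }

    # 3. SID history across the trust. 'netdom trust ... /enablesidhistory:yes'
    #    sets this flag and lets SIDHistory values from the DMZ forest through
    #    SID filtering, so a compromised DMZ DC could present internal group
    #    SIDs. It should be off.
    if ($trust.SIDFilteringForestAware) {
        $problems += 'SID history is enabled across the trust (disable with netdom trust ... /enablesidhistory:no)'
    }

    # 4. Quarantine. 'netdom trust ... /quarantine:yes' restricts accepted
    #    SIDs to the trusted domain itself, the strictest filtering mode.
    if (-not $trust.SIDFilteringQuarantined) {
        $problems += 'Trust is not quarantined (netdom trust ... /quarantine:yes)'
    }

    # 5. Selective authentication. With forest-wide authentication every
    #    trusted user is a member of Authenticated Users on every computer in
    #    the trusting forest; with selective authentication ('netdom trust
    #    ... /selectiveauth:yes') they can only reach computers where the
    #    'Allowed to Authenticate' right was granted explicitly.
    if (-not $trust.SelectiveAuthentication) {
        $problems += 'Selective authentication is off (netdom trust ... /selectiveauth:yes)'
    }

    # Return a summary object; an empty Problems list means the trust matches
    # the expected one-way, filtered, selective configuration.
    [pscustomobject]@{
        Trust     = $trust.Name
        Direction = $trust.Direction
        Problems  = $problems
        Hardened  = ($problems.Count -eq 0)
    }
}

# Usage: run on a DC (or an RSAT workstation) in the internal forest.
Test-DmzForestTrust -DmzForest 'dmz.example' | Format-List
```

In the single-forest design there is no trust object to audit: the DMZ domain's domain controllers hold a writable copy of the forest's configuration and schema partitions and their Domain Admins can reach Enterprise Admins, so the checks above have no equivalent, which is the crux of the trade-off the question describes.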