
Perfect DMZ: LDAP auth to AD


My goal is to integrate a public-facing service with AD using LDAP. While I vouch for a federated approach to user authentication, the business dictates LDAP.

We run a DMZ subnet and I insist on not punching any (or as few as possible) holes towards the LAN; however, the Microsoft way is a mockery of the DMZ concept. Assuming the best strategy is to place a Read-Only Domain Controller into the DMZ, their document lists a number of ports that need to be opened for RODC -> LAN (RODC required ports). Our original plan was to put the RODC into the DMZ segment and target it with our LDAP connector from an application server.

Is there a known solution for one-way replication of an AD user subset towards a DMZ RODC/other LDAP-capable server, or a configuration for the RODC that doesn't allow any connections towards a writable DC?
