I would not advise you to have the Active Directory on your DMZ. You can have any server on the DMZ but not the DC. You usually have the Domain Controller on the inside network for two main reasons:
1- You never give access from outside to inside directly as it would be insecure... you place your DC on your inside because you don't give permission for anybody to access it from outside... On the other hand you don't have any problems letting people access the mail server through the known ports (smtp, pop3...etc)... and this is why you place the mail server on the DMZ... in summary if the DMZ was hacked, there is another layer of security from the DMZ to the inside network.
2- You will have a problem with the non-routable protocols (e.g. NetBIOS and NetBEUI) if the DC and the users are in different zones, therefore it is always advisable to have the DC on the same zone as the users...
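The layering argued for in the answer above (public services in the DMZ, the DC only on the inside, no direct outside-to-inside path, and DMZ-to-inside limited to explicit ports) can be checked mechanically against a rule set. The following is an added Python example, not code from this thread or from any vendor; the zone names, the simplified `Rule` model, the `ANY_PORT` convention and both rule sets are constructed for illustration, while the port numbers are the standard assignments for the services named.

```python
from dataclasses import dataclass
from typing import List

# Well-known destination ports (standard assignments) for domain-controller
# services: Kerberos, RPC endpoint mapper, NetBIOS, LDAP/LDAPS, SMB, kpasswd,
# and the Global Catalog. The answer argues these should never be published.
DC_PORTS = {88, 135, 137, 138, 139, 389, 445, 464, 636, 3268, 3269}
ANY_PORT = 0  # convention used in this example for "any destination port"


@dataclass(frozen=True)
class Rule:
    """One zone-to-zone firewall rule (simplified: no addresses or interfaces)."""
    src_zone: str   # "outside", "dmz" or "inside"
    dst_zone: str
    proto: str      # "tcp", "udp" or "ip"
    port: int       # destination port, ANY_PORT for any
    action: str     # "permit" or "deny"


def audit(rules: List[Rule]) -> List[str]:
    """Return one finding per permit rule that breaks the DMZ layering policy.

    Checks run from most to least severe, and a rule yields at most one finding.
    """
    findings: List[str] = []
    for r in rules:
        if r.action != "permit":
            continue
        if r.src_zone == "outside" and r.dst_zone == "inside":
            findings.append(f"direct outside->inside permit (no DMZ layer): {r}")
        elif r.src_zone == "outside" and r.port in DC_PORTS:
            findings.append(f"domain-controller service reachable from outside: {r}")
        elif r.src_zone == "outside" and r.port == ANY_PORT:
            findings.append(f"any-port permit from outside into {r.dst_zone}: {r}")
        elif r.src_zone == "dmz" and r.dst_zone == "inside" and r.port == ANY_PORT:
            findings.append(f"compromised DMZ host could reach inside on any port: {r}")
    return findings


# Constructed rule set that places a DC in the DMZ and punches holes through
# both layers, i.e. what the answer above argues against.
WEAK_RULES = [
    Rule("outside", "dmz", "tcp", 25, "permit"),
    Rule("outside", "dmz", "tcp", 389, "permit"),      # LDAP on a DMZ-resident DC
    Rule("outside", "inside", "tcp", 445, "permit"),   # SMB straight to the inside
    Rule("dmz", "inside", "ip", ANY_PORT, "permit"),   # DMZ may reach anything inside
    Rule("inside", "outside", "ip", ANY_PORT, "permit"),
]

# Constructed rule set matching the answer: mail (SMTP, POP3) published from
# the DMZ, the DC only on the inside, and DMZ->inside limited to one relay port.
HARDENED_RULES = [
    Rule("outside", "dmz", "tcp", 25, "permit"),
    Rule("outside", "dmz", "tcp", 110, "permit"),
    Rule("dmz", "inside", "tcp", 25, "permit"),        # relay to the internal mail store only
    Rule("inside", "dmz", "ip", ANY_PORT, "permit"),
    Rule("inside", "outside", "ip", ANY_PORT, "permit"),
    Rule("outside", "inside", "ip", ANY_PORT, "deny"),
    Rule("dmz", "inside", "ip", ANY_PORT, "deny"),
]


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        result = audit(rules)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

The audit deliberately looks only at permits: the inside-to-DMZ and inside-to-outside "any" rules are left alone, because the policy in the answer is about what may come in, not what may go out. Running it on the weak set reports the exposed LDAP port, the direct SMB path, and the unrestricted DMZ-to-inside rule; the hardened set produces no findings.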
I actually worked for an organization that did have its domain controllers on a DMZ. We had to do this as we were members of a large Active Directory forest that had members of other organizations. This allowed Active Directory access from the other sites without giving them access to our internal network.
This took a lot of work to configure and maintain. I would agree with Osama not to do this unless it is absolutely necessary.