What's the most secure way to connect to Active Directory from a DMZ?

Question

I got a web DMZ server, that hosts an "Extranet" ASP.NET application. I want that users should authenticate to this application using the same user and password that they use on their Windows at work. (we are using Active Directory)

I want to know what the best way is -the most secure way - to connect from the DMZ web server to the Active Directory.

For now I saw two possibilities:
- RODC
- LDAP Over SSL (LDAPS)

Are there any other option you recommend? What other options should I consider? Any limitation, or potential problems with any of those solution?

Answer 1

It exist a Microsoft document talking about that :

Active Directory Domain Services in the Perimeter Network (Windows Server 2008)

You can also take inspiration from Microsoft consideration on installing an Exchange Front-end computer into a DMZ

Front-End and Back-End Server Topology Guide for Exchange Server 2003 and Exchange 2000 Server