Extended corporate forest model

The solution that has an extended corporate forest in the perimeter places domain controllers—ideally, read-only domain controllers (RODCs)—that belong to the corporate forest in the perimeter network. As shown in Figure 3, this model takes advantage of the benefits of a single forest while enabling the use of corporate identities in the perimeter network.

Figure 3 Extended corporate forest model

This model allows corporate identities to access resources in the perimeter network from both the Internet and the corporate network—if there is connectivity between the two networks—without requiring multiple identity stores (duplicating identities) or having to set up trust relationships between internal forest and perimeter forest for authentication.

Most of the directory information that is stored in the corporate Active Directory infrastructure is accessible to domain-joined computers or domain users in the perimeter network, as if they were accessing the directory on the internal network. This depends on the users being given appropriate permissions through access control lists (ACLs).

There are two variations of this model: One is to deploy writeable domain controllers from the corporate forest into the perimeter network. The second is to use RODCs. Because of the security and manageability benefits that are available with the RODC solution, this is the recommended model. However, if your current integrated application writes information to the directory, you might be blocked from using the new RODC role in the perimeter network. RODCs might also have application compatibility issues that require more planning and changes to your perimeter. More information about RODCs in the perimeter is provided later in this guide.