All OCS Edge servers have been designed to have no dependency on membership of an AD domain. Therefore OCS Edge servers can be run either as servers in a workgroup or as members of a domain.
The Edge Server deployment guide recommends:
“Deploy edge servers in a workgroup rather than a domain. Doing so simplifies installation and keeps the Active Directory® Domain Services out of the perimeter network. Locating Active Directory in the perimeter network can present a significant security risk.”
This follows the 'best practice' of not joining servers in a perimeter network to an internal domain or forest. On the other hand, the traditional rigid model of a tightly cordoned DMZ is being replaced by a per-server or per-service risk analysis, leading to a security implementation that is specifically tailored to that server and to the risks associated with an outage or other type of intrusion.
Note that the service accounts and administrative accounts used on the OCS Edge servers are intended to be machine-local accounts, which further reduces the chance of intrusion.
Advantages and disadvantages: when considering membership of the internal xxx.contoso.com domains, a number of benefits and disadvantages arise.
Some advantages of member servers in a perimeter zone:
- Limited local SAM database on each server
- Less password maintenance
- Generally leads to better passwords and better password maintenance
  - only a few accounts with very long, very complex passwords can be used (as they will not be used during normal operation).
- Patch management can be done via the same mechanisms as other internal servers
  This is a very limited advantage, as generally speaking perimeter servers, including OCS Edge servers, should be under a different update regime or policy than internal servers.
- Smart-card logon for server management is possible.
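The design points above (workgroup membership, a small set of machine-local accounts, and disciplined password maintenance) can be checked on the Edge server itself. The script below is an added example, not part of the OCS deployment guide; it assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Get-LocalUser, Get-LocalGroupMember), run elevated on the Edge server. The thresholds ($MaxPasswordAgeDays, $MaxEnabledAccounts) are assumed values for illustration, not figures from the guide.

```powershell
# Added example (not from the OCS deployment guide): audit an Edge server's
# domain membership and its local accounts against the workgroup design.
# Assumes Windows PowerShell 5.1+ with Microsoft.PowerShell.LocalAccounts,
# run as Administrator on the Edge server. Thresholds are assumptions.

param(
    [int]$MaxPasswordAgeDays = 90,   # assumed policy for the few remaining local accounts
    [int]$MaxEnabledAccounts = 5     # assumed: "only a few accounts" should be enabled
)

$findings = @()

# 1. Edge servers should be in a workgroup, not joined to the internal domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    $findings += "Server is joined to domain '$($cs.Domain)'; the deployment guide recommends a workgroup."
} else {
    Write-Host "OK: server is in workgroup '$($cs.Workgroup)'."
}

# 2. Only a small number of local accounts should be enabled (limited local SAM).
$users   = Get-LocalUser
$enabled = @($users | Where-Object { $_.Enabled })
if ($enabled.Count -gt $MaxEnabledAccounts) {
    $findings += "$($enabled.Count) local accounts are enabled (threshold $MaxEnabledAccounts)."
}

# 3. Passwords on enabled accounts should be maintained: flag stale or non-expiring ones.
foreach ($u in $enabled) {
    if ($u.PasswordLastSet -and ((Get-Date) - $u.PasswordLastSet).Days -gt $MaxPasswordAgeDays) {
        $findings += "Account '$($u.Name)': password last set $($u.PasswordLastSet.ToShortDateString()), older than $MaxPasswordAgeDays days."
    }
    if (-not $u.PasswordExpires) {
        $findings += "Account '$($u.Name)': password is set to never expire."
    }
}

# 4. Local Administrators should contain local principals only; a domain or
#    cloud principal in the group reintroduces the dependency the design avoids.
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    if ($m.PrincipalSource -ne 'Local') {
        $findings += "Administrators member '$($m.Name)' comes from '$($m.PrincipalSource)', not the local SAM."
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No findings."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it from an elevated prompt on the Edge server (for example `.\Test-EdgeLocalAccounts.ps1 -MaxPasswordAgeDays 60`). A non-expiring password on the built-in Administrator account will be reported; whether that is acceptable depends on the password regime chosen for the handful of accounts the server keeps, which the script cannot decide for you.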