I am running into some different and/or conflicting information regarding the best way to set up this environment, which is pictured below. Here are some details:
1. Clients authenticate to the web application running on WEB using certificates and accounts stored in the DB, not AD accounts.
2. The web server, WEB, needs to be managed easily due to numerous GPOs. So it needs to talk to the domain/DC somehow. I have seen differing opinions here. Some suggest a 2nd domain with a one-way trust. Some suggest a workgroup. But those seem to fall under either extra management or no management.
3. The preferred method would be that web server, WEB, will only communicate through the F/W to the DB server on a specific port. Granted, I could say just allow WEB to communicate through the DMZ to the DC, but that doesn't seem as secure.
I have seen information regarding putting a RODC in the DMZ along with WEB. The RODC will communicate with the DCs in the Trusted LAN. The web server, WEB, will get everything it needs from the RODC. Does this seem to be the best approach?
Thank you for any input or guidance.
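The segmentation the question describes (WEB reaches DB only on one port, WEB gets its domain services from an RODC in the DMZ, and WEB has no path to the writable DCs in the trusted LAN) is easy to state and easy to get subtly wrong in the firewall. The script below is an added example, not part of the original post, of how a practitioner would verify that design from the WEB box with built-in Windows tooling (Test-NetConnection and nltest). The hostnames WEB/DB/RODC/DC1/DC2, the port 1433, the domain name and the port list are assumptions for illustration; substitute your own.

```powershell
# Added verification script (not from the original post). Run on WEB to confirm the
# intended DMZ segmentation: WEB reaches DB only on the application port, reaches the
# DMZ RODC on the AD ports it needs for GPO processing, and cannot reach the writable
# DCs in the trusted LAN. Hostnames, ports and the domain name are assumptions.

$Db     = 'DB'                   # assumed hostname of the database server
$DbPort = 1433                   # assumed application port (SQL Server default)
$Rodc   = 'RODC'                 # assumed hostname of the RODC in the DMZ
$LanDcs = @('DC1', 'DC2')        # assumed writable DCs in the trusted LAN
$Domain = 'corp.example.com'     # assumed AD DNS domain name

# Ports a domain member needs from its logon DC: DNS, Kerberos, LDAP, SMB (SYSVOL
# for GPOs), RPC endpoint mapper. Add 636/3269 if you require LDAPS/GC over TLS.
$AdPorts = @(53, 88, 389, 445, 135)

function Test-Port {
    param([string]$Target, [int]$Port)
    # TcpTestSucceeded is $true only if the TCP handshake completed. The warning
    # "TCP connect failed" is suppressed so a blocked port is simply $false.
    [bool](Test-NetConnection -ComputerName $Target -Port $Port `
            -WarningAction SilentlyContinue).TcpTestSucceeded
}

$results = @()
function Add-Check {
    param([string]$Name, [bool]$Expected, [bool]$Actual)
    $script:results += [pscustomobject]@{
        Check    = $Name
        Expected = $Expected
        Actual   = $Actual
        Status   = if ($Expected -eq $Actual) { 'OK' } else { 'VIOLATION' }
    }
}

# 1. WEB -> DB: only the application port should be open through the F/W.
Add-Check "WEB->DB:$DbPort" $true  (Test-Port $Db $DbPort)
Add-Check "WEB->DB:445"     $false (Test-Port $Db 445)    # SMB to DB is not required

# 2. WEB -> RODC: the AD ports must be reachable or WEB cannot apply GPOs.
foreach ($p in $AdPorts) { Add-Check "WEB->RODC:$p" $true (Test-Port $Rodc $p) }

# 3. WEB -> trusted-LAN DCs: must be blocked. If any of these succeed, the RODC
#    is not isolating anything and a compromised WEB talks to writable DCs directly.
foreach ($dc in $LanDcs) {
    foreach ($p in @(88, 389, 445)) { Add-Check "WEB->${dc}:$p" $false (Test-Port $dc $p) }
}

# 4. Which DC does the locator actually hand WEB? It should be the RODC, not a LAN DC.
$locator = nltest /dsgetdc:$Domain 2>&1 | Out-String
Add-Check "Logon DC is RODC" $true ($locator -match "\\\\$Rodc\b")

$results | Format-Table -AutoSize
$violations = @($results | Where-Object Status -eq 'VIOLATION')
if ($violations.Count -gt 0) { Write-Host "$($violations.Count) segmentation violation(s)"; exit 1 }
exit 0
```

Two caveats the checks above do not cover: the RODC itself still needs an outbound rule set from the DMZ to the writable DCs for replication, so the "DMZ cannot reach the LAN" rule applies to WEB, not to the RODC; and the RODC only caches secrets for accounts listed in its allowed password replication policy (`Get-ADDomainControllerPasswordReplicationPolicy -Identity RODC -Allowed` from RSAT shows them), so add WEB's computer account there if WEB must keep authenticating when the RODC's link to the LAN is down.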