AD in the DMZ

["Jeffrey Gorton" <jpgorton () swbell net>]

I am aware of an internet-facing web application that is running on
Microsoft SharePoint and using an Active Directory forest (that resides in a
separate firewalled network segment) for user authentication.  There is also
a one-way trust relationship with the AD forest on the internal network (the
DMZ AD trusts the internal AD) so that internal users can access DMZ
resources.  There is a firewall between the two AD forests, but the LDAP and
necessary Windows ports are open.

An Internet user authenticates with a DMZ AD account.  An internal user
authenticates into the internal AD and then accesses DMZ resources (the DMZ
AD contacts the internal AD for authentication).

It seems to me that, if the SharePoint server is compromised, the attacker
will be able to enumerate users on the internal AD.  Is this so?  What are
the problems with this design?

Thanks.