Kahit na ito ay hindi literal na totoo, bilang isang praktikal na bagay, isang internet na nakaharap sa web front end sa isang DMZ ay dapat na nasa isang domain (i.e. hindi ilang mga standalone server sa sarili nitong maliit na workgroup). It doesn’t need to be in the same domain as the internal WFE(s) at iba pang mga server (at marahil hindi dapat), but it needs to be a domain.
My colleagues and I spent an inordinate amount of time on a proposal which included SharePoint pre-requisites. This included a comprehensive list of firewall configurations that would enable the DMZ server to join the farm and so forth. Sadly, we failed to add a sentence somewhere that said, to the effect, "the whole bloody point of this configuration is to allow your DMZ WFE server, in a domain, to join the internal farm."
A perfect storm of events, where we basically looked left when we might have looked right, conspired to hide this problem from us until fairly late in the process, thus preventing me from invoking my "tell bad news early" rule.
Sigh.
