afaik in order for AD authentication to work on the webserver, the webserver needs to be part of the domain

DNN Blog | Twitter: @erikvb | LinkedIn:

Well...  BY FAR, the simplest approach for this is to have the server (IIS) that is running DNN to be part of the domain.  If it is part of the domain, all of the instructions for how to get it working apply and it is a very simple procedure to get it working properly.

But...  That does not mean it is the only way.  If you look at how DNN works, the AD authentication is actually handled by IIS itself.  DNN itself is running under the NETWORK SERVICE account, and when authentication is needed it redirects you to the WindowsSignIn.aspx file, which is the only file that requires AD authentication to access (hence the authentication).   This is also one of the purposes behind the Impersonation setting in the web.config file, but that has not been fully explored/explained yet.

So... This leaves you wide open to use a variety of third-party utilities, or if you really know your Windows Server stuff, you can modify your existing server so that IIS is actually authenticating to a domain that the server itself is not a member of.   How to actually do it, I could not tell you, but I know it can be done.  Keep in mind that it is not going to be a simple process, and it is a configuration that nobody here will be able to help you with, so you'll be pretty much on your own (although we can give you pointers on what to look for).

Overall, it's better just to make it part of the domain, and then everything is much more secure and simpler.