I have asked this question before but I just need to make absolutely sure that I am taking the "best route".
We have a couples of servers running apps. Another company wants to take contractual ownership / support of these servers and I need to work out the best way of giving this organisation admin access to these servers. The problem is that these servers have to stay on our network (i.e. our physical network) and they are both in OUR domain (forest) at the moment.
The options I was considering were as follows:
a) disjoin both member servers from our domain and put them into a workgroup + remove our local admin account and enable remote desktop access to the other company on both boxes (with a local admin account that they can use) - job done - we would lose access and they would gain it, right ?
b) keep both servers in our domain - but create a new OU in our AD and move both computer accounts into this OU. Then delegate control of this OU (and the objects within it) to the other organisation.
Which option sounds best ? If we go for B) then isn't there a risk that the other company would be able to access our domain ? Which option is the "cleanest" and adheres to MS "best practise" ?
Thanks experts, as always :-)