Hello, I am inquiring about best practices and advice on how to properly deliver an ERP system to multiple organizations.
These organizations use the same ERP system; employees access the ERP application via Windows Terminal Services and the ERP system uses MS SQL Server databases. These organizations have pooled their resources to build a new infrastructure of networking devices, servers, and storage systems that will be placed in a datacenter to support the ERP system. The current ERP system will be migrated from the current environment to the new infrastructure in a datacenter.
The current ERP system lives in one of the member organizations' on-premises datacenters, with an MS SQL 2005 database, and is accessed via Windows Server 2008 RDS. The hosting organization is running a Windows Server 2008 Domain/Forest environment and has a mix of Forest and External trusts with the other member organizations. Each organization has its own terminal servers located at the hosting organization's datacenter. The employees from those organizations connect to their terminal servers to access the ERP system. The ERP system is housed in one database cluster for member organizations.
This setup has worked adequately for the past several years. With the ERP migration we want to make sure we set up the most available, secure and efficient design to deliver the ERP system to all member organizations.
The new infrastructure will be a Windows Server 2008 Domain/Forest, with each organization's ERP system running in its own MS SQL Server 2008 database. Each organization will have its own terminal server farm to access its ERP system. All organizations will have an IP VPN connection via MPLS service to the new infrastructure in the datacenter.
There are 3 designs we are considering. The first is the same method of Domain Trusts: we can create a root domain in the new Windows Domain and set up forest trusts with all member organizations.
The second design is no Domain Trusts: set up only a root domain in the new infrastructure and provide all member organizations' users with an AD account from the root domain to access their designated terminal servers and, through those, their ERP system. The user total for all organizations is around 1000 users. This method would create a huge management overhead for the administrators of the root domain, but it would centralize management of the whole Windows environment and, at the same time, keep the systems more secure.
The third method is to create sub-domains from the root domain, one for each member organization. This would allow the local IT staff from each member organization to manage their own users, and no domain trusts would be required. This option will bring a level of domain complexity and management overhead for the administrators of the Windows Domain/Forest.
I have attached a diagram of all 3 methods to help describe the AD designs.
I am looking for expert insight and advice on the AD design that would best fit our needs to deliver an ERP system while also following best practices.
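The first design keeps the existing forest and external trusts, so the security of that option rests on how each trust is configured. The script below is an added example, not something from the original post or its author, that inventories the trusts of the current domain and flags the settings that most widen a trust's exposure: forest-wide rather than selective authentication, SID history allowed across a forest trust, the quarantine flag missing on an external trust, and two-way trusts where one direction may be enough. It assumes the ActiveDirectory RSAT module is installed and the caller can read trust objects; the property names are those exposed by Get-ADTrust. Under the second or third design the report would simply come back empty, since no trusts exist.

```powershell
# Added audit example (not from the original post): enumerate every trust of
# the current domain and flag configuration that widens the trust's exposure.
# Assumes the ActiveDirectory RSAT module and read access to trust objects.
Import-Module ActiveDirectory

function Get-TrustRiskReport {
    param([string]$Server)   # optional DC or domain to query; defaults to the current domain

    $params = @{ Filter = '*' }
    if ($Server) { $params.Server = $Server }

    foreach ($t in Get-ADTrust @params) {
        $findings = @()

        # Forest-wide authentication lets any account in the trusted forest be
        # authenticated by any resource here; selective authentication limits
        # that to computers explicitly granted "Allowed to Authenticate".
        if (-not $t.SelectiveAuthentication) {
            $findings += 'forest-wide authentication (selective authentication off)'
        }

        # SIDFilteringForestAware = $true means SID history was enabled across a
        # forest trust (netdom trust /enablesidhistory:yes), relaxing SID filtering.
        if ($t.ForestTransitive -and $t.SIDFilteringForestAware) {
            $findings += 'SID history enabled across forest trust'
        }

        # External trusts rely on the quarantine flag (netdom trust /quarantine:yes)
        # for SID filtering; report when it is not set so it can be confirmed.
        if (-not $t.ForestTransitive -and -not $t.SIDFilteringQuarantined) {
            $findings += 'quarantine flag not set on external trust'
        }

        # A two-way trust exposes both sides; check whether inbound is required.
        if ($t.Direction -eq 'BiDirectional') {
            $findings += 'two-way trust; confirm both directions are needed'
        }

        [pscustomobject]@{
            Trust            = $t.Name
            Direction        = $t.Direction
            ForestTransitive = $t.ForestTransitive
            Findings         = ($findings -join '; ')
        }
    }
}

# Usage: run from a domain-joined admin workstation in the domain being audited.
Get-TrustRiskReport | Format-Table -AutoSize
```

Run it once against the hosting organization's current domain before the migration to see which trusts are two-way or lack selective authentication, and again in the new forest after trusts are recreated, so the new environment starts with the tightest settings rather than inheriting the old ones.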