Solved

Active Directory Design for Multiple Organizations

Posted on 2013-02-06
6
603 Views
Last Modified: 2013-04-02
Hello, I am inquiring about best practices and advice on how to properly deliver an ERP system to multiple organizations.  

These organizations use the same ERP system; employees access the ERP application via Windows Terminal Services and the ERP system uses MS SQL Server databases. These organizations have pooled their resources to build a new infrastructure of networking devices, servers, and storage systems that will be placed in a Datacenter to support the ERP system. The current ERP system will be migrated from the current environment to the new infrastructure in a Datacenter.

The current ERP system lives on one of the member organization's on-premise datacenter, with a MS SQL 2005 Database, and accessed via Windows Server 2008 RDS. The hosting organization is running a Windows Server 2008 Domain/Forest environment and has a mix of Forest and External trusts with the other member organizations. Each organization has its own terminal servers located at the hosting organization's datacenter. The employees from those organizations connect to their terminal servers to access the ERP system. The ERP system is housed in one database cluster for member organizations.
This setup has worked adequately for the past several years. With the ERP migration we want to make sure we setup the most available, secure and efficient design to deliver the ERP system to all member organizations.

The new infrastructure will be a Windows Server 2008 Domain/Forest, with each organization's ERP system running in its own MS SQL Server 2008 database. Each organization will have their own terminal server farm to access their ERP system. All organizations will have an IP VPN connection via MPLS service to the new infrastructure in the Datacenter.

There are 3 designs we are considering. The first is the same method of Domain Trusts: we can create a root domain in the new Windows Domain and set up forest trusts with all member organizations.

The second design was no Domain Trusts, setting up only a root domain in the new infrastructure and providing all member organizations' users with an AD account from the root domain to access their designated terminal servers to access their ERP system. The user total for all organizations is around 1000 users. This method would create a huge management overhead for the administrators of the root domain, but it would centralize management of the whole Windows environment and at that keep the systems more secure.

The third method was to create sub-domains from the root domain, one for each member organization. This would allow the local IT staff from each member organization to manage their users, and no domain trusts would be required. This option will bring a level of domain complexity and management for the administrators of the Windows Domain/Forest.

I have attached a diagram of all 3 methods to help describe the AD designs.

I am looking for expert insight and advice on the recommendations for the AD Design that would best fit our needs to deliver an ERP system, but also follows best practices.
AD-Design-draft-2.pdf
0
Question by:ItSecurePro
6 Comments
 
LVL 17

Expert Comment

by:Tony Massa
ID: 38862316
Is this to be a truly SaaS application?  Do the orgs have their own identities (accounts)?

 I guess what I'm getting at is:

Have you explored the possibility of using Federation with something like Ping Identity to each organization? This would let the org manage their own identity credentials/lifecycle and may also prevent intermingling of accounts and keep orgs truly separated. Ping has an integration kit for Citrix that may help with the application access/presentation.

It seems that with the proposed designs you'd have to spend a lot of money on hardware/management of a bunch of new hardware and management of additional servers (DCs) and account lifecycle that may be put to better use by using Federation.
0
 

Author Comment

by:ItSecurePro
ID: 38864217
Hello tmassa99,

Thank you for the input. That actually sounds like the best long-term solution. I read about Federation Services before, but I haven't been involved with this type of environment. The ERP system is Windows based, but it is not an ASP.NET application. The ERP application can run as a fat client or thin client via Remote Desktop Services. I don't believe this ERP is truly a SaaS application. All orgs do have their own accounts.

The hardware (blade chassis and storage) and Windows licenses (OS and SQL) have already been purchased. We will be using a mixed virtualization environment of Hyper-V and VMware with high availability. We have plenty of resources to provision as many virtual servers as needed.

I'll have to do some research to verify if FS will work for our environment.
0
 

Author Comment

by:ItSecurePro
ID: 38864223
Would anyone else like to add some recommendations or suggestions?
0

Author Comment

by:ItSecurePro
ID: 38865177
I verified with our ERP vendor and it does not provide a web based application. There are no plans for a web based solution for at least another year. If I am not mistaken this rules out Windows Federation Services.
0
 
LVL 17

Accepted Solution

by:
Tony Massa earned 500 total points
ID: 38866527
Not necessarily, if you have Citrix (RDS) presenting the app, but that's just speculation on my part. Let's say you look into that (long-term).

There are a lot of security considerations/policies that I'm pretending you don't have, just for a purely technical discussion. A single domain is technically possible, but let's say you want to have some sort of isolation. I don't know much about your ERP app, but if you can use a single service account, you can either secure OUs with AD permissions given to each instance.

There's also "List Object Mode" for AD that means that an account has to be granted specific permissions to see other "tenants" OUs.  http://msdn.microsoft.com/en-us/library/windows/desktop/ms675746(v=vs.85).aspx

No one really runs it this way, but I've been testing it for a while to evaluate multi-tenant application hosting. It works fine as far as I can tell. You can search the GC for all objects, but you can't bind to get any attributes. You can probably achieve the same thing by removing "Authenticated Users" default permissions, but I didn't want to hack the domain.

The only reason not to use a single domain is if you wanted to isolate your "user" IDs from the application IDs.  In this case, you would have 2 single domain forests with a one-way trust from the "admin" forest (contains administrator and application service accounts) and the second forest would only contain application user IDs and servers.  The app users can't authenticate to your "admin" forest to compromise your accounts should something go awry.  You also won't have to have privileged accounts in the user domain.

[Edit]
I can't believe that I forgot Forefront Identity Manager (or any other identity sync tool). You may be able to sync accounts/passwords from the business to your domain so you don't have to manage user accounts, assuming you have network connectivity.
0
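The "List Object Mode" and per-tenant OU permissions described in the accepted answer, as an added PowerShell example that is not part of the thread: it flips the third character of the forest's dSHeuristics attribute to "1" (which enables List Object mode) and grants one tenant group List Object and List Contents on its own OU. The domain, OU and group names are placeholders, and it assumes the broad List Contents grants on the hosting container have been removed separately, as the answer notes.

```powershell
# Added example (not from the thread). Run as a domain admin with the ActiveDirectory module.
# Placeholder names: domain contoso.local, OU=Tenant-A, group "TenantA-Users".
Import-Module ActiveDirectory

function Set-DsHeuristicChar {
    # dSHeuristics is a positional string; pad with "0" so the 1-based position exists, then set it.
    param([string]$Value, [int]$Position, [char]$Char)
    if ([string]::IsNullOrEmpty($Value)) { $Value = '' }
    while ($Value.Length -lt $Position) { $Value += '0' }
    $chars = $Value.ToCharArray()
    $chars[$Position - 1] = $Char
    return -join $chars
}

function Enable-ListObjectMode {
    # dSHeuristics lives on the Directory Service object in the Configuration NC.
    # Its 3rd character controls List Object mode: "1" = enabled, forest-wide.
    $config  = (Get-ADRootDSE).configurationNamingContext
    $dsObj   = "CN=Directory Service,CN=Windows NT,CN=Services,$config"
    $current = (Get-ADObject -Identity $dsObj -Properties dSHeuristics).dSHeuristics
    $new     = Set-DsHeuristicChar -Value $current -Position 3 -Char '1'
    if ($new -ne $current) {
        Set-ADObject -Identity $dsObj -Replace @{ dSHeuristics = $new }
    }
    return $new
}

function Grant-TenantListObject {
    param([string]$OuDn, [string]$GroupName)
    # In List Object mode a principal without List Contents on the parent sees only the
    # children it holds List Object on, so each tenant group is granted List Object on
    # its own OU (plus List Contents inside it) and other tenants' OUs stay invisible.
    $sid  = (Get-ADGroup -Identity $GroupName).SID
    $acl  = Get-Acl -Path "AD:\$OuDn"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        ([System.DirectoryServices.ActiveDirectoryRights]::ListObject -bor
         [System.DirectoryServices.ActiveDirectoryRights]::ListChildren),
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

Enable-ListObjectMode
Grant-TenantListObject -OuDn 'OU=Tenant-A,DC=contoso,DC=local' -GroupName 'TenantA-Users'
```

Verify afterwards from a tenant account with `Get-ADOrganizationalUnit -Filter *`: only that tenant's OU should be returned, while a Global Catalog search still lists object names without attributes, as the answer describes.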
 

Author Closing Comment

by:ItSecurePro
ID: 39042849
This suggestion is a good starting point.
0
