Multi-tenant Active Directory design

Dear Experts.

I am currently at a managed IT services company.
Currently they have a totally separate AD/network for each customer and for the internal environments (UAT, DEV, Prod).
This makes it VERY hard to manage, as you have to RDP onto one server to get onto another server.
The same goes for the different internal environments. To me, UAT testing is irrelevant, as the ADs are so out of date compared with production that you can't take into account the way AD is in testing.

We may have a chance to greenfield the whole thing. What would be the best way to architect it?
Single-domain forest with child domains.
Single AD with each managed company having its own OU.
Different domains with trust relationships set up.
Different domains with trusts for the companies, then one internal domain with subdomains for the different environments with one-way AD replication, so that Dev people can't affect GPOs for Prod.

To me a picture is worth a thousand words, so any input with diagrams would be great.

If the AD is for your apps just for authentication purposes, then I would go for a single AD with each managed company having its own OU, but that depends on the customers' environments as well. If there are big customizations to a customer's AD that you need to account for with your apps, then you need a similar and separate AD for that customer.
Trusts between domains would create administrative overhead, and child domains would make your future AD operations more difficult.
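The "one OU per managed company" option only works as a security model if each tenant's administration is delegated to its own OU and nothing else, and each tenant's GPOs are linked only to that OU. The following PowerShell is an added example, not code from this thread or from the poster's company; the tenant names and the "Tenants" root OU are constructed, and it assumes the RSAT ActiveDirectory and GroupPolicy modules on a domain-joined admin workstation.

```powershell
# Added example: one OU per tenant, a per-tenant admin group with rights scoped
# to that OU only, and a tenant-scoped GPO link. Tenant names are constructed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$tenants  = @('Contoso', 'Fabrikam')          # constructed sample tenants
$domainDN = (Get-ADDomain).DistinguishedName
$root     = "OU=Tenants,$domainDN"            # assumed root OU for all tenants

# Create the shared "Tenants" container once.
if (-not (Get-ADOrganizationalUnit -LDAPFilter '(ou=Tenants)' -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'Tenants' -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

foreach ($t in $tenants) {
    $ou = "OU=$t,$root"
    New-ADOrganizationalUnit -Name $t -Path $root -ProtectedFromAccidentalDeletion $true
    foreach ($sub in 'Users', 'Computers', 'Groups') {
        New-ADOrganizationalUnit -Name $sub -Path $ou
    }

    # Per-tenant admin group; its rights come only from the ACE below, so a
    # compromised tenant admin cannot touch another tenant's OU.
    $grp = New-ADGroup -Name "ADM-$t" -GroupScope Global -GroupCategory Security `
                       -Path "OU=Groups,$ou" -PassThru

    # Delegate full control over this OU subtree (and nothing above it).
    $acl = Get-Acl -Path "AD:\$ou"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $grp.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$ou" -AclObject $acl

    # Tenant-scoped baseline GPO: linked to this OU only, so policy edits by one
    # tenant (or a Dev environment) cannot reach another tenant's objects.
    New-GPO -Name "GPO-$t-Baseline" | New-GPLink -Target $ou -LinkEnabled Yes
}
```

Two caveats to keep in mind: the ACE scopes what tenant admins can change, but by default every authenticated user can still read the whole directory, so tenant data is not hidden from other tenants in a single domain; and because the forest, not the OU, is the security boundary, any privilege escalation from a tenant OU (for example via a misconfigured GPO or an over-broad built-in group membership) affects every tenant in that forest.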
jackoltd (Author) commented:
The only apps we use that really require AD are SharePoint, XenApp/XenDesktop and Exchange.
With regard to Exchange, they are all separated. Would it be better to have one Exchange environment in conjunction with a single domain?
"They are all separated" - who?
Regarding Exchange, you have not mentioned any needs and concerns yet.

jackoltd (Author) commented:
Doesn't matter now; they have decided to keep it all separated.