Multi-tenant Active Directory design

Posted on 2014-08-03
Last Modified: 2014-09-28
Dear Experts,

I am currently at a Managed IT Services company.
Currently they have a totally separate AD/network for each customer and for the internal environments (UAT, DEV, Prod).
This makes it VERY hard to manage, as you have to RDP onto one server to get onto another server.
The same goes for the different internal environments. To me UAT testing is irrelevant, as the ADs are so out of date compared with production that you can't take into account the way AD is in testing.

We may have a chance to greenfield the whole thing. What would be the best way to architect it?
Single-domain forest with child domains.
Single AD with each managed company having its own OU.
Different domains with trust relationships set up.
Different domains with trusts for the companies, then one internal domain with subdomains for the different environments with one-way AD replication, so that Dev people can't affect GPOs for Prod.

To me a picture is worth a thousand words, so any input with diagrams would be great.
Question by: jackoltd

    Assisted Solution

    If the AD is for your apps just for authentication purposes, then I would go for a single AD with each managed company having its own OU, but that depends on the customers' environments as well. If there are big customizations to a customer's AD that you need to account for in your apps, then you need a similar and separate AD for that customer.
    Trusts between domains would create administrative overhead, and child domains would make your future AD operations more difficult.
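    As an added example (not code from this thread), here is the OU-per-customer layout the answer above suggests, with one delegated admin group per tenant whose rights stop at the tenant's own OU. It assumes the RSAT ActiveDirectory module, a Domain Admin session, and the placeholder domain DC=msp,DC=example.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory module
# and the placeholder domain DC=msp,DC=example.
Import-Module ActiveDirectory

function New-TenantContainer {
    param(
        [Parameter(Mandatory)][string]$TenantName,
        [string]$DomainDN = 'DC=msp,DC=example'   # placeholder domain DN
    )
    $tenantsDN = "OU=Tenants,$DomainDN"
    $ouDN      = "OU=$TenantName,$tenantsDN"

    # Shared parent OU for all customers, created once.
    if (-not (Get-ADOrganizationalUnit -LDAPFilter '(ou=Tenants)' -SearchBase $DomainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name 'Tenants' -Path $DomainDN
    }

    # Tenant OU plus the usual sub-containers (ProtectedFromAccidentalDeletion is on by default).
    New-ADOrganizationalUnit -Name $TenantName -Path $tenantsDN
    foreach ($sub in 'Users', 'Computers', 'Groups') {
        New-ADOrganizationalUnit -Name $sub -Path $ouDN
    }

    # One security group per tenant, stored inside the tenant's own OU.
    $grp = New-ADGroup -Name "ADM-$TenantName" -GroupScope Global -GroupCategory Security `
                       -Path "OU=Groups,$ouDN" -PassThru

    # Delegate full control over the tenant subtree to that group only. Nothing is granted
    # at the domain head or in the Policies container, so tenant admins can link existing
    # GPOs to their OU but cannot edit GPOs or touch any other tenant's objects.
    $acl  = Get-Acl -Path "AD:\$ouDN"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        [System.Security.Principal.SecurityIdentifier]$grp.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$ouDN" -AclObject $acl
    return $ouDN
}

# Check: list the explicit (non-inherited) ACEs on a tenant OU to confirm only the
# intended group was added, which is what a periodic delegation review should compare against.
function Get-TenantDelegation {
    param([Parameter(Mandatory)][string]$OuDN)
    (Get-Acl -Path "AD:\$OuDN").Access | Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
}

$dn = New-TenantContainer -TenantName 'CustomerA'
Get-TenantDelegation -OuDN $dn
```

    Separating Dev, UAT and Prod the same way (their own OUs with their own delegated groups and no shared GPO edit rights) covers the "Dev people can't affect GPOs for Prod" requirement without a second domain.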

    Assisted Solution

    The only apps we use that really require AD are SharePoint, XenApp/XenDesktop and Exchange.
    With regards to Exchange, they are all separated. Would it be better to have one Exchange environment in conjunction with a single domain?

    Accepted Solution

    "they are all separated" - who?
    Regarding Exchange, you have not mentioned any needs or concerns yet.

    Author Closing Comment

    Doesn't matter now, they have decided to keep it all separated.
