Active Directory Multi-Tenant

Hi, I am curious to know if anyone has designed an AD multi-tenant infrastructure and how they did it. What are the best practices?
Should it be one domain, one forest with multiple domains, multiple trusts, etc.? Is it a horrible idea?

We want to use this as a normal AD domain for all customers.  The goal is to make it easier to manage users, computers, DNS, etc, without needing to login to each domain separately.  However, obviously we need to keep security in mind.

Each customer, domain/OU or however it should be designed, will consist of users and computers / servers.
The infrastructure will need to support 100 domains, or customers.

Windows 2012 R2.


Cliff Galiher commented:
AD was not designed for multi-tenancy and isn't well suited for it. Use automation tools like the Azure Pack (as an example) to help manage multiple discrete domains instead.
Will Szymkowski, Senior Solution Architect, commented:
"However, obviously we need to keep security in mind."

There is really no way around security. Even if you create child domains, all domains have transitivity between each other and will be able to authenticate, etc. Personally, I would have each domain completely separate, using a Forest Root domain, one for each. This is probably not what you are looking to hear, but you cannot really segment the domains from each other if they are all under the Forest Root Domain.
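The point above, that child domains in one forest are not a security boundary, can be checked directly from a workstation with the RSAT ActiveDirectory module. The following is an added example and not code from the thread; the tenant domain names (tenant-a.hosting.example, tenant-b.hosting.example) and the hosting forest are hypothetical placeholders, and the script assumes they are reachable and that you hold an ordinary, non-administrative account in tenant A.

```powershell
# Added example: verify whether tenant domains are actually isolated from each other.
# Domain names below are placeholders for a hypothetical hosting forest.
Import-Module ActiveDirectory

$tenantDomains = @('tenant-a.hosting.example', 'tenant-b.hosting.example')

# 1. Every domain in a forest trusts every other domain transitively. Parent/child
#    trusts are created automatically and cannot be removed or made selective.
Get-ADForest | Select-Object Name, RootDomain, Domains
Get-ADTrust -Filter * | Select-Object Name, Direction, IntraForest, ForestTransitive

# 2. From a plain user in tenant A, read tenant B's directory. A user from any domain
#    in the forest is a member of Authenticated Users in every other domain, and the
#    default ACLs grant Authenticated Users read access to most objects.
$credA = Get-Credential -Message 'Ordinary (non-admin) user in tenant-a'
Get-ADUser -Server 'tenant-b.hosting.example' -Credential $credA -Filter * -ResultSetSize 5 |
    Select-Object SamAccountName, DistinguishedName
Get-ADComputer -Server 'tenant-b.hosting.example' -Credential $credA -Filter * -ResultSetSize 5 |
    Select-Object Name, OperatingSystem

# 3. Two tenants are only isolated when they live in different forests.
#    Group the tenant domains by forest and warn about any forest shared by more than one.
function Test-TenantIsolation {
    param([string[]]$Domains)

    $membership = foreach ($d in $Domains) {
        [pscustomobject]@{
            Domain = $d
            Forest = (Get-ADDomain -Server $d).Forest
        }
    }

    $membership | Group-Object Forest | Where-Object Count -gt 1 | ForEach-Object {
        Write-Warning ("Tenants {0} share forest {1}: the forest, not the domain, is the security boundary" -f `
            ($_.Group.Domain -join ', '), $_.Name)
    }

    $membership
}

Test-TenantIsolation -Domains $tenantDomains
```

If step 2 returns objects for a credential that has no rights at all in tenant B, the tenants are sharing a forest and the only real fix is what the comment recommends: one forest per tenant. Centralised management can then be layered on top with a one-way forest trust from each tenant forest to a separate management forest, with selective authentication enabled (netdom trust ... /SelectiveAUTH:yes) so that only explicitly permitted management accounts can authenticate into a tenant forest.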

David Johnson, CD, MVP, Owner, commented:
As mentioned above, Azure Pack and/or SCVMM is what is required.
For instance, we have several companies that directly compete with each other in the marketplace. They need to ensure that their information in our data centre is private and not shared with their competitors. They are paying for compute/disk/network resources with a service level agreement of five nines.

SCVMM is a bear to set up initially, but there is no way for company A using virtual network 192.168.1.0/24 to access or even know about company B using a virtual network 192.168.1.0/24; these virtual networks are totally isolated. As for configuration / service, we use LogMeIn Rescue on the virtual machines exactly as we would with physical machines. We also replicate to Azure just in case, belt and suspenders, i.e. a major power failure that affects Southern Ontario/Eastern US. There have been 3 major outages in my lifetime. Azure is normally in a powered-off state.
David Johnson, CD, MVP, Owner, commented:
"The goal is to make it easier (unsaid: for us) to manage users, computers, DNS, etc., without needing to login to each domain separately. However, obviously we need to keep security in mind."

What you envision throws security out of the window. You have to treat it as completely separate entities, or you are throwing security out of the window with the bathwater.
