Remote Desktop - Multiple Domains

Hi

I currently host multiple terminal servers, ranging from Server 2008 R2 to Server 2016 - I plan on upgrading them all to 2016 and then keeping them within two versions of the latest server OS.

Each customer gets their own terminal server ‘hosted desktop’ which all their users log on to. Some of these will have an active directory, some are a standalone RDS with local users only.

I would like to have a single forest, with each customer having their own domain. That way they only need one server of their own, but get all the features of active directory, which would allow me to configure an RD gateway which when they log in connects them to their own server. This would also allow them to login via the web rather than just an RDP file.

Can anyone think of any security implications of this? I wouldn’t want people to be able to see that any other domains exist and I would want them to be completely secure.

I can create multiple domains within a forest etc, but have never gone this far on such a scale.

I appreciate this is an open-ended question, but I would like to get expert opinions before I go and try it out, as I can then use that information to determine where and what to research.

Has anyone got any examples of similar things or any suggestions on what to research first?

To give you some background information, we have rackspace in three datacentres, all linked via site-to-site VPN. Each customer is vLAN’d from each other currently, but I could set up routes to a central AD server.

Thanks!
Matt Richardson Asked:
David Johnson, CD, MVP Owner Commented:
"I would like to have a single forest, with each customer having their own domain. That way they only need one server of their own, but get all the features of active directory, which would allow me to configure an RD gateway which when they log in connects them to their own server. This would also allow them to login via the web rather than just an RDP file."

This means that the clients have to join the forest and create their own domain. Easy for you, hard for them. Means moving all users, shares etc.
Also they can't have any Enterprise Admins.
Cliff Galiher Commented:
I am not seeing the benefit of the forest in this scenario. Standalone forests per customer is more secure.  When you look at the major hosting providers that do multitenancy securely, they don't monkey with it either. Good policy to follow.

Ronin Commented:
You probably will need a full RDS deployment, including Gateway, Broker, Web and back-end Hosts.
In order to achieve what you're looking for you would need:
1. Create a parent domain for your management environment where all the supporting infrastructure will be deployed. That would include AD, gateway and web, RRAS, etc.
2. Create a separate domain for each customer, which will trust your parent domain. Technically it's not required since your gateway should be able to find the customer's broker server based on DNS, however it will allow you to use automation (PS) more easily.
3. Deploy broker and host in the client's domain.

A lot of useful information on Channel 9. Search for RDS, remote desktop.

Also don't forget about licensing.
 
Have a look at the following information (I have used it intensely while building a similar environment for a customer):

Azure desktop hosting - Reference architecture and deployment guides
https://technet.microsoft.com/en-us/library/mt404690(v=ws.11).aspx

Remote Desktop Services architecture
https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/Desktop-hosting-logical-architecture

RD Licensing Configuration on Windows Server 2012
http://blogs.technet.com/b/askperf/archive/2013/09/20/rd-licensing-configuration-on-windows-server-2012.aspx

Remote Desktop Services (RDS) Architecture Explained
http://blogs.technet.com/b/yungchou/archive/2010/01/04/remote-desktop-services-rds-architecture-explained.aspx

Step by Step Windows 2012 R2 Remote Desktop Services – Part 1
http://msfreaks.wordpress.com/2013/12/09/windows-2012-r2-remote-desktop-services-part-1/

RDS Gateway:
Deploying Remote Desktop Gateway Step-by-Step Guide
http://www.microsoft.com/en-ca/download/details.aspx?id=5177

Remote Desktop Gateway
http://technet.microsoft.com/en-us/library/dd560672(v=ws.10).aspx

Configuring the Remote Desktop Gateway Server
http://technet.microsoft.com/en-us/library/cc754191.aspx

RD Gateway - ports and certificates
http://social.technet.microsoft.com/Forums/windowsserver/en-US/a241a5be-e39d-4dfc-a513-e4f83c4dc906/rd-gateway-ports-and-certificates?forum=winserverTS

RDS 2012: Which ports are used during deployment?
https://social.technet.microsoft.com/wiki/contents/articles/16164.rds-2012-which-ports-are-used-during-deployment.aspx

RD Gateway 2012 Ports
http://www.rdsgurus.com/rds-resource/rd-gateway-2012-ports/

RD Gateway deployment in a perimeter network & Firewall rules
http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx

Improving TS Gateway availability using NLB
http://blogs.msdn.com/b/rds/archive/2009/03/24/improving-ts-gateway-availability-using-nlb.aspx

Create a Remote Desktop Gateway Server Farm
http://technet.microsoft.com/en-ca/library/cc732370.aspx

Step By Step – Using Windows Server 2012 R2 RD Gateway with Azure Multifactor Authentication
http://www.rdsgurus.com/uncategorized/step-by-step-using-windows-server-2012-r2-rd-gateway-with-azure-multifactor-authentication/

RDCB - Must be part of the domain

RD Connection Broker High Availability in Windows Server 2012
https://blogs.technet.microsoft.com/enterprisemobility/2012/06/27/rd-connection-broker-high-availability-in-windows-server-2012/

Remote Desktop Connection Broker
http://technet.microsoft.com/en-us/library/cc771419.aspx
Configuring HA for the Remote Desktop Connection Broker in a 2012 RDS Farm
http://thewolfblog.com/2014/02/02/configuring-ha-for-the-remote-desktop-connection-broker/

Deploying Remote Desktop Connection Broker with High Availability Step-by-Step Guide
http://technet.microsoft.com/en-us/library/ff686148(v=ws.10).aspx
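An added example (not from this thread or any of the posters): a PowerShell audit of the layout Ronin describes, a management domain hosting the RD Gateway with a trust to each customer domain, checking the trust settings and gateway resource authorization policies that decide whether tenants stay isolated from each other. It assumes the RSAT ActiveDirectory module and the RemoteDesktopServices module (the RDS: drive) on the gateway server; the RAP item names under RDS:\GatewayServer\RAP and the meaning of the ComputerGroupType values are assumptions about the RDS provider, verify them against your server version.

```powershell
# Added example: audit tenant isolation in a multi-domain RDS hosting layout.
# Run on the RD Gateway in the management (parent) domain.
# Assumed modules: ActiveDirectory (RSAT) and RemoteDesktopServices (RDS: drive).
Import-Module ActiveDirectory
Import-Module RemoteDesktopServices

function Test-TenantTrusts {
    # Trusts as seen from the management domain. For tenant isolation we want
    # one-way trusts, SID filtering enabled, and selective authentication so a
    # customer's users cannot authenticate to arbitrary management-side hosts.
    $findings = @()
    foreach ($t in Get-ADTrust -Filter *) {
        if ($t.Direction -eq 'Bidirectional') {
            $findings += "Trust with $($t.Target) is two-way; one-way is preferable"
        }
        if (-not $t.SIDFilteringQuarantined -and -not $t.SIDFilteringForestAware) {
            $findings += "Trust with $($t.Target) has SID filtering disabled"
        }
        if (-not $t.SelectiveAuthentication) {
            $findings += "Trust with $($t.Target) uses domain-wide authentication"
        }
    }
    return $findings
}

function Test-GatewayRaps {
    # Each tenant's user group should only be allowed to reach its own
    # computer group. Assumed ComputerGroupType values: 0 = gateway-managed
    # group, 1 = AD network resource group, 2 = any network resource.
    $findings = @()
    foreach ($rap in Get-ChildItem 'RDS:\GatewayServer\RAP') {
        $base   = "RDS:\GatewayServer\RAP\$($rap.Name)"
        $type   = (Get-Item "$base\ComputerGroupType").CurrentValue
        $users  = Get-ChildItem "$base\UserGroups" | Select-Object -ExpandProperty Name
        if ($type -eq 2) {
            $findings += "RAP '$($rap.Name)' allows any network resource for: $($users -join ', ')"
        }
        # Placeholder heuristic: a RAP whose user groups span more than one
        # domain suffix (the part after '@') mixes tenants in one policy.
        $domains = $users | ForEach-Object { ($_ -split '@')[-1] } | Sort-Object -Unique
        if ($domains.Count -gt 1) {
            $findings += "RAP '$($rap.Name)' grants users from several domains: $($domains -join ', ')"
        }
    }
    return $findings
}

$report = @(Test-TenantTrusts) + @(Test-GatewayRaps)
if ($report.Count -eq 0) { 'No isolation findings.' } else { $report }
```

Treat the output as a checklist to review by hand; a two-way trust or a shared RAP may be deliberate, but each one is a place where one customer's principals can reach another's resources.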
Matt Richardson Author Commented:
Sorry David, I mean if we migrate people already in our data centre. There are no shares, just local files.
David Johnson, CD, MVP Owner Commented:
What you propose is not a good idea, leave things as they are. Don't forget that if you update the hosts then the licensing manager has to be updated AND new RDP CALs purchased.