Handle multiple companies with AD?

    Question

  • Hi!

    I've seen some threads about this already, but I want to discuss it under my conditions, because I often get very different answers depending on the setup.

    How should I handle multiple companies in an Active Directory solution?

    We're hosting the servers of 10 separate companies. They are pretty small and vary between 5-10 servers per customer. Each customer has between 1-100 users. Our goal is to have all servers joined to an AD domain for easier management by our admins.

    So what options do we have?

    • Single forest with one domain?
    • Single forest with multiple domains/child domains?
    • Multiple forests with trust relationships (using 'Selective authentication' for our admins)?

    The biggest question is of course security, since a forest is a security boundary. Can a good OU structure, policies and ACLs be an option? Every customer does of course have a network isolated from the others.

    If Microsoft were to measure our quantity of AD objects, it's a really small environment. I don't know if this should factor into our decision, but I think it's very inefficient to use ten different forests for this size.

    Today we have one forest with a single domain, which one customer is joined to. So I would really appreciate some guidance on how we should proceed with joining all servers to an AD domain.

    For your information, we're using SCCM in the domain.

    Thank you!

    Tuesday, January 10, 2017 3:39 PM

Answers

  • I always recommend keeping it as simple as possible => 1 forest with 1 domain. You can use different OUs for the companies you have and apply different ACLs at the OU level for the delegation of administration.

    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Ahmed MALEK

    Tuesday, January 10, 2017 11:50 PM
  • > Can a good OU structure, policies and ACLs be an option? Every customer does of course have a network isolated from the others.

    As Mr. X pointed out: OU structure and ACLs are sufficient. We run a multi-tenant environment for more than 400 customers this way. Do some research about "List Object Mode" though :-)
     
    Wednesday, January 11, 2017 12:31 PM
  • You can use a custom UPN suffix on the OU if you want to log on with a different domain name and have the feel of a different domain.

    Wednesday, January 11, 2017 3:39 PM
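The answers above (one domain, one OU per customer with delegated ACLs, List Object Mode, a custom UPN suffix) put into a PowerShell script, as an added example that is not part of the thread or of any poster's setup. It assumes the ActiveDirectory RSAT module and Domain Admins rights; the names 'Customers', 'CustomerA' and 'customera.example' are constructed placeholders.

```powershell
# Added example: per-customer OU with delegated ACLs, List Object Mode and a
# per-customer UPN suffix. 'Customers', 'CustomerA', 'customera.example' are placeholders.
Import-Module ActiveDirectory
$domainDN  = (Get-ADDomain).DistinguishedName
$parentOU  = "OU=Customers,$domainDN"
$authUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'   # Authenticated Users

function Remove-AuthenticatedUsersAce([string]$dn) {
    # Strip the default explicit "Authenticated Users: Read" ACE so every domain account
    # can no longer list this OU. (If Pre-Windows 2000 Compatible Access still contains
    # Authenticated Users, its inherited List Contents ACEs need reviewing as well.)
    $acl = Get-Acl "AD:\$dn"
    $acl.Access |
        Where-Object { -not $_.IsInherited -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $authUsers } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    Set-Acl "AD:\$dn" $acl
}

function New-TenantOU([string]$tenant) {
    $ou  = "OU=$tenant,$parentOU"
    New-ADOrganizationalUnit -Name $tenant -Path $parentOU
    $grp = New-ADGroup -Name "$tenant-Admins" -GroupScope Global -GroupCategory Security -Path $ou -PassThru
    Remove-AuthenticatedUsersAce $ou
    $acl   = Get-Acl "AD:\$ou"
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    # Tenant admins can see and read their own OU; ListObject is the right that
    # List Object Mode checks when the parent does not grant List Contents.
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $grp.SID, [System.DirectoryServices.ActiveDirectoryRights]'GenericRead, ListObject', $allow))
    # ...and fully manage the objects below it, but nothing outside it.
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $grp.SID, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, $allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents))
    Set-Acl "AD:\$ou" $acl
}

# 1. Forest-wide List Object Mode: third character of dsHeuristics set to '1'.
$dsPath = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$h = (Get-ADObject $dsPath -Properties dsHeuristics).dsHeuristics
if (-not $h) { $h = '' }
$h = $h.PadRight(3, '0')
Set-ADObject $dsPath -Replace @{ dsHeuristics = $h.Substring(0, 2) + '1' + $h.Substring(3) }

# 2. Shared parent OU that ordinary users can no longer enumerate.
New-ADOrganizationalUnit -Name 'Customers' -Path $domainDN
Remove-AuthenticatedUsersAce $parentOU

# 3. One OU per customer, plus a UPN suffix so its users can log on as user@customera.example.
New-TenantOU 'CustomerA'
Set-ADForest -Identity (Get-ADForest).Name -UPNSuffixes @{ Add = 'customera.example' }
```

After running this, a CustomerA account browsing the Customers OU sees only the OUs it has ListObject on, and CustomerA-Admins can create and manage objects only under their own OU; check the result with `Get-Acl "AD:\OU=CustomerA,OU=Customers,$domainDN" | Select -Expand Access`.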

All replies

  • Thanks for answering!

    My idea was, like you said, to split customers into separate OUs and restrict them with ACLs.

    Every customer's users won't be members of any built-in group or, for example, Domain Users, to avoid too many permissions in the domain.

    Any other aspects regarding security?

    Wednesday, January 11, 2017 12:45 PM
  • > As Mr. X pointed out: OU structure and ACLs are sufficient. We run a multi-tenant environment for more than 400 customers this way. Do some research about "List Object Mode" though :-)

    Thank you, I will do some research about "List Object Mode". :-)

    Wednesday, January 11, 2017 2:45 PM