Windows – Creating a multi-tenant AD environment

Tags: active-directory, multi-tenancy, windows

We currently have the following environment (hosted on Server 2003, with terminal servers on 2008 R2) and we need to upgrade this to their 2012 versions. We will create a new environment from scratch.

Domain controllers

  • DC01
  • DC02

File server

  • File01

Exchange server

  • Exchange01

Terminal servers

  • TS_ClientA
  • TS_ClientB
  • TS_ClientC

Each client has its own OU within our AD, and using denies (ADSIedit) they can't see each other in Exchange, nor as normal objects (like for folder permissions).

We don't want to use these tricks again and rather have a well thought out active directory design.

Now, I have googled this, but it doesn't seem this is possible (at least, natively). We would still need to use ADSIedit and do tricks to get a multi-tenant environment. Regarding Exchange, we thought about using Office 365 for the clients.

I'd like to know if I misunderstood something or if there's anything I'm missing to create a multi-tenant 2012 R2 environment.

Best Answer

The default permissions in Active Directory aren't set up for a multi-tenant environment. You're going to have to make modifications to the stock permissions to accomplish what you're looking for. That's just the nature of the product's design.

If you can get away from a single AD forest and move to multiple account forests without trust relationships between each other (which, arguably, the Windows Server 2012 Datacenter license helps enable) you'll have to do far less "hacking" AD permissions since forests are the atomic security boundary. You would maintain resource forest(s) with one-way intransitive trust relationships to the account forests in this type of scenario.
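As an added example (not part of the answer above), the following PowerShell audit checks that the trust topology of a resource forest matches the design the answer describes: every tenant account forest is reachable only through a one-way, non-transitive trust, and nothing else is trusted. It assumes it is run on a domain controller of the resource forest with the ActiveDirectory module available, and that the tenant forest names passed in are hypothetical.

```powershell
# Added example: verify the "resource forest + one-way intransitive trusts"
# layout from the resource forest's point of view. Uses only Get-ADTrust
# (ActiveDirectory module, Server 2012 R2 or later).
Import-Module ActiveDirectory

function Test-TenantTrustTopology {
    [CmdletBinding()]
    param(
        # DNS names of the tenant account forests (hypothetical values, assumption).
        [Parameter(Mandatory)] [string[]] $TenantForests
    )

    # All trust objects stored in this (resource) forest.
    $trusts = @(Get-ADTrust -Filter *)

    foreach ($t in $trusts) {
        $issues = @()
        # Seen from the resource forest, "Outbound" means "we trust them", which is
        # what lets tenant accounts reach resources here; anything two-way means the
        # tenant forest also trusts us and the boundary is no longer one-way.
        if ($t.Direction -ne 'Outbound') { $issues += "direction is $($t.Direction), expected Outbound" }
        # A forest-transitive trust would let tenants reach each other via this forest.
        if ($t.ForestTransitive) { $issues += 'trust is forest-transitive' }
        # Trusts inside the forest mean a tenant is a child domain, not a separate forest.
        if ($t.IntraForest) { $issues += 'intra-forest trust (tenant is not a separate forest)' }
        if ($TenantForests -notcontains $t.Name) { $issues += 'partner is not a known tenant forest' }

        [pscustomobject]@{
            Partner    = $t.Name
            Direction  = $t.Direction
            Transitive = [bool]$t.ForestTransitive
            Status     = if ($issues) { 'REVIEW: ' + ($issues -join '; ') } else { 'OK' }
        }
    }

    # Tenants that have no trust at all cannot use the shared resources.
    foreach ($f in $TenantForests) {
        if ($trusts.Name -notcontains $f) {
            [pscustomobject]@{
                Partner = $f; Direction = 'None'; Transitive = $false
                Status  = 'REVIEW: no trust from the resource forest to this tenant'
            }
        }
    }
}

# Usage (tenant forest names are hypothetical):
Test-TenantTrustTopology -TenantForests 'clienta.local', 'clientb.local', 'clientc.local' |
    Format-Table -AutoSize
```

Any row marked REVIEW is a deviation from the intended design and is worth checking before tenants are placed in the environment.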