Forum Discussion
ossniper
Aug 18, 2022, Copper Contributor
Large-scale VDI deployment management with Active Directory and domains
Hello, I am working for a start-up and deployed RDS persistent VDI for just one enterprise, which works perfectly. Now the office wants to offer persistent VDI to multiple companies. I don't have muc...
Aug 22, 2022
So you want to be a provider for internal or external companies? If external, if you want to be a hosting provider, then separate everything network- and Active Directory-wise... If internal, then one forest and preferably one domain, with separated computers/groups/users in OUs. Multiple domains are old-fashioned, given the ability to delegate control and have different password policies if needed.
And you're also talking about Teams, are you providing Teams in one 365 tenant or multiple?
You mention a few things and without knowing the bigger picture, it's hard to give an answer...
- ossniper, Aug 22, 2022, Copper Contributor
Thank you so much for your response. I really appreciate your feedback.
We are a start-up data center targeting mid-size organizations of 5-50 users, mostly external companies.
1. We want to provide VDI, M365, Mail, OneDrive, Azure Backup, Azure Storage, Lighthouse and all Microsoft services through our account.
2. VDIs will be hosted at our data center, as each organization has different requirements, viz. accounting, designing, drafting, documenting, high graphics, etc.
3. We want each organization to be separate, but controlled by our domain.
4. There can be more than 300 organizations with 5-50 users under each organization.
5. Customer billing will be done under our company, as we are providing different services to different organizations.
6. We will have our own AD, DNS, DHCP for on-premises IT infrastructure.
7. We plan to sync AD to Azure AD via AD Connect.
8. An important concern is that the 'AAA' organization shouldn't be able to communicate with the 'BBB' organization.
Neither organization should be able to see / view the other organizations under our domain, e.g. aaa.aaa.com shouldn't be able to communicate with / view bbb.aaa.com or ccc.aaa.com... Can this be done by GPO, or ...?
9. Should we consider a sub-domain topology, or is any other suggested?
I look forward to your feedback
Best Regards
- Aug 22, 2022
If you want to be an MSP for external companies, then I would suggest putting more effort into automation so that you can:
- Deploy/configure a standard Active Directory structure for each customer with its own DNS/DHCP and Azure AD Connect for that customer with only access to the internet and their own environment (isolation)
- Automate the creation of networks
- Automate provisioning of accounts
- Automate the creation of the VDI environment (Deployment, configuration, and scaling)
- Have a good ticket system and self-service portal
The main goal should be, in my opinion, that you can service customers with standardization and automation, but that they can leave you at any point, keeping their own users and 365/Azure environment. Customers want an exit strategy too 🙂 Don't try to host multiple customers in one 365/Azure environment; too complex for external customers. SharePoint, Exchange Online, and Teams are difficult to separate, and what if they want to use Endpoint Manager, for example? A lot of deployment profiles, settings, and risks of changing the wrong things for the wrong customer.
- ossniper, Aug 22, 2022, Copper Contributor
The company intends to provision all these services on-premises and not in Azure. We are considering Azure perhaps next year, but currently all deployment and configuration will be on-premises.
Currently I have deployed a persistent VDI for 10 users with a single domain.
Now we intend to offer services at large scale, so all logins for each company will be via the main domain; security still seems to be my major concern, as I would like to isolate each company from one another.
The thought of using multiple OUs doesn't seem feasible to me, which is why I want to know how the deployment should be for on-premises.
Parent domain with child domains, or multiple domains?
Thank you
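As an added illustration (not code from any poster in this thread) of the "standard structure per customer plus automation" approach suggested above, applied to the OU-based design the thread debates: a repeatable per-customer baseline that creates the OUs and security groups, blocks inherited GPOs for that subtree, links a shared baseline GPO, and audits group membership for principals from outside the customer's OU. It assumes the ActiveDirectory and GroupPolicy RSAT modules, a parent OU and a pre-created baseline GPO; the OU path, GPO name and customer codes are placeholders.

```powershell
# Added example: per-customer AD baseline. All DNs and GPO names are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function New-CustomerBaseline {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Z0-9]{3,8}$')][string]$Code,
        [string]$ParentOU = 'OU=Customers,DC=corp,DC=example',   # placeholder
        [string]$BaselineGpo = 'Customer-Baseline'                # pre-created GPO, placeholder name
    )
    # Top-level OU for the customer, then the standard sub-OUs every customer gets.
    $ou = New-ADOrganizationalUnit -Name $Code -Path $ParentOU -ProtectedFromAccidentalDeletion $true -PassThru
    foreach ($sub in 'Users', 'Computers', 'VDI', 'Groups') {
        New-ADOrganizationalUnit -Name $sub -Path $ou.DistinguishedName -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    # One admin group and one VDI-users group per customer. The customer code in the
    # name lets the audit below spot a member that does not belong to this tenant.
    foreach ($g in "$Code-Admins", "$Code-VDI-Users") {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path "OU=Groups,$($ou.DistinguishedName)" | Out-Null
    }
    # Block inheritance so settings linked higher up (or for another customer) never
    # reach this subtree, then link the shared baseline and enforce it.
    Set-GPInheritance -Target $ou.DistinguishedName -IsBlocked Yes | Out-Null
    New-GPLink -Name $BaselineGpo -Target $ou.DistinguishedName -Enforced Yes | Out-Null
    return $ou.DistinguishedName
}

function Test-CustomerGroupIsolation {
    # Lists members of a customer's groups whose DN lies outside that customer's OU,
    # i.e. cross-tenant memberships that an operator should review.
    param(
        [Parameter(Mandatory)][string]$Code,
        [string]$ParentOU = 'OU=Customers,DC=corp,DC=example'
    )
    $tenantDn = "OU=$Code,$ParentOU"
    Get-ADGroup -Filter "Name -like '$Code-*'" -SearchBase $tenantDn | ForEach-Object {
        $grp = $_
        Get-ADGroupMember $grp -Recursive |
            Where-Object { $_.DistinguishedName -notlike "*,$tenantDn" } |
            Select-Object @{ n = 'Group'; e = { $grp.Name } }, DistinguishedName
    }
}

# Example run (placeholder customer code):
# New-CustomerBaseline -Code 'AAA'
# Test-CustomerGroupIsolation -Code 'AAA'   # empty output means no cross-tenant members
```

Blocked inheritance and per-customer groups keep settings and administration apart, but as the replies above note, an OU is not a security boundary in the way a separate forest or AD per customer is.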
- Aug 22, 2022
Hi... Let me join this wonderful conversation, as I am/was responsible for the multi-tenant Active Directory my company has.
Setting this all up is one thing... but hardening it is two, automating it is three, and having it properly licensed is four and five (you need SPLA... SPLA --> no Azure AD Connect for you 🙂, or you need to become a CSP partner...), having it tested for security issues is six 🙂, keeping it all backed up (offline, online, replication) is seven...
My advice when looking back... 😛 hire someone who could tell you where to begin...