Forum Discussion
ossniper
Aug 18, 2022
Copper Contributor
Large-scale VDI deployment management with Active Directory and domains
Hello, I am working for a start-up and deployed RDS persistent VDI for just one enterprise, which works perfectly. Now the office wants to offer persistent VDI to multiple companies. I don't have muc...
ossniper
Copper Contributor
Thank you so much for your response. I really appreciate your feedback.
We are a start-up data center targeting mid-size organizations of 5-50 users, mostly external companies.
1. We want to provide VDI, M365, Mail, OneDrive, Azure Backup, Azure Storage, Lighthouse and all Microsoft services through our account.
2. VDIs will be hosted at our data center, as each organization has different requirements, viz. accounting, designing, drafting, documenting, high graphics, etc.
3. We want each organization to be separate, but controlled by our domain.
4. There can be more than 300 organizations with 5-50 users under each organization.
5. Customer billing will be done under our company, as we are providing different services to different organizations.
6. We will have our own AD, DNS, DHCP for on-premises IT infrastructure.
7. We plan to sync AD to Azure AD via AD Connect.
8. An important concern is that the 'AAA' organization shouldn't be able to communicate with the 'BBB' organization.
Neither organization should be able to see / view the other organizations under our domain, e.g. aaa.aaa.com shouldn't be able to communicate with / view bbb.aaa.com or ccc.aaa.com... Can this be done by GPO, or?
9. Should we consider a sub-domain topology, or is any other suggested?
I look forward to your feedback
Best Regards
Aug 22, 2022
If you want to be an MSP for external companies, then I would suggest putting more effort into automation so that you can:
- Deploy/configure a standard Active Directory structure for each customer, with its own DNS/DHCP and Azure AD Connect for that customer, with access only to the internet and their own environment (isolation)
- Automate the creation of networks
- Automate provisioning of accounts
- Automate the creation of the VDI environment (Deployment, configuration, and scaling)
- Have a good ticket system and self-service portal
The main goal should be, in my opinion, that you can service customers with standardization and automation, but that they can leave you at any point keeping their own users and 365/Azure environment. Customers want an exit strategy too 🙂 Don't try to host multiple customers in one 365/Azure environment; too complex for external customers. SharePoint, Exchange Online, and Teams are difficult to separate, and what if they want to use Endpoint Manager, for example? A lot of deployment profiles, settings, and risks of changing the wrong things for the wrong customer.
ossniper
Aug 22, 2022
Copper Contributor
The company intends to provision all these services on-premises and not in Azure. We are considering Azure perhaps next year, but currently all deployment and configuration will be on-premises.
Currently I have deployed a persistent VDI for 10 users with a single domain.
Now we intend to offer services at large scale, whereby all logins for each company will be via the main domain. Security still seems to be my major concern, as I would like to isolate each company from one another.
The thought of using multiple OUs doesn't seem feasible to me, which is why I want to know how the deployment should be for on-premises.
Parent domain with child domains, or multiple domains?
Thank you

Aug 22, 2022
Multiple OUs can be done... 🙂 ... but hardening them, to make sure users and groups aren't visible when using LDAP 😛, that's another piece of the pie 🙂 ..
Yes, we have it all secured, but it took about 10 years to become an expert in it.

ossniper
Aug 22, 2022
Copper Contributor
This is what I am currently trying to fix. Would you recommend I go with multiple OUs per enterprise rather than multiple domains?
Then I will have to secure an expert for hardening so they aren't visible.
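The "hardening" the second reply alludes to, as an added PowerShell example that is not from the thread or any of its participants: one tenant OU in a shared domain whose contents can only be enumerated over LDAP by that tenant's own group, using Active Directory's List Object mode plus an OU ACL with the broad read grants removed. OU permissions are set on the directory objects themselves, not through Group Policy, which is why the "can this be done by GPO?" question has no GPO answer. Everything named here is a placeholder: the domain corp.example, an existing OU=Tenants container, the tenant "aaa", the group T-aaa-Users and the DC dc1.

```powershell
# Added example (not from the thread): a per-tenant OU that other tenants cannot list over LDAP.
# Assumptions (all placeholders): run as a Domain Admin with RSAT; domain corp.example with an
# existing OU=Tenants container; tenant name 'aaa'.
Import-Module ActiveDirectory

$Tenant    = 'aaa'
$TenantsOU = 'OU=Tenants,DC=corp,DC=example'
$OU        = "OU=$Tenant,$TenantsOU"

# --- 1. Forest-wide: turn on List Object mode (dSHeuristics, 3rd character = '1'). ---
# Normally List Contents on a container is enough to see every child object. In List Object mode
# the DC also honours the per-object List Object right, so a caller without List Contents on the
# OU (and without List Object on a child) gets no results from a subtree search under it.
$dsPath  = 'CN=Directory Service,CN=Windows NT,CN=Services,' + (Get-ADRootDSE).configurationNamingContext
$current = (Get-ADObject -Identity $dsPath -Properties dSHeuristics).dSHeuristics
if (-not $current) { $current = '' }
$current = $current.PadRight(3, '0')                      # keep whatever is already set in positions 1-2
$new     = $current.Substring(0, 2) + '1' + $current.Substring(3)
if ($new -ne $current) { Set-ADObject -Identity $dsPath -Replace @{ dSHeuristics = $new } }

# --- 2. The tenant OU and the one group that is allowed to look inside it. ---
New-ADOrganizationalUnit -Name $Tenant -Path $TenantsOU -ProtectedFromAccidentalDeletion $true
$group = New-ADGroup -Name "T-$Tenant-Users" -Path $OU -GroupScope Global -GroupCategory Security -PassThru

# --- 3. Cut ACL inheritance on the OU, then drop the "everyone can read" identities. ---
# SetAccessRuleProtection($true, $true) blocks inherited ACEs but copies them in as explicit ones,
# so Domain Admins and SYSTEM keep their access. The purge then removes only the broad principals
# that would otherwise let any domain user enumerate this tenant's users and groups.
$acl = Get-Acl -Path "AD:\$OU"
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path "AD:\$OU" -AclObject $acl

$acl = Get-Acl -Path "AD:\$OU"
foreach ($name in 'NT AUTHORITY\Authenticated Users', 'Everyone', 'BUILTIN\Pre-Windows 2000 Compatible Access') {
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$name)
}

# --- 4. Grant the tenant's group read/list on the OU and everything beneath it. ---
# GenericRead = Read Permissions + List Contents + List Object + Read All Properties.
$rights = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$rule   = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $group.SID, $rights, 'Allow', 'All'
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$OU" -AclObject $acl

# --- 5. Check it from another tenant's point of view. ---
# With the credentials of a user who is NOT in T-aaa-Users, a subtree search under OU=aaa should
# return nothing; the same query run as a T-aaa-Users member returns the tenant's objects.
# $other = Get-Credential 'CORP\bbb.user'
# Get-ADObject -Filter * -SearchBase $OU -SearchScope Subtree -Server dc1.corp.example -Credential $other
```

Two caveats a practitioner should keep in mind. First, this hides directory objects from browsing and search; an object whose full DN is already known may still be readable through the rights the schema's default security descriptor grants, so treat it as preventing enumeration rather than as a hard boundary, and test each object class you care about. Second, it does nothing about item 8 in the original post at the network level: stopping tenant AAA's VDI hosts from talking to tenant BBB's is a VLAN/firewall segmentation job, independent of anything done in AD.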