What I am trying to do is quite complex, so I figured I'd throw it out to a wider audience to see if anyone can find a flaw. What I am trying to do (as an MSP/VAR) is design a solution that will give multiple companies a session-based remote desktop (companies that need to be kept completely separate), using only a handful of servers. This is how I imagine it at the moment:
- CORE SERVER 1 - Server 2012 Datacentre (All below are Hyper-V servers)
Server1: Cloud-DC01 (Active Directory Domain Services for mycloud.local)
Server2: Cloud-EX01 (Exchange Server 2010 running multi-tenant mode)
Server3: Cloud-SG01 (Remote Desktop Gateway)
- CORE SERVER 2 - Server 2012 Datacentre (All below are Hyper-V servers)
Server1: Cloud-DC02 (Active Directory Domain Services for mycloud.local)
Server2: Cloud-TS01 (Remote Desktop Session Host for Company A)
Server3: Cloud-TS02 (Remote Desktop Session Host for Company B)
Server4: Cloud-TS03 (Remote Desktop Session Host for Company C)
What I thought about doing was setting up each Organisation in their own OU (perhaps creating their OU structure based on the Exchange 2010 tenant OU structure so the accounts are linked). Each company would get a Remote Desktop Session Host server that would also serve as a file server. This server would be separated from the rest on its own range. The server Cloud-SG01 would have access to all these networks and route the traffic to the appropriate network when a client connects and authenticates, so they are pushed onto the correct server (based on session collections in 2012).
I won't lie, this is something I have come up with quite quickly, so there may well be something gapingly obvious that I am missing. Any feedback would be appreciated.
This is very similar to what we do. We have a single TS Gateway that all our clients enter through. This has connection and resource policies that control which user groups can log on to which servers.
Each company has their own self-contained terminal server. Most companies can only log on to the one TS, but for one particularly large client, they have two. We don't do any clustering of them, just half the users connect to TS1 and the other half connect to TS2.
All the servers sit on the same network segment, and we have very strict ACLs to define who can go where on the network (i.e. nobody can really go anywhere). Our GPO for the RDS servers also greatly restricts where they can go on the server itself.
The biggest issue that we have with this setup is the automated deployment of servers for new clients. Most of the process can be automated (we use ESXi and vSphere, which has PowerShell integration, same as Hyper-V does), but I haven't yet found out how to automate the modification of TS Gateway policies.
We also have one very large client who uses our hosted terminal servers. Because I didn't want to bother with managing all their password resets and new accounts myself, we gave them delegation rights over their own OU on the domain. When they started to outgrow that, for political reasons, we gave them their own domain under our forest. That's all worked pretty well so far as well, except you can't use the "User must change their password on next logon" option, as this is incompatible with TS Gateway. Same deal when their password expires: they can't log on and someone needs to reset their password manually.
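As an added example (not code from either poster), this is how the per-tenant gateway restriction described in the answer, and the per-company separation the question asks about, can be expressed and automated with the RemoteDesktopServices PowerShell provider (the RDS: drive installed with the RD Gateway role on Windows Server 2012): one connection authorization policy (CAP) and one resource authorization policy (RAP) per tenant, so a tenant's users can only reach that tenant's session host. The tenant group names, the assumption that each tenant has an Active Directory computer group containing only its own RDSH, and the item layout read back at the end are assumptions, not details from the post.

```powershell
# Added example, not from the original question or answer. Run on the RD Gateway
# (Cloud-SG01) as an administrator. The RDS: provider is supplied by the RD Gateway role.
Import-Module RemoteDesktopServices

$Domain = 'mycloud.local'
# Constructed tenant table: the user/computer group names are placeholders. Each
# computer group is assumed to contain only that tenant's session host
# (e.g. CompanyA-RDSH contains Cloud-TS01 and nothing else).
$Tenants = @(
    @{ Name = 'CompanyA'; UserGroup = 'CompanyA-RDS-Users'; ComputerGroup = 'CompanyA-RDSH' }
    @{ Name = 'CompanyB'; UserGroup = 'CompanyB-RDS-Users'; ComputerGroup = 'CompanyB-RDSH' }
    @{ Name = 'CompanyC'; UserGroup = 'CompanyC-RDS-Users'; ComputerGroup = 'CompanyC-RDSH' }
)

foreach ($t in $Tenants) {
    $capName = "CAP-$($t.Name)"
    $rapName = "RAP-$($t.Name)"

    # CAP: only members of this tenant's user group may authenticate to the gateway
    # (AuthMethod 1 = password). Idempotent so the script can run on every new deployment.
    if (-not (Test-Path "RDS:\GatewayServer\CAP\$capName")) {
        New-Item -Path 'RDS:\GatewayServer\CAP' -Name $capName `
            -UserGroups "$($t.UserGroup)@$Domain" -AuthMethod 1 | Out-Null
    }

    # RAP: the same user group may connect only to hosts in this tenant's AD computer
    # group (ComputerGroupType 1 = Active Directory group) on the RDP port. Hosts of
    # the other tenants are not reachable through the gateway for these users.
    if (-not (Test-Path "RDS:\GatewayServer\RAP\$rapName")) {
        New-Item -Path 'RDS:\GatewayServer\RAP' -Name $rapName `
            -UserGroups "$($t.UserGroup)@$Domain" `
            -ComputerGroupType 1 -ComputerGroup "$($t.ComputerGroup)@$Domain" `
            -PortNumbers '3389' | Out-Null
    }
}

# Read back what the gateway enforces (assumes each RAP exposes a UserGroups container
# and a ComputerGroup item, as the provider does). Every RAP should pair exactly one
# tenant user group with exactly one tenant computer group.
Get-ChildItem 'RDS:\GatewayServer\RAP' | ForEach-Object {
    [pscustomobject]@{
        RAP           = $_.Name
        UserGroups    = (Get-ChildItem "$($_.PSPath)\UserGroups").Name -join ';'
        ComputerGroup = (Get-Item "$($_.PSPath)\ComputerGroup").CurrentValue
    }
} | Format-Table -AutoSize
```

Run the script again whenever a tenant is added; existing policies are left untouched and only the missing CAP/RAP pair is created.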