We currently have the following environment (hosted on Server 2003, with terminal servers on 2008 R2) and we need to upgrade this to their 2012 versions. We will create a new environment from scratch.
Domain controllers
- DC01
- DC02
File server
- File01
Exchange server
- Exchange01
Terminal servers
- TS_ClientA
- TS_ClientB
- TS_ClientC
Each client has their own OU within our AD, and using denies (ADSIedit) they can't see each other in Exchange nor as normal objects (like for folder permissions).
We don't want to use these tricks again and rather have a well thought out active directory design.
Now, I have googled this, but it doesn't seem this is possible (at least, natively). We still need to use ADSIedit and do tricks to get a multi-tenant environment. Regarding Exchange, we thought about using Office 365 for the clients.
I'd like to know if I misunderstood something or if there's anything I'm missing to create a multi-tenant 2012 R2 environment.
The default permissions in Active Directory aren't set up for a multi-tenant environment. You're going to have to make modifications to the stock permissions to accomplish what you're looking for. That's just the nature of the product's design.
If you can get away from a single AD forest and move to multiple account forests without trust relationships between each other (which, arguably, the Windows Server 2012 Datacenter license helps enable) you'll have to do far less "hacking" AD permissions since forests are the atomic security boundary. You would maintain resource forest(s) with one-way intransitive trust relationships to the account forests in this type of scenario.
While Evan is right in that you can't really do what you want to do without hacking up permission ACLs in ADSIEdit, I thought I would go ahead and mention an alternative approach that I've used to good effect in large production environments before:
You can achieve a multi-tenant design with Active Directory using List Object Mode. Read all about it here:
https://www.myotherpcisacloud.com/post/2013/05/20/Active-Directory-List-Object-Mode.aspx
List Object mode still counts as "hacking up permissions," but it's a hell of a lot cleaner than putting Deny ACEs on everything.
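As an added example (not code from the answer above or from the linked post), this is what the List Object mode configuration looks like in PowerShell. It assumes the RSAT ActiveDirectory module, Enterprise Admin rights, an OU named Tenants holding one OU per client, and a group per client named ClientX-Users; all of those names are placeholders.

```powershell
# Added example, not code from the answer or the linked post. Assumes the
# RSAT ActiveDirectory module, Enterprise Admin rights, an OU=Tenants
# container with one child OU per client and a "<Client>-Users" group per
# client. All OU and group names are placeholders.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$configNC = (Get-ADRootDSE).configurationNamingContext

# 1. Enable List Object mode forest-wide. dSHeuristics is a string of
#    single-character switches; the third one (fDoListObject) must be '1'.
#    Pad and preserve whatever other switches are already set.
$dsPath = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$heur   = [string](Get-ADObject -Identity $dsPath -Properties dSHeuristics).dSHeuristics
$chars  = $heur.PadRight(3, '0').ToCharArray()
$chars[2] = '1'
Set-ADObject -Identity $dsPath -Replace @{ dSHeuristics = (-join $chars) }

# 2. Rights involved. "List Contents" lets a principal enumerate children;
#    "List Object" lets it see one specific object even without that.
$LC = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren
$LO = [System.DirectoryServices.ActiveDirectoryRights]::ListObject
$RP = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$RC = [System.DirectoryServices.ActiveDirectoryRights]::ReadControl
$AuthenticatedUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'

function Remove-RightsFromPrincipal {
    # Removes $Rights from the explicit, non-object-specific Allow ACEs that
    # $Sid holds on $ObjectDN while keeping its other rights (e.g. Read).
    # Inherited ACEs (e.g. from the domain root) are left alone: review them
    # separately, since an inherited List Contents grant would defeat this.
    param([string]$ObjectDN,
          [System.Security.Principal.SecurityIdentifier]$Sid,
          [System.DirectoryServices.ActiveDirectoryRights]$Rights)
    $acl = Get-Acl -Path "AD:\$ObjectDN"
    foreach ($ace in @($acl.Access)) {
        if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.ObjectType -ne [Guid]::Empty) { continue }
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($aceSid -ne $Sid -or ((([int]$ace.ActiveDirectoryRights) -band [int]$Rights) -eq 0)) { continue }
        $acl.RemoveAccessRuleSpecific($ace)
        $remaining = ([int]$ace.ActiveDirectoryRights) -band (-bnot [int]$Rights)
        if ($remaining -ne 0) {
            $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $Sid, [System.DirectoryServices.ActiveDirectoryRights]$remaining,
                [System.Security.AccessControl.AccessControlType]::Allow, $ace.InheritanceType)))
        }
    }
    Set-Acl -Path "AD:\$ObjectDN" -AclObject $acl
}

function Grant-TenantListRights {
    # Gives the tenant's group Read, List Contents and List Object on its OU
    # and everything beneath it.
    param([string]$ObjectDN, [string]$GroupName)
    $sid = (Get-ADGroup -Identity $GroupName).SID
    $acl = Get-Acl -Path "AD:\$ObjectDN"
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, ($RP -bor $RC -bor $LC -bor $LO),
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))
    Set-Acl -Path "AD:\$ObjectDN" -AclObject $acl
}

# 3. Apply to the tenant tree. On the parent, Authenticated Users keep List
#    Object (the Tenants OU stays visible) but lose List Contents, so they
#    can no longer enumerate which tenant OUs exist beneath it.
$tenantsOU = "OU=Tenants,$domainDN"
Remove-RightsFromPrincipal -ObjectDN $tenantsOU -Sid $AuthenticatedUsers -Rights $LC

foreach ($client in 'ClientA', 'ClientB', 'ClientC') {
    $ou = "OU=$client,$tenantsOU"
    # Other tenants lose both List Contents and List Object on this OU, so in
    # List Object mode it disappears for them...
    Remove-RightsFromPrincipal -ObjectDN $ou -Sid $AuthenticatedUsers -Rights ($LC -bor $LO)
    # ...while this tenant's own group can see it and browse its contents.
    Grant-TenantListRights -ObjectDN $ou -GroupName "$client-Users"
}
```

In List Object mode a user who lacks List Contents on a container sees a child only when holding List Object on both the container and that child, which is why the parent keeps List Object for everyone while each tenant OU grants it only to its own group. Verify with a test account from each tenant afterwards, and check the domain root for inherited grants (for example to Pre-Windows 2000 Compatible Access) that would still hand out List Contents. Because the check is evaluated per object rather than once per container, enumerating large containers costs the domain controllers more in this mode.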
While you can't use your ADSIEdit method in Exchange Server 2010 or 2013, you can use the multi-tenant capability of Exchange Server 2010 or 2013. A far easier solution (and one that I've used with a client with similar needs) is to use Address Book Policies in Exchange Server 2010 or 2013 to provide the separation and isolation that you need.
http://technet.microsoft.com/en-us/library/hh529948(v=exchg.150).aspx
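As an added example (not from the answer above or from the linked article), this is what the Address Book Policy setup looks like in the Exchange Management Shell for one tenant. It assumes Exchange 2010 SP2 or 2013, that each tenant's recipients are tagged in CustomAttribute1 with the tenant name, and a tenant called ClientA; the tenant name, the attribute choice and the mailbox address are placeholders.

```powershell
# Added example, not code from the answer or the linked TechNet article.
# Run in the Exchange Management Shell (2010 SP2+ or 2013) with the Address
# Lists and Mail Recipients roles. The tenant name, the use of
# CustomAttribute1 as the tenant tag and the sample address are placeholders.

function New-TenantAddressBookPolicy {
    param([Parameter(Mandatory = $true)][string]$Tenant)

    # Everything this tenant may see has to match one filter; tagging
    # recipients with the tenant name keeps that filter simple.
    $filter = "CustomAttribute1 -eq '$Tenant'"

    # Preview what the filter matches before building anything on it.
    Get-Recipient -RecipientPreviewFilter $filter |
        Select-Object Name, RecipientType, PrimarySmtpAddress | Format-Table -AutoSize

    # A GAL, an address list, a room list and an OAB, each scoped to the tenant.
    New-GlobalAddressList -Name "$Tenant GAL" -RecipientFilter $filter
    New-AddressList -Name "$Tenant Users" -RecipientFilter $filter
    New-AddressList -Name "$Tenant Rooms" `
        -RecipientFilter "($filter) -and (RecipientDisplayType -eq 'ConferenceRoomMailbox')"
    New-OfflineAddressBook -Name "$Tenant OAB" -AddressLists "$Tenant GAL"

    # The policy ties those four together; every mailbox it is assigned to
    # sees only these lists in Outlook and OWA instead of the default GAL.
    New-AddressBookPolicy -Name "$Tenant ABP" `
        -GlobalAddressList "$Tenant GAL" -AddressLists "$Tenant Users" `
        -RoomList "$Tenant Rooms" -OfflineAddressBook "$Tenant OAB"

    # Assign it to the tenant's existing mailboxes; new mailboxes need the
    # same tag and policy set at provisioning time.
    Get-Mailbox -ResultSize Unlimited -Filter $filter |
        Set-Mailbox -AddressBookPolicy "$Tenant ABP"
}

# Tag a mailbox (constructed sample address), then build and assign the policy.
Set-Mailbox -Identity 'alice@clienta.example' -CustomAttribute1 'ClientA'
New-TenantAddressBookPolicy -Tenant 'ClientA'

# Exchange 2013 CU1+ only, after the ABP Routing Agent has been installed:
# makes mail between tenants resolve as external addresses rather than to the
# other tenant's internal display name, which an ABP alone does not prevent.
Set-TransportConfig -AddressBookPolicyRoutingEnabled $true
```

An Address Book Policy controls what a mailbox can look up, not what exists in the directory: the other tenants' objects remain in Active Directory and are still resolvable by SMTP address, so the ABP is a view-layer isolation that complements, rather than replaces, the AD permission work discussed in the other answers.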