My company manages a number of on-premises Windows Server environments for our customers. For the purpose of this question, these environments consist of a primary domain controller, a secondary domain controller, and a WSUS server. Each of these environments was created in isolation by other IT service providers and, as such, is in its own domain forest. See illustration below:
However, this isolated architecture that we have inherited creates a substantial overhead for helpdesk and on-site staff. We are contracted to provide on-site services, manage the customer's updates (via WSUS), maintain the customer's Active Directory policies (in order to reflect industry best practice), and carry out basic Active Directory administration.
What am I trying to achieve? In a word, 'cascade': I want to define one set of Active Directory policies and then have them cascade down to the customers' domains; I want help desk staff and technicians to be able to sign on using a common Active Directory account; and I want to push updates from a common WSUS account.
To achieve the above, I could migrate them onto a common domain forest:
However, I want to maintain as loose a coupling as possible. On a twelve-month cycle, the customer could elect to migrate to another IT service provider, and I would look to extricate them with minimal effort. Conversely, I want to be able to onboard new customers as quickly as possible with minimal impact on their environment. Therefore, I believe an approach based on forest trust relationships would be the best way forward:
What thoughts do people have on the above proposed architecture? Are forest trust relationships the best way to achieve my aims?
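Whichever direction the discussion takes, a trust-based design stands or falls on how each trust is configured: direction, SID filtering and selective authentication decide how much of the provider forest a customer forest implicitly exposes itself to, and vice versa. The following PowerShell is an added example, not part of the original question or any answer, that audits the trusts visible from one forest and flags settings worth reviewing. It assumes the ActiveDirectory RSAT module is installed, that it runs with rights to read trust objects, and the domain name `provider.example` is a placeholder.

```powershell
# Added example (not from the original post): audit the trusts configured on a
# forest and report the ones that lack the least-privilege settings a
# provider/customer trust design should have. Requires the ActiveDirectory
# RSAT module; 'provider.example' is a placeholder forest name.
Import-Module ActiveDirectory

function Get-TrustAudit {
    param(
        # Forest/domain whose trust objects are read (placeholder default)
        [string]$Server = 'provider.example'
    )

    Get-ADTrust -Filter * -Server $Server -Properties * | ForEach-Object {
        $findings = @()

        # A two-way trust lets accounts from each side authenticate to the
        # other; a provider-to-customer relationship normally needs only one
        # direction (the customer forest trusting the provider forest).
        if ($_.Direction -eq 'BiDirectional') {
            $findings += 'Two-way trust; consider a one-way trust if only provider staff need access'
        }

        # Selective authentication restricts the trusted forest's accounts to
        # the resources they have been explicitly granted "Allowed to
        # Authenticate" on, instead of every computer in the trusting forest.
        if (-not $_.SelectiveAuthentication) {
            $findings += 'Selective authentication disabled; all trusted accounts can authenticate forest-wide'
        }

        # SID filtering (quarantine) discards SIDs in a ticket that do not
        # belong to the trusted forest, so SID-history values from elsewhere
        # cannot be used to gain access across the trust.
        if (-not $_.SIDFilteringQuarantined -and -not $_.SIDFilteringForestAware) {
            $findings += 'SID filtering not enforced on this trust'
        }

        # Unconstrained TGT delegation across a trust hands the trusting side
        # reusable credentials; it should stay off unless a documented need exists.
        if ($_.TGTDelegation) {
            $findings += 'TGT delegation enabled across the trust'
        }

        [pscustomobject]@{
            Trust          = $_.Name
            Type           = $_.TrustType
            Direction      = $_.Direction
            ForestTransit  = $_.ForestTransitive
            SelectiveAuth  = $_.SelectiveAuthentication
            SIDFiltering   = ($_.SIDFilteringQuarantined -or $_.SIDFilteringForestAware)
            Findings       = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}

# Example run: list every trust and its findings in a table.
Get-TrustAudit | Format-Table -AutoSize

# Remediation is done with netdom rather than a cmdlet (there is no
# New-/Set-ADTrust for these flags). Run on the trusting side, with the
# customer and provider names substituted for the placeholders:
#   netdom trust customer.example /domain:provider.example /SelectiveAUTH:Yes
#   netdom trust customer.example /domain:provider.example /Quarantine:Yes
```

Running this from each customer forest as well as from the provider forest gives a per-customer view of how tightly coupled the trust really is, which is also the information needed when a customer leaves and the trust has to be removed cleanly.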