Need Some Active Directory Suggestions

First off, I'm a newbie at AD; I know how to set up a basic domain, but that's it.

I'm running a hosting service for some Windows applications. User permissions are based on Active Directory security groups.

Let's say I have Contoso.local as my forest; the NetBIOS name is CONTOSO. I want to provide a SaaS where clients can sync their Active Directory users and/or groups to my AD while keeping their own NetBIOS name. For example, if I had a client somewhere on the globe named Acme, whose forest domain was Acme.local and whose NetBIOS name was ACME, then I would want John Doe to be able to log into my SaaS as ACME\John.Doe, instead of me having to manage all users for my clients and requiring John to log in as CONTOSO\John.Doe. The idea here is white labeling.

Immediately, you're probably thinking AD FS, but my SaaS doesn't support Federated Services.

I could set up another domain controller on my network to replicate against my client, but that seems overkill. And, I don't know how to accomplish this.

Is there no way for my AD to simply sync and/or authenticate against another domain's users and groups? (I need groups too, because depending on the security role, a user has access to specific info.) Can I set up a Trust or LDS to accomplish this?

If so, or if not, please provide suggestions. Some how-to's would also be much appreciated!

Thanks, Joshua

There is 1 best solution below

I'm not sure I completely understood exactly what it is you are trying to do, but yes, Federation might have been an answer. Apart from federation, I suppose using forest trusts might be one way to accomplish the objective of letting users log in with their native domain\account names. Just an idea.
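
As an added illustration of the forest-trust idea (not part of the original question or answer), the sketch below creates the hosting forest's side of a one-way trust so that ACME accounts can authenticate to CONTOSO resources, then restricts it with selective authentication and SID filtering. It assumes the forest names from the question, working DNS resolution between the two forests, a session running as a CONTOSO forest administrator, and a shared trust password agreed with the ACME administrators, who create the matching inbound side in their own forest.

```powershell
# Added example. Forest names are taken from the question; the trust password
# is whatever the two administrators agree on out of band (not shown here).
$remoteForest = 'Acme.local'
$localForest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# From CONTOSO's point of view the trust is Outbound: CONTOSO (trusting)
# accepts authentication of accounts that live in ACME (trusted).
# Nothing in ACME trusts CONTOSO accounts, so the trust stays one-way.
$direction   = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Outbound
$trustSecret = Read-Host -Prompt "Shared trust password for $remoteForest"

# Create only the local trusted-domain object; no ACME credentials are needed
# on this side. ACME creates its Inbound side with the same password.
$localForest.CreateLocalSideOfTrustRelationship($remoteForest, $direction, $trustSecret)

# Selective authentication: ACME users can reach only the servers where they
# are explicitly granted "Allowed to Authenticate", not every CONTOSO host.
$localForest.SetSelectiveAuthenticationStatus($remoteForest, $true)

# SID filtering: discard SIDs in ACME tickets that do not belong to ACME,
# so a customer cannot claim membership in CONTOSO groups via SID history.
$localForest.SetSidFilteringStatus($remoteForest, $true)

# Read the settings back and list the trusts this forest now holds.
[pscustomobject]@{
    Forest                  = $remoteForest
    SelectiveAuthentication = $localForest.GetSelectiveAuthenticationStatus($remoteForest)
    SidFiltering            = $localForest.GetSidFilteringStatus($remoteForest)
}
$localForest.GetAllTrustRelationships() |
    Format-Table SourceName, TargetName, TrustType, TrustDirection

# Once ACME has created its side, confirm the secure channel:
# $localForest.VerifyOutboundTrustRelationship($remoteForest)
```

With selective authentication on, each ACME group that needs the service must be granted the "Allowed to Authenticate" permission on the computer objects of the application servers, and can then be nested into CONTOSO domain local groups that carry the application roles.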