I am a network guy (Cisco) so I am a bit out of my comfort zone with this one.
My client is in the process of implementing Oracle IAM and wants to establish a test environment, and I have been assigned the responsibility to design a possible solution. They have previously tried to stage a test environment in the production environment but had a few mishaps doing this. They now want to instead create a child domain or a completely separate domain to do this. They want to do this because they require to write to the AD and to Exchange servers to test, as well as checking IAM integration. Also they don't want the GAL from the test Exchange server users to be seen by production users. I know there is an option to hide the users from Exchange, but there are hundreds of users so this will be too much work to get done and is not an option unfortunately.
AD in the test environment must be able to write to an AD in the production environment (but not affect the actual AD in the production environment). I do not think this is possible unless there is a tick-box to deny replication to other AD in the domain.
I am thinking that a completely separate domain needs to be established. But then I am uncertain if this will affect the existing domain, since they will be using the same network hardware (routers, switches, firewalls, internet connection, etc.).
The environment consists of mainly Windows Server 2008 and some Windows Server 2003, with Exchange 2010.
Any insight into how this can be done would be very helpful.