Active Directory Design for Live and Development Environments


I'm seeking advice on the design of a small Win2K8 network with some specific requirements.

I need to establish a development network that mirrors a live production network.  Requirements are:
1. The machines in the dev segment must use the same computer names as their live counterpart.  ( and is fine)
2. Administration needs to be centralized - one set of user accounts to access both networks (RSA keys are used).  I also want one centralized way to back up the servers, push updates and virus signatures to both networks.  
3. Systems in the live and dev networks should not see each other.  
4. Both networks need to be on the same IP subnet (VLANS can be used).  There is a gateway machine on this subnet that connects directly to the client for data delivery.

I believe what I want to do is create an AD forest comprised of one parent domain for user accounts/administration, etc., and two subdomains for the live and dev networks (sort of a hub-and-spoke config).

I'm not sure how to accomplish this - does each domain require its own domain controller, or can the live and dev subnets just use RODCs of the parent?  Is there a problem having machines with the same name in this config?  How do I establish trusts so that the parent can see the subs but the subs don't see each other?  Can these networks reside on the same IP subnet?

I welcome your suggestions.
Will Szymkowski (Senior Solution Architect) commented:
Answers are below...

1. When you create your Prod/Live domain you can export all users and computers and re-create them in the Dev domain using PowerShell.

2. Having a single forest with multiple domains will give you one account to manage both domains (Enterprise Admins group). However, you will not be able to push updates/GPOs to both domains "centrally". GPOs only apply within their respective domain, and child domains do not inherit policies or updates.

3. When you create a forest with a child domain, they will in fact see each other, because they are under the same forest root domain and they have a two-way transitive trust by default. This cannot be changed (it is by design).

4. You can have the two networks on the same logical IP scheme without any issues. Just beware that this will make it difficult to assign IPs to new servers if you are not good at subnetting (they are not easily identifiable).

So basically, to rephrase the above statements: you can do some of what you are looking for, but not everything.

Your best bet (based on your requirements above) is to create two totally different forests, one root domain per forest: live.local and dev.local. Create all of your computer/user accounts in live.local, use PowerShell to collect all of the computers and users and export them to a CSV file, then create new users and computers in the dev.local forest using the exported list (all objects will have the same naming convention). You can use the same network segment/subnet.

Either way, with a single forest or two forests, you are going to have to manage both domains, so if you want complete isolation you need to create two forests and go from there.
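The export/re-create step suggested above, written out as an added PowerShell example (this is not code from the thread or from any of the participants). It assumes two separate forests, live.local and dev.local, domain controllers named dc1.live.local and dc1.dev.local, an OU called Servers in each, and the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later; plain 2008 DCs need the Active Directory Management Gateway Service). Passwords are deliberately not carried over: each re-created user gets a random one-time password and must change it at first logon, so a compromise of the dev forest never yields live credentials.

```powershell
# Added example, not from the original thread. Exports user and computer
# objects from live.local and pre-stages same-named objects in dev.local.
# Hostnames, OUs and the CSV path below are assumptions for illustration.
Import-Module ActiveDirectory

$SourceDC   = 'dc1.live.local'                # assumed
$TargetDC   = 'dc1.dev.local'                 # assumed
$SourceBase = 'OU=Servers,DC=live,DC=local'   # assumed
$TargetOU   = 'OU=Servers,DC=dev,DC=local'    # assumed
$Export     = 'C:\Temp\live-objects.csv'      # assumed

# --- Step 1: export names (never password hashes) from the live forest ---
$users = Get-ADUser -Server $SourceDC -SearchBase $SourceBase -Filter * -Properties Description |
    Select-Object @{n='Type';e={'User'}}, Name, SamAccountName, Description

$computers = Get-ADComputer -Server $SourceDC -SearchBase $SourceBase -Filter * -Properties Description |
    Select-Object @{n='Type';e={'Computer'}}, Name, SamAccountName, Description

# @() guards against a single object not being an array
@($users) + @($computers) | Export-Csv -Path $Export -NoTypeInformation -Encoding UTF8

# --- Step 2: re-create in the dev forest with separate credentials ---
$DevCred = Get-Credential -Message 'Account with create rights in dev.local'

Import-Csv $Export | ForEach-Object {
    $name = $_.Name
    switch ($_.Type) {
        'User' {
            $sam = $_.SamAccountName
            if (Get-ADUser -Server $TargetDC -Credential $DevCred -Filter "SamAccountName -eq '$sam'") {
                Write-Warning "User $name already exists in dev.local; skipping"
                return   # 'return' inside ForEach-Object moves to the next item
            }
            # 24 random bytes -> 32-char Base64 string as a one-time password
            $bytes = New-Object byte[] 24
            [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
            $tmpPwd = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
            New-ADUser -Server $TargetDC -Credential $DevCred -Path $TargetOU `
                -Name $name -SamAccountName $sam `
                -UserPrincipalName "$sam@dev.local" `
                -Description $_.Description `
                -AccountPassword $tmpPwd -ChangePasswordAtLogon $true -Enabled $true
        }
        'Computer' {
            if (Get-ADComputer -Server $TargetDC -Credential $DevCred -Filter "Name -eq '$name'") {
                Write-Warning "Computer $name already exists in dev.local; skipping"
                return
            }
            # Pre-staged account; the dev machine later joins with the same name,
            # and SamAccountName defaults to "$name$" like its live counterpart.
            New-ADComputer -Server $TargetDC -Credential $DevCred -Path $TargetOU `
                -Name $name -Description $_.Description -Enabled $true
        }
    }
}
```

Run step 1 as a live.local account that can read the Servers OU, and step 2 with a dev.local account; keeping the two credential sets distinct is what preserves the isolation the two-forest design is meant to give. The existence checks make the script safe to re-run after the live network gains new machines, so the dev mirror can be refreshed without touching objects that are already in place.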

Mike Kline commented:
If you create them in the same forest then they have to see each other; a forest shares certain naming contexts/partitions (the schema and configuration partitions). You will have to create two separate forests if you want them apart.

How many machines are on the network?


Sandeshdubey (Senior Server Engineer) commented:
In a parent-child domain configuration, only the configuration, schema and probably some application partitions are replicated. Replication between domains exists so that the schema is replicated from the root domain to the child domains and they all use the same object definitions. You cannot break the communication between the domains. The best deal is to create two separate forests. You can have two different forests on the same network.
dclab (Author) commented:
Thank you all for the responses.

Currently there are around 30 machines on the live network and around 10 for the dev network.  I've had these two networks running independently of one another (separate IP subnets, routing rules, etc.).  Technically there is also a third copy of 5 systems for sandbox purposes, but it's not under change control.

That said, I should clarify my statement regarding the machines of each domain seeing each other.  The machines on each domain can be 'aware' of each other, but I need to ensure that content from one network doesn't cross into another.  With duplicate machine names I wanted to just avoid end-user confusion.
From what you describe a single forest might still work, as long as one set of users could be used across all networks.  I understand that group policies could not be pushed across multiple domains, and that's OK.  These networks are not permitted public internet access, so a central internal resource for machines to get Windows updates and antivirus signatures is the goal.

Will Szymkowski (Senior Solution Architect) commented:
Both ways will work. I still personally think it should be two separate forests, but you can make that choice. If you are planning to use something like WSUS to push out updates, this will not work for multiple domains, as you need to use GPOs to get this working; as for antivirus, I do not know. You may be limited based on the product you use for AV management.

dclab (Author) commented:
Thanks to all who made suggestions.  Tried to split points to all involved.  
Hard to 'grade' the answers as this was more of a brain-storming question.  All provided useful tips.