Active Directory Design for Live and Development Environments

dclab asked:

Greetings,

I'm seeking advice on the design of a small Win2K8 network with some specific requirements.

I need to establish a development network that mirrors a live production network. Requirements are:
1. The machines in the dev segment must use the same computer names as their live counterparts. (server1.live.local and server1.dev.local is fine)
2. Administration needs to be centralized: one set of user accounts to access both networks (RSA keys are used). I also want one centralized way to back up the servers and push updates and virus signatures to both networks.
3. Systems in the live and dev networks should not see each other.
4. Both networks need to be on the same IP subnet (VLANs can be used). There is a gateway machine on this subnet that connects directly to the client for data delivery.

I believe what I want to do is create an AD forest consisting of one parent domain for user accounts, administration, etc. and two subdomains for the live and dev networks (a sort of hub-and-spoke configuration).

I'm not sure how to accomplish this: does each domain require its own domain controller, or can the live and dev subnets just use RODCs of the parent? Is there a problem having machines with the same name in this config? How do I establish trusts so that the parent can see the subs but the subs don't see each other? Can these networks reside on the same IP subnet?

I welcome your suggestions.
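Below is an added example, not code from the original post or from any of the replies, showing how the hub-and-spoke forest sketched above is built with the ADDSDeployment and ActiveDirectory PowerShell modules and what the result looks like. Every name in it (parent domain corp.local, child domains live.corp.local and dev.corp.local, hosts CORP-DC1, LIVE-DC1, DEV-DC1, the computer server1, the group OpsAdmins) is an assumption. The ADDSDeployment cmdlets ship with Windows Server 2012 and later; on Windows Server 2008 the promotion steps are done with dcpromo and an unattend file, but the resulting topology is the same. Two facts the script relies on: every domain needs at least one writable DC of its own (an RODC holds a read-only copy of one domain's partition and cannot serve a child domain), and parent-child and tree-root trusts inside a forest are always two-way and transitive, so live and dev trust each other through the parent no matter how the trusts are arranged. Keeping the two segments apart therefore has to come from VLANs, firewall rules and group membership, not from trust direction.

```powershell
# Added example, not from the original post or its replies: build the hub-and-spoke
# forest and inspect what it gives you. All names (corp.local, CORP-DC1, LIVE-DC1,
# DEV-DC1, server1, OpsAdmins) are assumptions.
# Needs the ADDSDeployment and ActiveDirectory modules (Windows Server 2012+);
# on Windows Server 2008 the promotion steps are done with dcpromo /unattend.
# This is a run-book: each step is executed on the host named in its comment.

$dsrm = Read-Host -AsSecureString 'DSRM (safe mode) password'

# Step 1, run on CORP-DC1: create the forest and the parent (hub) domain.
Install-ADDSForest -DomainName 'corp.local' -DomainNetbiosName 'CORP' `
    -ForestMode Win2008 -DomainMode Win2008 -InstallDns `
    -SafeModeAdministratorPassword $dsrm -Force

# Step 2, run once on LIVE-DC1 and once on DEV-DC1: promote the first writable DC
# of each spoke domain. An RODC of corp.local cannot stand in for this: an RODC
# holds a read-only copy of its own domain's partition only, and every domain
# needs at least one writable DC (which any RODC of that domain replicates from).
function Install-SpokeDomain {
    param(
        [Parameter(Mandatory)][string]$Name,                  # 'live' or 'dev'
        [Parameter(Mandatory)][pscredential]$EnterpriseAdmin  # CORP\Administrator or an Enterprise Admin
    )
    $p = @{
        NewDomainName                 = $Name
        ParentDomainName              = 'corp.local'
        DomainType                    = 'ChildDomain'   # 'TreeDomain' gives live.local / dev.local instead
        NewDomainNetbiosName          = $Name.ToUpper()
        DomainMode                    = 'Win2008'
        InstallDns                    = $true
        CreateDnsDelegation           = $true
        Credential                    = $EnterpriseAdmin
        SafeModeAdministratorPassword = $dsrm
        Force                         = $true
    }
    Install-ADDSDomain @p
}
# On LIVE-DC1: Install-SpokeDomain -Name 'live' -EnterpriseAdmin (Get-Credential 'CORP\Administrator')
# On DEV-DC1:  Install-SpokeDomain -Name 'dev'  -EnterpriseAdmin (Get-Credential 'CORP\Administrator')

# Step 3, after both promotions: the trusts were created for you and cannot be made
# one-way. Expect Direction = BiDirectional and IntraForest = True for each entry;
# because intra-forest trusts are transitive, live trusts dev via corp.
Get-ADTrust -Filter * -Server 'corp.local' |
    Select-Object Name, Direction, IntraForest, TrustType

# Step 4: the same computer name in two domains is two different security principals
# (different FQDN, SID and SPNs); Kerberos and DNS tell them apart. NetBIOS name
# registration (broadcast on a shared VLAN, or a shared WINS server) is the one
# place two SERVER1 names would collide, so keep the segments on separate VLANs.
foreach ($domain in 'live.corp.local', 'dev.corp.local') {
    Get-ADComputer -Identity 'server1' -Server $domain |
        Select-Object Name, DNSHostName, SID
}

# Step 5: one set of admin accounts. Keep them in the hub, put them in a global group
# there, and nest that group into each spoke's domain-local Administrators group.
# (Domain Admins is a global group and cannot hold members from another domain.)
$ops = New-ADGroup -Name 'OpsAdmins' -GroupScope Global -Server 'corp.local' `
    -Path 'CN=Users,DC=corp,DC=local' -PassThru
foreach ($domain in 'live.corp.local', 'dev.corp.local') {
    Set-ADGroup -Identity 'Administrators' -Server $domain -Add @{ member = $ops.DistinguishedName }
}
```

Step 3 is the check worth running before relying on this design: if the Get-ADTrust output shows BiDirectional and IntraForest for the live and dev entries, the domains are reachable to each other at the authentication layer, and requirement 3 has to be enforced by the network and by keeping the spokes' security groups free of each other's principals.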
SOLUTION (by Mike Kline): text available to Experts Exchange members only.
ASKER CERTIFIED SOLUTION: text available to Experts Exchange members only.
SOLUTION: text available to Experts Exchange members only.
dclab (asker) replied:

Thank you all for the responses.

Currently there are around 30 machines on the live network and around 10 for the dev network. I've had these two networks running independently of one another (separate IP subnets, routing rules, etc.). Technically there is also a third copy of 5 systems for sandbox purposes, but it's not under change control.

That said, I should clarify my statement regarding the machines of each domain seeing each other. The machines on each domain can be 'aware' of each other, but I need to ensure that content from one network doesn't cross into another. With duplicate machine names I wanted to just avoid end-user confusion.

From what you describe, a single forest might still work, as long as one set of users could be used across all networks. I understand that group policies could not be pushed across multiple domains, and that's OK. These networks are not permitted public internet access, so a central internal resource for machines to get Windows updates and antivirus signatures is the goal.
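As an added example (not from the post or the replies), here is the per-domain side of "one central update source, no cross-domain group policy": a GPO is a domain object, so the same settings are created once in each domain, while the WSUS endpoint they point at is shared. Assumptions: the domains are corp.local, live.corp.local and dev.corp.local, the WSUS server is wsus.corp.local on the default HTTP port 8530, and the GroupPolicy module (RSAT on Server 2008 R2 or later) is available. Two practical points for this design: the hub server is a shared dependency that both segments talk to, so the firewall should allow only client-to-server traffic on the WSUS ports from each segment and nothing between the segments; and because neither segment has internet access, the WSUS server itself gets its content through WSUS's export/import (wsusutil export on a connected server, wsusutil import on this one). The same GPO-per-domain pattern applies to pointing antivirus clients at an internal definition source, but the registry path for that depends on the product and is not shown here.

```powershell
# Added example (not from the original post): one "Central WSUS" GPO per domain,
# all pointing at the same internal WSUS server. Domain names and
# wsus.corp.local:8530 are assumptions.
Import-Module GroupPolicy

$wsusUrl   = 'http://wsus.corp.local:8530'
$gpoName   = 'Central WSUS'
$policyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Domain FQDN -> distinguished name of the domain root (the GPO link target).
$domains = @{
    'corp.local'      = 'DC=corp,DC=local'
    'live.corp.local' = 'DC=live,DC=corp,DC=local'
    'dev.corp.local'  = 'DC=dev,DC=corp,DC=local'
}

foreach ($domain in $domains.Keys) {
    $target = $domains[$domain]

    # GPOs cannot be shared across domains, so create (or reuse) one in each.
    $gpo = Get-GPO -Name $gpoName -Domain $domain -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Domain $domain }

    # Intranet update server: the Windows Update client needs both values set.
    Set-GPRegistryValue -Name $gpoName -Domain $domain -Key $policyKey `
        -ValueName 'WUServer' -Type String -Value $wsusUrl | Out-Null
    Set-GPRegistryValue -Name $gpoName -Domain $domain -Key $policyKey `
        -ValueName 'WUStatusServer' -Type String -Value $wsusUrl | Out-Null

    # Automatic Updates: use the intranet server, stay enabled, download and install
    # on the schedule (AUOptions 4) rather than asking users with no console access.
    Set-GPRegistryValue -Name $gpoName -Domain $domain -Key "$policyKey\AU" `
        -ValueName 'UseWUServer' -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $gpoName -Domain $domain -Key "$policyKey\AU" `
        -ValueName 'NoAutoUpdate' -Type DWord -Value 0 | Out-Null
    Set-GPRegistryValue -Name $gpoName -Domain $domain -Key "$policyKey\AU" `
        -ValueName 'AUOptions' -Type DWord -Value 4 | Out-Null

    # Link at the domain root once; re-running the script must not add duplicate links.
    $alreadyLinked = (Get-GPInheritance -Target $target -Domain $domain).GpoLinks |
        Where-Object { $_.DisplayName -eq $gpoName }
    if (-not $alreadyLinked) {
        New-GPLink -Name $gpoName -Domain $domain -Target $target -LinkEnabled Yes | Out-Null
    }
}

# Verification on any member server after 'gpupdate /force': the policy keys
# should show the intranet URL, and Windows Update should report the WSUS server.
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" |
    Select-Object WUServer, WUStatusServer
```

Because the three GPOs are separate objects, a change to the WSUS address later means editing three GPOs (or re-running this script with a new $wsusUrl); that is the cost of the per-domain model the asker accepted above.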
SOLUTION: text available to Experts Exchange members only.
dclab (asker) replied:

Thanks to all who made suggestions. I tried to split points among all involved.
It's hard to 'grade' the answers as this was more of a brainstorming question. All provided useful tips.