

Active Directory Design for Live and Development Environments

Posted on 2013-10-23
Medium Priority
Last Modified: 2013-11-12

I'm seeking advice on the design of a small Win2K8 network with some specific requirements.

I need to establish a development network that mirrors a live production network. Requirements are:
1. The machines in the dev segment must use the same computer names as their live counterparts. (server1.live.local and server1.dev.local is fine)
2. Administration needs to be centralized - one set of user accounts to access both networks (RSA keys are used). I also want one centralized way to back up the servers, push updates and virus signatures to both networks.
3. Systems in the live and dev networks should not see each other.
4. Both networks need to be on the same IP subnet (VLANs can be used). There is a gateway machine on this subnet that connects directly to the client for data delivery.

I believe what I want to do is create an AD forest, comprised of one parent domain for user accounts/administration, etc., and two subdomains for the live and dev networks. (sort of a hub and spoke config)

I'm not sure how to accomplish this - does each domain require its own domain controller or can the live and dev subnets just use RODCs of the parent? Is there a problem having machines with the same name in this config? How do I establish trusts so that the parent can see the subs but the subs don't see each other? Can these networks reside on the same IP subnet?

I welcome your suggestions.
Question by:dclab
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 300 total points
ID: 39595274
If you create them in the same forest then they have to see each other; a forest shares certain naming contexts/partitions (the schema and configuration partitions). You will have to create two separate forests if you want them apart.

How many machines are on the network?


LVL 53

Accepted Solution

Will Szymkowski earned 900 total points
ID: 39595335
Answers are below...

1. When you create your Prod/Live Domain you can export all Users and Computers and re-create them using PowerShell in the Dev Domain; this can be done with PowerShell.

2. Having a Single Forest with Multiple domains will give you 1 account to manage both domains (Enterprise Admins group). However, you will not be able to push Updates/GPOs to both domains "centrally". Domains only apply within the respective domain and do not inherit policies or updates to child domains.

3. When you create a Forest with a child domain, they will in fact see each other because they are under the same Forest Root domain and they have a 2-way transitive trust by default. This cannot be changed (this is by design).

4. You can have the 2 networks on the same logical IP scheme without any issues. Just beware this will make it difficult assigning IPs to new servers if you are not good at subnetting (not easily identifiable).

So basically, to rephrase the above statements, you can do some of what you are looking for but not everything.

Your best bet (based on your requirements above) is to create 2 totally different Forests, 1 root domain per forest: live.local and dev.local. Create all of your computer/user accounts in live.local, use PowerShell to collect all of the Computers and Users and export to a CSV file, then create new users and computers in the dev.local forest using the exported list (all objects will have the same naming convention). You can use the same network segment/subnet.

Either way with a single forest or 2 forests you are going to have to manage both domains so if you want complete isolation you need to create 2 forests and go from there.
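The export/re-create step described in the accepted answer, as an added example that is not code from the thread. It uses the RSAT ActiveDirectory module cmdlets; the DC names, OU paths and the dev.local credential prompt are assumptions to adjust to your own layout. Only names and a few attributes leave the live forest; each mirrored user gets a fresh random initial password in dev.local.

```powershell
# Added example (not from the thread): mirror user and computer names from the
# live.local forest into the separate dev.local forest. Assumes the RSAT
# ActiveDirectory module, one reachable DC per forest, and the OUs below (placeholders).
Import-Module ActiveDirectory

$liveDc    = 'dc1.live.local'                         # assumed DC names
$devDc     = 'dc1.dev.local'
$devCred   = Get-Credential -Message 'Admin account in dev.local'
$devUserOu = 'OU=Users,OU=Mirror,DC=dev,DC=local'     # assumed OUs
$devCompOu = 'OU=Servers,OU=Mirror,DC=dev,DC=local'

# --- Export from live.local: names and attributes only, no password material ---
Get-ADUser -Server $liveDc -Filter 'Enabled -eq $true' -Properties DisplayName |
    Where-Object { [int]$_.SID.Value.Split('-')[-1] -ge 1000 } |  # skip built-ins (Administrator, Guest, krbtgt)
    Select-Object SamAccountName, GivenName, Surname, DisplayName |
    Export-Csv -Path .\live-users.csv -NoTypeInformation

Get-ADComputer -Server $liveDc -Filter * -Properties OperatingSystem |
    Select-Object Name, OperatingSystem |
    Export-Csv -Path .\live-computers.csv -NoTypeInformation

# --- Re-create in dev.local with identical names ---
function New-RandomPassword {
    # 24 random bytes -> 32-char base64 string, satisfies default complexity rules
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

Import-Csv .\live-users.csv | ForEach-Object {
    $sam = $_.SamAccountName
    if (Get-ADUser -Server $devDc -Credential $devCred -Filter "SamAccountName -eq '$sam'") {
        Write-Warning "User $sam already exists in dev.local, skipping"; return
    }
    $name = if ($_.DisplayName) { $_.DisplayName } else { $sam }
    New-ADUser -Server $devDc -Credential $devCred -Path $devUserOu `
        -Name $name -SamAccountName $sam -GivenName $_.GivenName -Surname $_.Surname `
        -UserPrincipalName "$($sam)@dev.local" -AccountPassword (New-RandomPassword) `
        -ChangePasswordAtLogon $true -Enabled $true   # user sets their own password at first logon
}

Import-Csv .\live-computers.csv | ForEach-Object {
    $cn = $_.Name
    if (Get-ADComputer -Server $devDc -Credential $devCred -Filter "Name -eq '$cn'") {
        Write-Warning "Computer $cn already exists in dev.local, skipping"; return
    }
    # Pre-stages the account so server1.dev.local can later be joined under the same name
    New-ADComputer -Server $devDc -Credential $devCred -Path $devCompOu -Name $cn -Enabled $true
}
```

Run the export half from a workstation that can reach a live.local DC, then the import half with a dev.local admin credential; the CSVs contain no secrets, so they can be moved between the isolated segments by whatever controlled channel you already use.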

LVL 24

Assisted Solution

Sandeshdubey earned 300 total points
ID: 39595523
In a parent-child domain configuration only the configuration, schema and probably some application partitions are replicated. Replication between domains is for the schema to be replicated from the root domain to the child domains so that they use the same object definitions. You cannot break the communication between the domains. The best deal is to create two separate forests. You can have two different forests in the same network.


Author Comment

ID: 39595696
Thank you all for the responses.

Currently there are around 30 machines on the live network, around 10 for the dev network. I've had these two networks running independently of one another (separate IP subnets, routing rules, etc.). Technically there is also a third copy of 5 systems for sandbox purposes but it's not under change control.

That said, I should clarify my statement regarding the machines of each domain seeing each other. The machines on each domain can be 'aware' of each other, but I need to ensure that content from one network doesn't cross into another. With duplicate machine names I wanted to just avoid end user confusion.

From what you describe a single forest might still work, as long as one set of users could be used across all networks. I understand that group policies could not be pushed across multiple domains and that's ok. These networks are not permitted public internet access, so a central internal resource for machines to get Windows updates and antivirus signatures is the goal.
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 900 total points
ID: 39595881
Both ways will work. I still personally think it should be 2 separate forests, but you can make that choice. If you are planning to use something like WSUS to push out updates, this will not work for multiple domains as you need to use GPOs to get this working; as for antivirus I do not know. You may be limited based on the product you use for AV management.


Author Closing Comment

ID: 39643441
Thanks to all who made suggestions. Tried to split points to all involved.
Hard to 'grade' the answers as this was more of a brainstorming question. All provided useful tips.
