Active Directory Design for Live and Development Environments

Posted on 2013-10-23
Last Modified: 2013-11-12

I'm seeking advice on the design of a small Win2K8 network with some specific requirements.

I need to establish a development network that mirrors a live production network. Requirements are:
1. The machines in the dev segment must use the same computer names as their live counterpart. ( and is fine)
2. Administration needs to be centralized - one set of user accounts to access both networks (RSA keys are used). I also want one centralized way to back up the servers, push updates and virus signatures to both networks.
3. Systems in the live and dev networks should not see each other.
4. Both networks need to be on the same IP subnet (VLANs can be used). There is a gateway machine on this subnet that connects directly to the client for data delivery.

I believe what I want to do is create an AD forest, comprised of one parent domain for user accounts/administration, etc. and two sub-domains for the live and dev networks (sort of a hub and spoke config).

I'm not sure how to accomplish this - does each domain require its own domain controller, or can the live and dev subnets just use RODCs of the parent? Is there a problem having machines with the same name in this config? How do I establish trusts so that the parent can see the subs but the subs don't see each other? Can these networks reside on the same IP subnet?

I welcome your suggestions.
Question by: dclab
LVL 57

Assisted Solution

by: Mike Kline
Mike Kline earned 100 total points
ID: 39595274
If you create them in the same forest then they have to see each other; a forest shares certain naming contexts/partitions (the schema and configuration partitions). You will have to create two separate forests if you want them apart.

How many machines are on the network?


LVL 53

Accepted Solution

Will Szymkowski earned 300 total points
ID: 39595335
Answers are below...

1. When you create your Prod/Live Domain you can export all Users and Computers and re-create them using PowerShell in the Dev Domain; this can be done with PowerShell.

2. Having a Single Forest with Multiple domains will give you 1 account to manage both domains (Enterprise Admins group). However, you will not be able to push Updates/GPOs to both domains "centrally". Policies only apply within the respective domain, and child domains do not inherit policies or updates.

3. When you create a Forest with a child domain, they will in fact see each other because they are under the same Forest Root domain and they have a 2-way transitive trust by default. This cannot be changed (it is by design).

4. You can have the 2 networks on the same logical IP scheme without any issues. Just beware this will make it difficult assigning IPs to new servers if you are not good at subnetting (not easily identifiable).

So basically, to rephrase the above statements, you can do some of what you are looking for but not everything.

Your best bet (based on your requirements above) is to create 2 totally different Forests, 1 root domain per forest: live.local and dev.local. Create all of your computer/user accounts in live.local, use PowerShell to collect all of the Computers and Users and export them to a CSV file, then create new users and computers in the dev.local forest using the exported list (all objects will have the same naming convention). You can use the same network segment/subnet.

Either way, with a single forest or 2 forests you are going to have to manage both domains, so if you want complete isolation you need to create 2 forests and go from there.
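The export/re-create step the accepted answer describes, written out as an added PowerShell example (not code from the thread or from any of the participants). It assumes the RSAT ActiveDirectory module, two separate forests named live.local and dev.local as in the answer, and that you have admin credentials in each; the DC hostnames, OU paths and export directory are placeholders. It copies only naming and descriptive attributes: password hashes are never readable through these cmdlets, and SIDs, group memberships and the live UPN suffix are deliberately not carried across, so nothing usable as a live credential lands in dev.

```powershell
# Added example, not from the thread. Mirror users and computers from the
# live.local forest into the dev.local forest by name only.
Import-Module ActiveDirectory

$LiveDC    = 'dc01.live.local'               # assumption: a reachable live DC
$DevDC     = 'dc01.dev.local'                # assumption: a reachable dev DC
$LiveUserOU = 'OU=Users,DC=live,DC=local'    # assumption: where live users live
$LiveCompOU = 'OU=Servers,DC=live,DC=local'  # assumption: where live servers live
$DevUserOU  = 'OU=Users,DC=dev,DC=local'     # assumption: target OUs in dev
$DevCompOU  = 'OU=Servers,DC=dev,DC=local'
$ExportDir  = 'C:\ADMirror'                  # placeholder path

New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# 1. Export identity attributes only from the live forest.
Get-ADUser -Server $LiveDC -Filter * -SearchBase $LiveUserOU `
    -Properties DisplayName, Description |
    Select-Object SamAccountName, Name, GivenName, Surname, DisplayName, Description |
    Export-Csv -Path "$ExportDir\users.csv" -NoTypeInformation

Get-ADComputer -Server $LiveDC -Filter * -SearchBase $LiveCompOU `
    -Properties Description |
    Select-Object Name, Description |
    Export-Csv -Path "$ExportDir\computers.csv" -NoTypeInformation

# Throwaway initial password; the user is forced to change it at first logon,
# so no live password is ever reused in dev.
function New-RandomPassword {
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*'
    -join (1..24 | ForEach-Object { $chars[(Get-Random -Maximum $chars.Length)] })
}

# 2. Re-create the users in dev.local with the same SamAccountName but a
#    dev.local UPN, skipping any that already exist.
Import-Csv "$ExportDir\users.csv" | ForEach-Object {
    $sam = $_.SamAccountName
    if (Get-ADUser -Server $DevDC -Filter "SamAccountName -eq '$sam'") {
        Write-Verbose "User $sam already exists in dev.local, skipping"
        return   # acts as 'continue' inside ForEach-Object
    }
    $pw = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    $params = @{
        Server                = $DevDC
        Path                  = $DevUserOU
        SamAccountName        = $sam
        Name                  = $_.Name
        UserPrincipalName     = "$sam@dev.local"
        AccountPassword       = $pw
        ChangePasswordAtLogon = $true
        Enabled               = $true
    }
    # Only pass optional attributes that were actually populated in live.
    foreach ($attr in 'GivenName', 'Surname', 'DisplayName', 'Description') {
        if ($_.$attr) { $params[$attr] = $_.$attr }
    }
    New-ADUser @params
}

# 3. Pre-stage computer objects with the same names. Each dev machine then
#    joins dev.local and sets its own machine-account password on join.
Import-Csv "$ExportDir\computers.csv" | ForEach-Object {
    if (-not (Get-ADComputer -Server $DevDC -Filter "Name -eq '$($_.Name)'")) {
        $cparams = @{ Server = $DevDC; Path = $DevCompOU; Name = $_.Name }
        if ($_.Description) { $cparams['Description'] = $_.Description }
        New-ADComputer @cparams
    }
}
```

Run the export half while authenticated to the live forest and the import half while authenticated to the dev forest; because the forests share no trust, there is no account that can do both at once, which is exactly the isolation the answer recommends. Re-running the script is safe, since existing dev objects are skipped rather than overwritten.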

LVL 24

Assisted Solution

Sandeshdubey earned 100 total points
ID: 39595523
In a parent-child domain configuration only the configuration, schema and probably some application partitions are replicated. Replication between domains exists so that the schema is replicated from the root domain to the child domains and they use the same object definitions. You cannot break the communication between the domains. The best deal is to create two separate forests. You can have two different forests in the same network.


Author Comment

ID: 39595696
Thank you all for the responses.

Currently there are around 30 machines on the live network, around 10 for the dev network. I've had these two networks running independently of one another (separate IP subnets, routing rules, etc.). Technically there is also a third copy of 5 systems for sandbox purposes, but it's not under change control.

That said, I should clarify my statement regarding the machines of each domain seeing each other. The machines on each domain can be 'aware' of each other, but I need to ensure that content from one network doesn't cross into another. With duplicate machine names I wanted to just avoid end user confusion.

From what you describe a single forest might still work, as long as one set of users could be used across all networks. I understand that group policies could not be pushed across multiple domains and that's OK. These networks are not permitted public internet access, so a central internal resource for machines to get Windows updates and antivirus signatures is the goal.
LVL 53

Assisted Solution

by: Will Szymkowski
Will Szymkowski earned 300 total points
ID: 39595881
Both ways will work. I still personally think it should be 2 separate forests, but you can make that choice. If you are planning to use something like WSUS to push out updates, this will not work for multiple domains as you need to use GPOs to get this working; as for antivirus I do not know. You may be limited based on the product you use for AV management.


Author Closing Comment

ID: 39643441
Thanks to all who made suggestions. Tried to split points to all involved.
Hard to 'grade' the answers as this was more of a brainstorming question. All provided useful tips.
