Active Directory Design for Live and Development Environments

Posted on 2013-10-23
Last Modified: 2013-11-12

I'm seeking advice on the design of a small Win2K8 network with some specific requirements.

I need to establish a development network that mirrors a live production network. Requirements are:
1. The machines in the dev segment must use the same computer names as their live counterpart. ( and is fine)
2. Administration needs to be centralized - one set of user accounts to access both networks (RSA keys are used). I also want one centralized way to back up the servers, push updates and virus signatures to both networks.
3. Systems in the live and dev networks should not see each other.
4. Both networks need to be on the same IP subnet (VLANs can be used). There is a gateway machine on this subnet that connects directly to the client for data delivery.

I believe what I want to do is create an AD forest comprised of one parent domain for user accounts/administration, etc. and two subdomains for the live and dev networks (sort of a hub-and-spoke config).

I'm not sure how to accomplish this - does each domain require its own domain controller, or can the live and dev subnets just use RODCs of the parent? Is there a problem having machines with the same name in this config? How do I establish trusts so that the parent can see the subs but the subs don't see each other? Can these networks reside on the same IP subnet?

I welcome your suggestions.
Question by: dclab
LVL 57

Assisted Solution

by: Mike Kline
Mike Kline earned 100 total points
ID: 39595274
If you create them in the same forest then they have to see each other; a forest shares certain naming contexts/partitions (the schema and configuration partitions). You will have to create two separate forests if you want them apart.

How many machines are on the network?


LVL 53

Accepted Solution

Will Szymkowski earned 300 total points
ID: 39595335
Answers are below...

1. When you create your Prod/Live Domain you can export all Users and Computers and re-create them in the Dev Domain; this can be done with PowerShell.

2. Having a single Forest with multiple domains will give you 1 account to manage both domains (Enterprise Admins group). However, you will not be able to push Updates/GPOs to both domains "centrally". Policies only apply within the respective domain and are not inherited by child domains.

3. When you create a Forest with a child domain, they will in fact see each other because they are under the same Forest Root domain and they have a two-way transitive trust by default. This cannot be changed (it is by design).

4. You can have the 2 networks on the same logical IP scheme without any issues. Just beware this will make it difficult assigning IPs to new servers if you are not good at subnetting (not easily identifiable).

So basically, to rephrase the above statements: you can do some of what you are looking for but not everything.

Your best bet (based on your requirements above) is to create 2 totally different Forests with 1 root domain per forest: live.local and dev.local. Create all of your computer/user accounts in live.local, use PowerShell to collect all of the Computers and Users and export them to a CSV file, then create new users and computers in the dev.local forest using the exported list (all objects will have the same naming convention). You can use the same network segment/subnet.

Either way, with a single forest or 2 forests, you are going to have to manage both domains, so if you want complete isolation you need to create 2 forests and go from there.
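
The export-and-recreate step described in this answer, written out as an added PowerShell example (an editor's addition, not code from the answer or from the site). It assumes the ActiveDirectory RSAT module, a reachable domain controller in each forest (dc1.live.local and dc1.dev.local are assumed names; live.local and dev.local are the forest names the answer uses), assumed OU paths in dev.local, and that the operator holds admin credentials in both forests. Only identity attributes are exported, so no password material crosses between forests; every dev account gets a random initial password and must be reset at first logon.

```powershell
# Added example: mirror user and computer *names* from live.local into dev.local.
# Assumptions: ActiveDirectory module, a DC per forest, admin rights in both.
Import-Module ActiveDirectory

$LiveDC  = 'dc1.live.local'                       # assumption
$DevDC   = 'dc1.dev.local'                        # assumption
$DevCred = Get-Credential -Message 'dev.local admin'

$DevUserOU     = 'OU=Users,OU=Dev,DC=dev,DC=local'      # assumption
$DevComputerOU = 'OU=Servers,OU=Dev,DC=dev,DC=local'    # assumption

# 1. Export from live. Only identity attributes are selected; unicodePwd and
#    password history are never readable through LDAP anyway, and nothing here
#    tries to replicate secrets into the dev forest.
Get-ADUser -Server $LiveDC -Filter 'Enabled -eq $true' -Properties DisplayName |
    Select-Object SamAccountName, Name, GivenName, Surname, DisplayName |
    Export-Csv -Path .\live-users.csv -NoTypeInformation

Get-ADComputer -Server $LiveDC -Filter * -Properties OperatingSystem |
    Select-Object Name, SamAccountName, OperatingSystem |
    Export-Csv -Path .\live-computers.csv -NoTypeInformation

# 2. Re-create users in dev with a fresh random password and a dev.local UPN.
Import-Csv .\live-users.csv | ForEach-Object {
    $existing = Get-ADUser -Server $DevDC -Credential $DevCred `
        -Filter "SamAccountName -eq '$($_.SamAccountName)'"
    if ($existing) { Write-Verbose "user $($_.SamAccountName) already in dev"; return }

    # 24 random bytes -> 32-char base64 initial password; user must change it.
    $bytes = New-Object byte[] 24
    [Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $initial = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    New-ADUser -Server $DevDC -Credential $DevCred -Path $DevUserOU `
        -SamAccountName $_.SamAccountName -Name $_.Name `
        -GivenName $_.GivenName -Surname $_.Surname -DisplayName $_.DisplayName `
        -UserPrincipalName "$($_.SamAccountName)@dev.local" `
        -AccountPassword $initial -ChangePasswordAtLogon $true -Enabled $true
}

# 3. Pre-stage computer objects with the same names; the dev machines are
#    joined to dev.local later and pick up these accounts.
Import-Csv .\live-computers.csv | ForEach-Object {
    $existing = Get-ADComputer -Server $DevDC -Credential $DevCred -Filter "Name -eq '$($_.Name)'"
    if (-not $existing) {
        New-ADComputer -Server $DevDC -Credential $DevCred -Path $DevComputerOU `
            -Name $_.Name -SamAccountName $_.SamAccountName -Enabled $true
    }
}
```

Run it from a live.local admin workstation; the dev side is addressed with -Server and -Credential, so no trust between the two forests is required. Two things a practitioner should weigh: the CSV files are an inventory of the production forest and should be stored and deleted accordingly, and identical host names in both networks only stay unambiguous if each network has its own DNS servers and its own broadcast domain (NetBIOS and LLMNR name resolution are broadcast based), which is what the VLAN separation in the question has to provide.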

LVL 24

Assisted Solution

Sandeshdubey earned 100 total points
ID: 39595523
In a parent-child domain setup only the configuration, schema and probably some application partitions are replicated. Replication between domains is there so the schema is replicated from the root domain to the child domains and they use the same object definitions. You cannot break the communication between the domains. The best deal is to create two separate forests. You can have two different forests on the same network.

Author Comment

ID: 39595696
Thank you all for the responses.

Currently there are around 30 machines on the live network, around 10 for the dev network. I've had these two networks running independently of one another (separate IP subnets, routing rules, etc.). Technically there is also a third copy of 5 systems for sandbox purposes, but it's not under change control.

That said, I should clarify my statement regarding the machines of each domain seeing each other. The machines on each domain can be 'aware' of each other, but I need to ensure that content from one network doesn't cross into another. With duplicate machine names I wanted to just avoid end user confusion.
From what you describe a single forest might still work, as long as one set of users could be used across all networks. I understand that group policies could not be pushed across multiple domains and that's OK. These networks are not permitted public internet access, so a central internal resource for machines to get Windows updates and antivirus signatures is the goal.
LVL 53

Assisted Solution

by: Will Szymkowski
Will Szymkowski earned 300 total points
ID: 39595881
Both ways will work. I still personally think it should be 2 separate forests, but you can make that choice. If you are planning to use something like WSUS to push out updates, this will not work for multiple domains as you need to use GPOs to get this working; as for antivirus I do not know. You may be limited based on the product you use for AV management.
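
The point in this answer, that Group Policy stops at the domain boundary, does not stop a single internal WSUS server from serving both networks: each domain simply needs its own GPO that points clients at the same server. The following is an added PowerShell example (an editor's addition, not code from the answer) that creates such a GPO in each domain. It assumes the GroupPolicy RSAT module, that the caller is a Domain Admin in the domain being configured (the GroupPolicy cmdlets take no -Credential, so without a forest trust you run this once from inside each forest), and that the WSUS URL, GPO name and OU paths are placeholders.

```powershell
# Added example: one WSUS client GPO per domain, all pointing at the same server.
# Assumptions: GroupPolicy module, Domain Admin in each target domain,
# placeholder WSUS URL and OU paths.
Import-Module GroupPolicy

$WsusUrl = 'http://wsus.live.local:8530'   # assumption; use https://...:8531 if WSUS has a cert
$GpoName = 'WSUS Client Settings'
$Key     = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Each domain gets its own GPO link; the WSUS target group keeps live and dev
# machines in separate approval groups on the server.
$Targets = @(
    @{ Domain = 'live.local'; Ou = 'OU=Servers,DC=live,DC=local'; Group = 'Live' }   # assumption
    @{ Domain = 'dev.local';  Ou = 'OU=Servers,DC=dev,DC=local';  Group = 'Dev'  }   # assumption
)

foreach ($t in $Targets) {
    $gpo = Get-GPO -Name $GpoName -Domain $t.Domain -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Domain $t.Domain }

    # Intranet update and statistics server (both values are required by the client).
    Set-GPRegistryValue -Name $GpoName -Domain $t.Domain -Key $Key `
        -ValueName 'WUServer', 'WUStatusServer' -Type String -Value $WsusUrl, $WsusUrl | Out-Null

    # Tell the Automatic Updates agent to use the intranet server and stay enabled.
    Set-GPRegistryValue -Name $GpoName -Domain $t.Domain -Key "$Key\AU" `
        -ValueName 'UseWUServer' -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Domain $t.Domain -Key "$Key\AU" `
        -ValueName 'NoAutoUpdate' -Type DWord -Value 0 | Out-Null

    # Client-side targeting so approvals can differ between live and dev.
    Set-GPRegistryValue -Name $GpoName -Domain $t.Domain -Key $Key `
        -ValueName 'TargetGroupEnabled' -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Domain $t.Domain -Key $Key `
        -ValueName 'TargetGroup' -Type String -Value $t.Group | Out-Null

    # Link (idempotent: an existing link makes New-GPLink error, which is ignored).
    New-GPLink -Name $GpoName -Domain $t.Domain -Target $t.Ou -LinkEnabled Yes `
        -ErrorAction SilentlyContinue | Out-Null
}
```

A shared WSUS server is one deliberate path across the isolation boundary the question asks for, so firewall it to exactly that: dev hosts may reach the WSUS server on TCP 8530/8531 only, and nothing else in the live network. The same model (a per-domain GPO pointing at one internal distribution point) is what most AV management products rely on, which is why the AV side depends on the product in use, as the answer says.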


Author Closing Comment

ID: 39643441
Thanks to all who made suggestions. Tried to split points to all involved.
Hard to 'grade' the answers as this was more of a brain-storming question. All provided useful tips.
