Creating a test environment of our production environment

Posted on 2013-10-31
Last Modified: 2013-12-16
Hi guys,
I hope you are all well and can assist.

We have a single forest as follows:

test.net
a.test.net

Our goal is to create a test environment by snapshotting some of our domain controllers in each of our 2 domains in production, and use these snapshots to create this test AD.

So, the plan was to do the following:

1) In each domain:

test.net (snapshot 2 domain controllers here)
a.test.net (snapshot 2 domain controllers here)

For example purposes, let's say this prod environment is on vlan1, while the test environment is on vlan2.

2) We go to the test vlan (2), register the snapshot files, and create vms from them to bring up the test environment.

So on this vlan2, we now have

test.net
a.test.net

Basically, a mirror of production on a separate vlan.

PROBLEM:

Systems on the production vlan need to be able to access the vlan2.

That means we have to enable access from vlan1 to vlan2.

But, as the domain controllers snapped have the same names on both vlans, my question is as follows:

How do you guys get around the situation where you want to have a test environment which closely resembles production (e.g. same DC names etc.), but where there are systems on the production network that need access to this test environment?

We have a PKI infrastructure, and this needs to be in the test environment also, and I believe it is difficult to change the names.

I'm looking for help on what you guys do to ensure that:
- there is no conflict between your test and prod environment when, for example, it is difficult if not impossible, or unrealistic, to:
- expect to always isolate or move systems existing on your prod network that need access to your test, to be moved on to the test network.

We don't want to snapshot our production domain controllers and other critical systems, only then having to rename all these systems in the test vlan every time we want to mirror production. If that is what you guys do, or have to do, I'd love to know.

Any help greatly appreciated.

Thanks guys in advance.
Question by:Simon336697
3 Comments
 

Accepted Solution

by: jmanishbabu
ID: 39613643
The domain controller will seem to function and work with clients, but it will actually have stopped replicating with all other domain controllers, because it has detected that it has been copied. The result is an inconsistent domain with client records not being updated; they will slowly stop working depending on what domain controller they get in contact with, until everything goes dead. If you have then virtualized ALL domain controllers, you will be left with 1-3 months of changes going down the tube together with your damaged Domain Controllers. Don't forget to take a full backup of at least 1 Domain Controller before starting your cloning!

st of You might get problems, but no event log entries – aarrggh, try and detect that!
If a Domain Controller replicates data after being cloned, it will acknowledge what information it has replicated to the other Domain Controllers. In effect they know what the cloned Domain Controller knows. If the cloned machine is then turned on with older information, the other Domain Controllers will refuse to give it the information – after all, they know it has already gotten it! This will create a missing gap of information, potentially creating big problems. It is usually referred to as USN Rollback and is a common symptom of a Hot Clone or a Domain Controller that was cloned but the original got turned on after the cloning. More info here http://support.microsoft.com/kb/875495/
If a Domain Controller detects disk signature changes, it will put itself in isolation and refuse replication. Basically it has detected it has been copied and, to avoid replicating wrong information to others, it isolates itself. It still keeps on running and serving users, but since it cannot replicate, it does not replicate important information like password changes, machine information, etc.
Microsoft does not support cloning of Domain Controllers – you're on your own!
VMware does not support cloning of Domain Controllers – you're still on your own!

VMware has more pain and death information about cloning an existing domain controller here http://kb.vmware.com/kb/1006996
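The accepted answer describes a DC that keeps answering clients while silently refusing to replicate, with no guarantee of an event log entry. The PowerShell function below is an added example written for this page; it is not code from the thread, from Microsoft or from VMware. It checks a DC for the USN rollback symptoms Microsoft documents in KB 875495 (the "Dsa Not Writable" registry value set to 4, Net Logon paused, Directory Service events 2095 and 2103) and then performs the comparison that exposes the gap the answer describes: whether any other DC in the forest remembers a higher USN for this DC's current invocationID than the DC itself now reports. It assumes Windows PowerShell 5.1 with the ActiveDirectory RSAT module, PowerShell remoting to the target DC, and admin rights on it; the function name Test-UsnRollback and the host name dc1.a.test.net in the usage line are my own.

```powershell
# Added example for this page, not code from the thread. Checks one domain controller
# for the USN rollback symptoms documented in KB 875495, then compares its USN state
# with every other DC in the forest. Assumptions: Windows PowerShell 5.1, ActiveDirectory
# RSAT module, PowerShell remoting enabled on the target DC, caller is an admin on it.
Import-Module ActiveDirectory

function Test-UsnRollback {
    [CmdletBinding()]
    param([string]$DomainController = $env:COMPUTERNAME)

    $findings = @()
    $me = Get-ADDomainController -Identity $DomainController

    # 1. KB 875495: on detecting a rollback the DC sets "Dsa Not Writable" = 4 and stops
    #    inbound and outbound AD replication while still answering LDAP and Kerberos.
    $ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dsa = Invoke-Command -ComputerName $me.HostName -ScriptBlock {
        (Get-ItemProperty -Path $using:ntdsKey -Name 'Dsa Not Writable' -ErrorAction SilentlyContinue).'Dsa Not Writable'
    }
    if ($dsa -eq 4) {
        $findings += 'Dsa Not Writable = 4: this DC has quarantined itself from replication'
    }

    # 2. In the same state Net Logon is paused, so the DC stops advertising itself; clients
    #    that already located it keep using it, which is why it "seems to work".
    $netlogon = Get-Service -ComputerName $me.HostName -Name Netlogon
    if ($netlogon.Status -eq 'Paused') {
        $findings += 'Netlogon is paused: DC is no longer advertising'
    }

    # 3. Event 2095 = USN rollback detected, 2103 = unsupported restore, both in the
    #    Directory Service log. Their absence proves nothing, hence step 4.
    $filter = @{ LogName = 'Directory Service'; Id = 2095, 2103 }
    $events = Get-WinEvent -ComputerName $me.HostName -FilterHashtable $filter -MaxEvents 10 -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $findings += ('Event {0} at {1}: {2}' -f $e.Id, $e.TimeCreated, ($e.Message -split "`r?`n")[0])
    }

    # 4. The mechanism behind the silent failure: each partner's up-to-dateness vector records
    #    the highest originating USN it has seen from this DC's invocationID. If that is higher
    #    than the USN the DC itself now holds, the DC was rolled back, and partners will never
    #    send it the changes they believe it already has.
    $rootDse = Get-ADRootDSE -Server $me.HostName
    $ntds    = Get-ADObject -Identity $rootDse.dsServiceName -Server $me.HostName -Properties invocationId
    $myInvId = [guid]$ntds.invocationId
    $myUsn   = [int64]$rootDse.highestCommittedUSN

    $partners = (Get-ADForest).Domains |
        ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
        Where-Object { $_.HostName -ne $me.HostName }

    foreach ($p in $partners) {
        # Same-domain partners hold our domain partition (most originating writes);
        # partners in other domains only share the configuration partition with us.
        $partition = if ($p.Domain -eq $me.Domain) { $rootDse.defaultNamingContext } else { $rootDse.configurationNamingContext }
        $vector = Get-ADReplicationUpToDatenessVectorTable -Target $p.HostName -Partition $partition -ErrorAction SilentlyContinue
        $entry  = $vector | Where-Object { $_.PartnerInvocationId -eq $myInvId }
        if ($entry -and [int64]$entry.UsnFilter -gt $myUsn) {
            $findings += ('{0} has seen USN {1} from invocationID {2} in {3}, but {4} now reports highestCommittedUSN {5}: USN rollback' -f
                $p.HostName, $entry.UsnFilter, $myInvId, $partition, $me.HostName, $myUsn)
        }
    }

    if ($findings.Count -eq 0) { 'No USN rollback symptoms found on {0}' -f $me.HostName }
    else { $findings }
}

# Usage: run against the DC that came back from a snapshot or clone (hypothetical host name).
Test-UsnRollback -DomainController 'dc1.a.test.net'
```

Step 4 is the one to trust: the registry value, the paused service and the two events only appear when the DC itself noticed the rollback, whereas a partner's vector records what the partner saw regardless. The comparison is only meaningful while the DC's invocationID is unchanged; a DC that was properly restored from backup, or a Windows Server 2012+ DC reverted on a hypervisor that exposes a VM-Generation ID, resets its invocationID, so the partners' old entry no longer matches and nothing is flagged, which is the safe case.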
 

Author Comment

by:Simon336697
ID: 39613702
Hi jmanishbabu,

Thanks for your post.

I'm still none the wiser, however, on what an alternative better solution would be.
 

Author Closing Comment

by:Simon336697
ID: 39723101
Thank you and sorry for the delay.