How would you split production and lab environment

Question

Hi,

Today we have two local onsite domain controllers with domain.com and this is used for production and also for testing/lab.
We would like to separate the systems, so that we don`t mix these.

Not sure right how to do this, and also not sure how we plan this... so I am looking for examples, how is your production separated from a testing environment ?

For example
Do you have domain1 and domain2 and have a trust between ?
Do you have domain1 and domain2 and no connection between these two ?
Do you have production.domain.com and lab.domain.com ?
Do you have domain.com and only segemented it with vlanA=prod, vlanB=demo, vlanC=lab ….

Any other recommendations…

Thanks for reply.

Regards
Andreas

Answer 1

Hi,

It's recommended to separate test and production environment. to avoid any impact and risk on your production environment when you want test and validate a task or a product.

It's recommended to install the test environment in separate VLAN. The test and staging environment should not have a connection with production environment.
If you want build a test environment similar to production , you have two option:

1. backup one of the DC from production domain and restore it in test VLAN. Then you perform metadata cleaup to remove other DC and size FSMO role.
2. Create new forest and domain with same functional level and feature as the production envirement.

Please don't forget to mark this reply as answer if it help you

Answer 2

You could possibly do it but that's going to get somewhat complicated since you're now talking about moving all the existing from the root to a new subdomain named production.domain.com Something here may help with that effort.
https://www.starwindsoftware.com/blog/intraforest-migration-in-windows-server-2016-with-active-directory-migration-tool-admt-3-2

--please don't forget to Accept as answer if the reply is helpful--

Answer 3

There's probably a number of ways to configure this. My preference would be no connection between them being the safer option.

--please don't forget to Accept as answer if the reply is helpful--

Answer 4

Hi,

Thanks for the replies.
As I understand a complete seperation is the best option.

But say I cannot have a complete seperation, how would you then solve it.
Could I for example create production.domain.com and lab.domain.com and have domain local groups for spesific users in each domain. And If a user needs to have access to both production and lab i can add this user to a universal group ?

Another question is if I add a computer then to the production.domain.com would I be able to use RDP from that machine to a machine in the lab.domain.com as long as the user is part of the universal group with correct login credentials ?

And how would ADUC look like then I have two subdomains ?

I have never tested this :)

Thanks for reply

/Regards
Andreeas

Answer 5

Hi,
I am glad to hear that your issue was successfully resolved.
If there is anything else we can do for you, please feel free to post in the forum.
Have a nice day!