Active Directory Test Environment – Best Practice


This topic contains 0 replies, has 1 voice, and was last updated by  Webmaster 2 years, 7 months ago.


    Webmaster
    Keymaster

    There is no official Microsoft recommended Best Practice for setting up an Active Directory test environment. That being said, here is the best practice for setting up an AD test environment:

    ITIL defines a best practice as the best way to do something for your organisation. Sources of best practice can be “standards, industry practices, academic research, training & education or internal experience”. Therefore the following is a list of practices for setting up an Active Directory test environment; I will leave you to choose which is the best 😉

    AD Test Environment Best Practice #1: Replica Environment

    If you have the resource, setting up an exact duplicate AD test environment is a great way to go. This way, you know that whatever you do in your test environment will behave exactly as the production environment.

    One way to set up a replica test AD environment is to set up another VLAN or entirely separated LAN and restore your environment into it. If you use virtualisation technologies, this can be simplified by setting up a VLAN and cloning AD servers and setting their NICs to be in the VLAN before powering on the servers.

    Pros of a replica AD test environment

    • You can be confident that your test environment matches your prod environment if you are replicating it each time you do a test
    • This is a good way to test your backups

    Cons of a replica AD test environment

    • Cost
    • Time taken to do a fresh clone each time you want to do a test
    • Multiple tests in the environment can be expensive if you are replicating the entire AD environment per test
    • If you aren’t replicating the entire AD environment per test, you run the risk that simultaneous tests may interfere with each other
    • If you aren’t replicating the environment per test, you run the risk that your test environment will drift and become different to the production AD environment

    AD Test Environment Best Practice #2: Partial Replica Environment

    As above, but you only replicate a single AD server and other servers as required.

    Pros of a partial replica AD test environment

    • You can be confident that your test environment matches your prod environment if you are replicating it each time you do a test
    • Takes less time to clone a few systems, rather than cloning all
    • Because it takes less time to replicate, it’s easier to do a fresh replica per test. This means your testing is more accurate and there’s less chance of getting drift

    Cons of a partial replica AD test environment

    • Less costly, but still costs a bit in server resource.

    AD Test Environment Best Practice #3: Test OUs

    For some organisations, simply having test OUs in their production AD environment is the best practice because it’s cheap and easy. A separate OU location to test changes is quite sufficient.

    Pros of using OUs in the production environment

    • Price – no additional hardware required
    • Less administration required to maintain only one environment
    • Time taken to do testing is quicker because there is no pre-work required to set up an AD test environment

    Cons of using OUs in the production environment

    • Drift will be quite bad, so tests will be less accurate
    • It may not be possible to make test the same as production, because some test systems may be required and therefore cannot have the same names / IP addresses as production

    AD Test Environment Best Practice #4: Security Filtering

    This is how I like to do AD test environments. In my opinion, this should be best practice for most companies that have careful IT staff.

    You can use your production AD environment and production OUs to test GPOs. Simply set the GPO’s Security Filtering so that the Authenticated Users group is removed and add a test security group to the security filter.

    Pros of using Security Filtering in the production environment

    • Your test environment is always 100% the same as production
    • You can run multiple tests at once using different security groups on each GPO security filter with 100% confidence that 1 test won’t interfere with another test
    • Time – No pre-work to set up an AD test environment
    • Price – No additional cost to set up
    • Administration – No additional administration of two environments

    Cons of using Security Filtering in the production environment

    • If staff don’t ensure that they remove the Authenticated Users group before they make changes to the GPO, this will affect the production environment

    Additionally, some companies have variations on the above that they use as best practice, such as having a different domain name or setting up a sub-domain of their production domain to be used as a test environment. In any case, everyone would agree that best practice for setting up an AD test environment would be to ensure that it matches your production environment as closely as possible without running the risk of having tests occur in your production environment. Of course the flip side of that is the risk that a test would pass through the test environment and create a problem in your production environment, which is far more common. This is why I’m an advocate of using security filtering as a best practice for setting up an Active Directory test environment.

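The security-filtering workflow from practice #4, as an added PowerShell example that is not part of the original post: it creates the GPO empty and unlinked, scopes it to a test group, verifies the scope, and only then links it, so the GPO never applies to Authenticated Users while it is being edited. Authenticated Users keeps Read (without Apply) because, since security update MS16-072, user policy is fetched in the computer's security context and the computer account must still be able to read the GPO. The GPO name, group name and OU below are assumed placeholders.

```powershell
#Requires -Modules GroupPolicy
# Added example. All three names below are hypothetical placeholders.
$GpoName   = 'TEST - Browser Settings'
$TestGroup = 'GPO-Test-BrowserSettings'          # security group holding the test users/computers
$TargetOu  = 'OU=Workstations,DC=example,DC=com'

function Set-GpoTestScope {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$Group)

    # Lower Authenticated Users from Apply to Read. -Replace is needed because
    # Set-GPPermission will not reduce an existing permission level without it.
    Set-GPPermission -Name $Name -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null

    # Only members of the test group apply the GPO.
    Set-GPPermission -Name $Name -TargetName $Group -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
}

function Test-GpoTestScope {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$Group)

    $perms    = Get-GPPermission -Name $Name -All
    $appliers = @($perms | Where-Object { $_.Permission -eq 'GpoApply' } |
                  ForEach-Object { $_.Trustee.Name })
    $authRead = $perms | Where-Object {
        $_.Trustee.Name -eq 'Authenticated Users' -and $_.Permission -eq 'GpoRead'
    }
    # Pass only if the test group is the sole trustee with Apply
    # and Authenticated Users still has Read.
    return ($appliers.Count -eq 1 -and $appliers[0] -eq $Group -and [bool]$authRead)
}

# 1. Create the GPO with no settings and no link.
New-GPO -Name $GpoName | Out-Null

# 2. Scope it to the test group before anyone edits it.
Set-GpoTestScope -Name $GpoName -Group $TestGroup

# 3. Refuse to link if the filter is not what we expect.
if (-not (Test-GpoTestScope -Name $GpoName -Group $TestGroup)) {
    throw "GPO '$GpoName' is not scoped to '$TestGroup' only; not linking."
}

# 4. Link to the production OU; only test group members are affected.
New-GPLink -Name $GpoName -Target $TargetOu | Out-Null
```

Running `Test-GpoTestScope` again before each round of edits catches a filter that someone has since widened.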