Forum Discussion
shocko
Sep 05, 2023 - Steel Contributor
Active Directory - Setup ideas for non-prod/test domains
We currently have a single production ADDS domain and forest named myorg.prod. We also maintain a completely separate domain/forest named myorg.dev where we do all non-prod testing of applications/integrations, GPO changes, etc.
As our estate has sprawled to cloud and other platforms we find this limiting, as we need to maintain separate identities for our production and test users, i.e. when a user logs into a Dev/Test workstation or application they use a Dev/Test user account as opposed to their production one.
For us it would make sense that users could use their production identity across the Dev/Test domains as we control the prod identity lifecycle tightly and have excellent SOC/SIEM controls around it.
So I am wondering what this might look like? The requirements would be something like this:
- Users can use their identity from myorg.prod ADDS to sign in to non-prod domains (server/workstation RDP logons, file shares, etc.)
- GPO from prod domain can be applied to workstations/servers in non-prod domain
Would the non-prod domain be a new domain in the prod forest, sub-domain of prod or a separate domain/forest with trusts?
swake457 - Copper Contributor
I’ve implemented both methods several times over the years. Often there are other considerations that may sway the solution one way or the other. You mention strong SOC/SIEM controls, which is always a big plus. A number of other factors come to mind.
- How large will non-prod be? How many users? And at what frequency will the environment be accessed? I’m assuming some form of RDP/jump/bastion access method will be used.
- Will this NP be permanent, or in support of a finite project? (In these cases I typically prefer to use a separate forest/domain & trust setup, as it doesn’t need as much cleanup for the prod domain.)
- Is Azure AD involved?
- Will NP need to support other dependent services? SQL, SharePoint, SMTP, others, etc.
If you plan to automate much of this (strongly recommended) via request processes, group membership, and JIT/PAM tools, I tend to lean towards a separate forest. It also helps minimize traversal attacks, as hackers often look to exploit lower environments hoping to escalate to production.
At the end of the day, there’s no real right or wrong way. Just the way that works best for your needs.
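Added example, not code from either poster: if the separate-forest-with-trust option from the question is chosen, the settings that decide how much of the "traversal" risk the answer mentions actually remains are the trust's direction, SID filtering, selective authentication and TGT delegation. The script below reads the trusts visible from a domain controller with the RSAT `ActiveDirectory` module (`Get-ADTrust`) and reports which of those hardening settings are missing. The domain names come from the thread; the `Get-TrustHardeningReport` function name, the default of inspecting `myorg.prod`, and the "expected" values it checks against are assumptions made for illustration.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module is
# installed and the caller can read trustedDomain objects in the domain inspected.
# Function name and the expected settings are assumptions for illustration.
Import-Module ActiveDirectory

function Get-TrustHardeningReport {
    param(
        # Domain whose trust objects are inspected; myorg.prod is the thread's prod domain.
        [string]$Server = 'myorg.prod'
    )

    Get-ADTrust -Filter * -Server $Server | ForEach-Object {
        $trust    = $_
        $findings = @()

        # Intra-forest (parent/child, tree-root) trusts cannot be SID-filtered or made
        # selective: the forest, not the domain, is the security boundary. That is why
        # the child-domain option gives no isolation from non-prod; report and move on.
        if ($trust.IntraForest) {
            $findings += 'intra-forest trust: no isolation boundary'
        }
        else {
            # SID filtering stops SID-history values from the trusted side being honoured.
            # Forest trusts expose it as SIDFilteringForestAware, external trusts as
            # SIDFilteringQuarantined; both default to enabled and should stay that way.
            $sidFiltered = if ($trust.ForestTransitive) { $trust.SIDFilteringForestAware }
                           else                         { $trust.SIDFilteringQuarantined }
            if (-not $sidFiltered) { $findings += 'SID filtering disabled' }

            # Selective authentication makes "Allowed to Authenticate" an explicit grant
            # per computer instead of every prod user being able to log on anywhere.
            if (-not $trust.SelectiveAuthentication) {
                $findings += 'domain-wide authentication (selective auth off)'
            }

            # TGT delegation across the trust lets non-prod hosts obtain prod TGTs
            # via unconstrained delegation; keep it off.
            if ($trust.TGTDelegation) { $findings += 'TGT delegation enabled across trust' }

            # The requirement is prod users signing in to non-prod. Seen from myorg.prod
            # that is an Inbound trust (myorg.dev trusts prod); BiDirectional also lets
            # non-prod identities into prod, which the requirement does not need.
            if ($trust.Direction -eq 'BiDirectional') {
                $findings += 'two-way trust: non-prod accounts can also authenticate to prod'
            }
        }

        [pscustomobject]@{
            Trust                   = $trust.Name
            Direction               = $trust.Direction
            ForestTransitive        = $trust.ForestTransitive
            SelectiveAuthentication = $trust.SelectiveAuthentication
            Findings                = if ($findings) { $findings -join '; ' } else { 'ok' }
        }
    }
}

# Run from a prod domain controller (or any host that can reach one) and review the table.
Get-TrustHardeningReport -Server 'myorg.prod' | Format-Table -AutoSize
```

Run it from both sides (`-Server 'myorg.prod'` and `-Server 'myorg.dev'`), because each domain holds its own trustedDomain object and the direction is reported relative to the domain queried. The same properties can be changed with `netdom trust`, and any change to them is worth wiring into the SOC/SIEM monitoring the question already relies on, since trust attributes are exactly what an attacker in the lower environment would want relaxed.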