Forum Discussion
Active Directory - Setup ideas for non-prod/test domains
I’ve implemented both methods several times over the years. Often there are other considerations that may sway the solution one way or the other. You mention strong SOC/SIEM controls, which is always a big plus. A number of other factors come to mind.
- How large will non-prod be? How many users? And at what frequency will the environment be accessed? I’m assuming some form of RDP/jump/bastion access method will be used.
- Will this NP be permanent, or in support of a finite project? (In those cases I typically prefer to use a separate forest/domain & trust setup, as it doesn’t need as much cleanup in the prod domain.)
- Is Azure AD involved?
- Will NP need to support other dependent services? SQL, SharePoint, SMTP, etc.
If you plan to automate much of this (strongly recommended) via request processes, group membership, and JIT/PAM tools, I tend to lean towards a separate forest. It also helps minimize traversal attacks, as hackers often look to exploit lower environments hoping to escalate to production.
At the end of the day, there’s no real right or wrong way. Just the way that works best for your needs.
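The separate-forest-plus-trust design above only limits traversal if the trust is shaped correctly from production's side. The following PowerShell audit is an added example, not code from the original post or its author: it lists every trust visible from the prod domain, picks out the ones whose partner name looks like a non-prod forest, and flags the conditions that would let non-prod principals authenticate into prod. The regex used to recognise non-prod forests, the `Get-NonProdTrustFindings` function name and any domain names such as `np.example.com` are assumptions for illustration; it assumes the RSAT ActiveDirectory module on a prod-joined admin host.

```powershell
# Added example (not from the original post): audit trusts from the production
# side and flag the ones that let non-prod principals authenticate into prod.
# Assumptions: RSAT ActiveDirectory module present; non-prod forests are
# recognised by the -NonProdPattern regex (hypothetical naming convention).
#Requires -Modules ActiveDirectory

function Get-NonProdTrustFindings {
    [CmdletBinding()]
    param(
        # Hypothetical naming convention: np.example.com, test.example.com, ...
        [string]$NonProdPattern = '^(np|nonprod|test|dev|uat)\.',
        # Domain to audit; defaults to the domain of the current session.
        [string]$Server = $env:USERDNSDOMAIN
    )

    foreach ($trust in Get-ADTrust -Filter * -Server $Server) {
        if ($trust.Name -notmatch $NonProdPattern) { continue }

        $findings = @()
        $direction = "$($trust.Direction)"

        # Direction is relative to the local (prod) domain. Inbound or
        # BiDirectional means the partner's principals can be authenticated
        # here; Outbound only lets prod users into the non-prod forest.
        if ($direction -in @('Inbound', 'BiDirectional')) {
            $findings += "non-prod principals can authenticate into $Server (Direction=$direction)"

            # Without selective authentication every prod resource is reachable
            # once a non-prod account is compromised; with it, access requires an
            # explicit 'Allowed to Authenticate' ACE on each target computer.
            if (-not $trust.SelectiveAuthentication) {
                $findings += 'selective authentication is off (forest-wide authentication)'
            }

            # SID filtering (quarantine) stops SID-history injection from the
            # non-prod side being honoured by prod.
            if (-not $trust.SIDFilteringQuarantined) {
                $findings += 'SID filtering (quarantine) is off'
            }
        }

        [pscustomobject]@{
            Partner                 = $trust.Name
            Direction               = $direction
            ForestTransitive        = $trust.ForestTransitive
            SelectiveAuthentication = $trust.SelectiveAuthentication
            SIDFilteringQuarantined = $trust.SIDFilteringQuarantined
            Findings                = $findings
        }
    }
}

# Usage: run from the prod domain and review anything with a non-empty Findings list.
Get-NonProdTrustFindings | Format-List
```

Remediation is done with `netdom` rather than the AD module (there is no `Set-ADTrust` cmdlet): `netdom trust <prod-domain> /d:<np-domain> /quarantine:yes` turns SID filtering on and `netdom trust <prod-domain> /d:<np-domain> /SelectiveAUTH:yes` switches the trust to selective authentication, after which only computers in prod that carry an "Allowed to Authenticate" ACE for the non-prod principals will accept them. The cleanest outcome for a throwaway project forest is usually an outbound-only trust from prod, or no trust at all with access via the jump/bastion path mentioned above.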