Forum Discussion

shocko's avatar
shocko
Steel Contributor
Sep 05, 2023

Active directory - Setup ideas for non-prd/tets domains

We currently have a single production ADDS domain and forest named myorg.prod. We also maintain a completely separate domain/forest named myorg.dev where we do all non-prod testing of applications/in...
Active Directory
security
windows server
swake457's avatar
swake457
Copper Contributor
Sep 06, 2023

shocko 

 

I’ve implemented both methods several times over the years. Often there are other considerations that may sway the solution one way or the other. You mention strong SOC/SIEM controls, which is always a big plus. A number of other factors come to mind. 

- how large will non prod be? How many users? And at what frequency will the environment be accessed? I’m assuming some form of RDP/jump/bastion access methods will be used. 

-  will this NP be permanent, or in support of a finite project? (In these cases I typically prefer to use a separate forest/domain & trust setup as it doesn’t need as much cleanup for the prod domain)

- is Azure AD involved?

- will NP need to support other dependent services? SQL, SharePoint, SMTP, others, etc

 

If you plan to automate much of this (strongly recommended) via request processes, group membership, JIT/PAM tools I tend to lean towards a separate forest. Also helps minimize traversal attacks as hackers often look to exploit lower environments hoping to escalate to production. 

At the end of the day, there’s no real right or wrong way. Just the way that works best for your needs.