Keeping two active domains AD "syncronized" in a Prod/Lab scenario

Author

Comment

DerekO

Still Checking the Forum Out
Registered:1478648627
Posts: 2

Posted 1478649383	Reply with quote #1

So here is a use case I don't recall ever hearing of. Any suggestions would be greatly appreciated. My company wants to create a lab environment that is a "copy" of production. All well and good at the beginning. But immediately as time goes on the Production AD instance and the "Copy/Lab" AD instance begin to diverge as changes occur in each. We want all deployments to be built in a "QA" environment with no particular alignment to Prod. A sample environment lets say. Then we want to build the implementation plan and method of procedure to "introduce" it into the lab as the final checksum of working in the "bigger picture" BEFORE actually introducing it into production. As time goes on though, users and computers and groups and memberships and values will change. My question: Is there any way to "log" all changes to active directory (or select parts/actions) in a manner that one could review them, say "yes I want that change replicated in the lab" or "no, ignore that change" and then "replay" those changes in the lab so that lets say all new/changed users & groups in the last month get added to the Lab. And potentially from lab to prod. I tried talking to some AD auditing software companies and they said - nope, who'd want to do that. Any ideas?
0 0 0

cj_berlin

Senior Member
Registered:1451592353
Posts: 199

Posted 1478678847	Reply with quote #2

As far as AD users, groups and possibly Exchange go, I would expect that you can achieve this with FIM/MIM or some other Identity Management solution. Computers, I don't think so. Or SQL, or your LOB apps... But I agree that you don't see this done very often, if at all. What is usually being done instead, you clone Prod to Lab on a regular basis but as completely as is necessary. __________________ Evgenij Smirnov My personal blog (German): http://www.it-pro-berlin.de/ My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
0 1 1

wkasdo

Administrator
Registered:1451582051
Posts: 183

Posted 1478679025 · Edited	Reply with quote #3

+1 Evgenij Aside from that, consider security and privacy. You will copy PII information and passwords to another environment. Is this secured in the same way? Do the same trusted people have access? Does this company have regulations to follow that might have a problem with this scenario (finance, healthcare, various GOVs?) __________________ [MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
0 1 1

DerekO

Still Checking the Forum Out
Registered:1478648627
Posts: 2

Posted 1478720348	Reply with quote #4

@Evgenij - Yes, it is an unconventional approach. I will have to look into Identity Management a little deeper. I agree that "on a regular basis but as completely as is necessary" is likely to the be approach used but AD is pretty much all or nothing. To much re-replication can disrupt ongoing activities. Guess I'm just looking for the best way to keep as much consistency as possible over time with as little disruption to the operations. @wkasdo - Yes, luckily secured the same with the same people using the lab as they have in prod. Thankfully no legislative oversight or restrictive regulations. Thanks for sharing your thoughts. Derek
0 0 0

wobble_wobble

Associate Troublemaker Apprentice
Registered:1451575798
Posts: 781

Posted 1478730282	Reply with quote #5

I've used Veeam Sure Backup Jobs to restore 'jobs' and not shut them down after restore. I used it in an app development environment where we wanted to test IIS code, SQL code, App servers etc. At a point in time we'd either delete or push Sharepoint/ SQL or file data into the 'test labs' Veeam have some scripts to push some backups to dev/ test labs. But as said. These labs need to be hidden, no network conectivity etc. __________________ Have you tried turning it off and walking away? The next person can fix it! New to the forum? Read this
0 0 0

Previous Topic | Next Topic