DerekO
Still Checking the Forum Out
Registered:1478648627 Posts: 2
Posted 1478649383
#1
So here is a use case I don't recall ever hearing of. Any suggestions would be greatly appreciated.

My company wants to create a lab environment that is a "copy" of production. All well and good at the beginning. But immediately, as time goes on, the Production AD instance and the "Copy/Lab" AD instance begin to diverge as changes occur in each. We want all deployments to be built in a "QA" environment with no particular alignment to Prod. A sample environment, let's say. Then we want to build the implementation plan and method of procedure to "introduce" it into the lab as the final checksum of working in the "bigger picture" BEFORE actually introducing it into production. As time goes on, though, users and computers and groups and memberships and values will change.

My question: Is there any way to "log" all changes to Active Directory (or select parts/actions) in a manner that one could review them, say "yes, I want that change replicated in the lab" or "no, ignore that change", and then "replay" those changes in the lab so that, let's say, all new/changed users & groups in the last month get added to the Lab? And potentially from lab to prod.

I tried talking to some AD auditing software companies and they said - nope, who'd want to do that. Any ideas?
cj_berlin
Senior Member
Registered:1451592353 Posts: 268
Posted 1478678847
#2
As far as AD users, groups and possibly Exchange go, I would expect that you can achieve this with FIM/MIM or some other Identity Management solution.
Computers, I don't think so. Or SQL, or your LOB apps...
But I agree that you don't see this done very often, if at all.
What is usually done instead: you clone Prod to Lab on a regular basis but as completely as is necessary.
__________________
Evgenij Smirnov
My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
wkasdo
Administrator
Registered:1451582051 Posts: 229
Posted 1478679025
· Edited
#3
+1 Evgenij
Aside from that, consider security and privacy. You will copy PII information and passwords to another environment. Is this secured in the same way? Do the same trusted people have access? Does this company have regulations to follow that might have a problem with this scenario (finance, healthcare, various GOVs?)
__________________ [MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
DerekO
Still Checking the Forum Out
Registered:1478648627 Posts: 2
Posted 1478720348
#4
@Evgenij - Yes, it is an unconventional approach. I will have to look into Identity Management a little deeper. I agree that "on a regular basis but as completely as is necessary" is likely to be the approach used, but AD is pretty much all or nothing. Too much re-replication can disrupt ongoing activities. Guess I'm just looking for the best way to keep as much consistency as possible over time with as little disruption to the operations.

@wkasdo - Yes, luckily secured the same, with the same people using the lab as they have in prod. Thankfully no legislative oversight or restrictive regulations.

Thanks for sharing your thoughts.
Derek
wobble_wobble
Associate Troublemaker Apprentice
Registered:1451575798 Posts: 871
Posted 1478730282
#5
I've used Veeam SureBackup jobs to restore 'jobs' and not shut them down after restore.
I used it in an app development environment where we wanted to test IIS code, SQL code, app servers etc.
At a point in time we'd either delete or push SharePoint/SQL or file data into the 'test labs'.
Veeam have some scripts to push some backups to dev/test labs.
But as said, these labs need to be hidden, no network connectivity etc.
__________________ Have you tried turning it off and walking away? The next person can fix it!