Mark Minasi's Tech Forum
DerekO

So here is a use case I don't recall ever hearing of.  Any suggestions would be greatly appreciated.

My company wants to create a lab environment that is a "copy" of production.  All well and good at the beginning.  But immediately as time goes on the Production AD instance and the "Copy/Lab" AD instance begin to diverge as changes occur in each.

We want all deployments to be built in a "QA" environment with no particular alignment to Prod.  A sample environment, let's say.

Then we want to build the implementation plan and method of procedure to "introduce" it into the lab as the final checksum of working in the "bigger picture" BEFORE actually introducing it into production.

As time goes on though, users and computers and groups and memberships and values will change.

My question:

Is there any way to "log" all changes to Active Directory (or select parts/actions) in a manner that one could review them, say "yes, I want that change replicated in the lab" or "no, ignore that change", and then "replay" those changes in the lab so that, let's say, all new/changed users & groups in the last month get added to the Lab?  And potentially from lab to prod.

I tried talking to some AD auditing software companies and they said - nope, who'd want to do that.

Any ideas?
cj_berlin

As far as AD users, groups and possibly Exchange go, I would expect that you can achieve this with FIM/MIM or some other Identity Management solution.

Computers, I don't think so. Or SQL, or your LOB apps...

But I agree that you don't see this done very often, if at all.

What is usually done instead is that you clone Prod to Lab on a regular basis but as completely as is necessary.

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
wkasdo


+1 Evgenij

Aside from that, consider security and privacy. You will copy PII information and passwords to another environment. Is this secured in the same way? Do the same trusted people have access? Does this company have regulations to follow that might have a problem with this scenario (finance, healthcare, various GOVs?)


__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
DerekO

@Evgenij - Yes, it is an unconventional approach.  I will have to look into Identity Management a little deeper.  I agree that "on a regular basis but as completely as is necessary" is likely to be the approach used, but AD is pretty much all or nothing.  Too much re-replication can disrupt ongoing activities.  Guess I'm just looking for the best way to keep as much consistency as possible over time with as little disruption to the operations.

@wkasdo - Yes, luckily secured the same with the same people using the lab as they have in prod.  Thankfully no legislative oversight or restrictive regulations.

Thanks for sharing your thoughts.

Derek
wobble_wobble

I've used Veeam SureBackup jobs to restore 'jobs' and not shut them down after restore.
I used it in an app development environment where we wanted to test IIS code, SQL code, app servers etc.
At a point in time we'd either delete or push SharePoint/SQL or file data into the 'test labs'.
Veeam have some scripts to push some backups to dev/test labs.
But as said, these labs need to be hidden, no network connectivity etc.

__________________
Have you tried turning it off and walking away? The next person can fix it!
