We have an account automation tool that does a lot of work with AD users/groups/etc, and after a recent hiccup there is strong interest in having a dev/test instance of the tool. The problem with that is that it would need a non-live DC to talk to. :)

So the question is, how do I safely have a non-production DC that can be easily (relatively) updated with data from our actual domain? Unfortunately, since the automation support and contractor are remote, I don't see a way to air-gap the test DC. One possibility I considered was to have a DC that lives in its own site and doesn't perform outbound replication. But that has the issue of changes made to the local copy not necessarily being overwritten by inbound replication, which would cause sync issues. Part of me thinks the right answer is a local VM that's isolated from the network, but then I'd have to have the contractor either run it locally (which would create issues around sending AD updates) or allow them console access to the VM from vCenter. Anyone have a good solution for this type of scenario?

DAMIEN SOLODOW
Senior Systems Engineer
317.447.6033 (office)
317.447.6014 (fax)
HARRISON COLLEGE
500 North Meridian St Suite 500
Indianapolis, IN 46204-1213
www.harrison.edu
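One way to get the "refreshed from our actual domain" property without any replication path between the two forests is a one-way export/import: read the objects the automation tool cares about from production with a read-only account, scrub what the lab does not need, and re-create them in a separate lab forest with a lab-only account. The script below is an added example, not code from the original post or from any product; the server names, OUs, export path and placeholder password are hypothetical and would need to be replaced.

```powershell
# Added example (not from the original post): one-way refresh of an isolated lab
# domain from a read-only export of production AD. Nothing is written to production,
# and the lab forest has no trust or replication link back, so changes the automation
# tool makes in the lab cannot leak into the live directory.
# Hypothetical values below: ProdServer, LabServer, SourceOU, TargetOU, ExportPath.
param(
    [string]$ProdServer = 'dc01.corp.example',            # production DC (read only)
    [string]$LabServer  = 'labdc01.lab.example',          # DC in the separate lab forest
    [string]$SourceOU   = 'OU=Staff,DC=corp,DC=example',  # scope of the export
    [string]$TargetOU   = 'OU=Lab,DC=lab,DC=example',     # where lab objects are created
    [string]$ExportPath = 'C:\adlab\export.xml'
)

Import-Module ActiveDirectory

# --- Step 1: read-only export from production ---------------------------------
# Only the attributes the tool works with are exported; no password material or
# security descriptors ever leave production.
$users = Get-ADUser -Server $ProdServer -SearchBase $SourceOU -Filter * `
    -Properties GivenName, Surname, Department, Title, Enabled |
    Select-Object SamAccountName, GivenName, Surname, Department, Title, Enabled

$groups = Get-ADGroup -Server $ProdServer -SearchBase $SourceOU -Filter * |
    ForEach-Object {
        [pscustomobject]@{
            Name       = $_.Name
            GroupScope = $_.GroupScope
            Members    = @(Get-ADGroupMember -Server $ProdServer -Identity $_ |
                           Where-Object objectClass -eq 'user' |
                           Select-Object -ExpandProperty SamAccountName)
        }
    }

# Scrub personal data: keep the structure (logon names, groups, memberships) the
# tool needs, but replace display names so the lab holds no real PII.
$i = 0
$users = $users | ForEach-Object {
    $i++
    $_.GivenName = "Test$i"
    $_.Surname   = "User$i"
    $_
}

@{ Users = $users; Groups = $groups } | Export-Clixml -Path $ExportPath

# --- Step 2: import into the lab forest (lab credentials only) ----------------
$data = Import-Clixml -Path $ExportPath
# Placeholder lab-only password; every imported account is forced to change it.
$labPassword = ConvertTo-SecureString 'Lab-Only-CHANGEME-1!' -AsPlainText -Force

foreach ($u in $data.Users) {
    # Idempotent: re-running the refresh only adds objects that are missing.
    if (-not (Get-ADUser -Server $LabServer -Filter "SamAccountName -eq '$($u.SamAccountName)'")) {
        New-ADUser -Server $LabServer -Path $TargetOU -SamAccountName $u.SamAccountName `
            -Name "$($u.GivenName) $($u.Surname)" -GivenName $u.GivenName -Surname $u.Surname `
            -Department $u.Department -Title $u.Title -Enabled $u.Enabled `
            -AccountPassword $labPassword -ChangePasswordAtLogon $true
    }
}

foreach ($g in $data.Groups) {
    if (-not (Get-ADGroup -Server $LabServer -Filter "Name -eq '$($g.Name)'")) {
        New-ADGroup -Server $LabServer -Path $TargetOU -Name $g.Name -GroupScope $g.GroupScope
    }
    if ($g.Members.Count -gt 0) {
        # Membership is re-applied by SamAccountName; members already present are skipped by AD.
        Add-ADGroupMember -Server $LabServer -Identity $g.Name -Members $g.Members
    }
}
```

Two points worth keeping in mind with this approach: the account that runs step 1 needs only read rights in production, so the export can be scheduled from a jump host the remote contractor never touches, and the account for step 2 exists only in the lab forest, so the tool's dev/test instance is pointed at `$LabServer` and has no credential that is valid against the live DCs. SamAccountName is kept unchanged so that the automation tool's lookups behave as they do in production; if even logon names are considered sensitive, the same scrub loop can pseudonymize them as long as the mapping is applied consistently to group membership lists.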
