Long time listener, first time caller. I’ve recently been promoted to my first Systems Analyst gig – and I’m very excited, if not a little green.
My organization just launched a new in-house application that our Dev team has been working on for a few years, prior to my arrival.
Now that the application and integrations have been released to the production environment, the DevOps team is re-architecting the CI/CD pipeline, to be sure that each enviro is firewalled from the others. We have Dev, QA, UAT, and Prod environments.
The Developers are pushing hard for scripting everything, so that environments may be torn down and built up as needed. Of course, all the non-Prod environments need to mimic the Prod enviro as much as possible. Currently, Active Directory services are structured as a single forest, single domain.
Our shared concern is that – upon scripting the creation of the enviros, including AD elements (e.g. user accounts, service accounts, security and distribution groups) – we could inadvertently cause an undesired change to our single AD, which of course, is responsible for all production authentication (e.g. users, computers, etc…).
My question: What are some best practices for DevOps teams in terms of architecting/managing/isolating Active Directory across environments? Should we create another forest, with a trust relationship? Or maybe a child domain in the existing forest? Or something totally different?
If all the environments are uniquely their own – that is, firewalled and isolated from one another, but all reach out from within their isolation to have a “touchpoint” in a single AD, how is this best managed?
Looking forward to any guidance, and yes – I have been Google-fuing/researching independently of asking here. Just thought this community might be a good place to continue my search.
Please – if I haven’t provided the necessary information to appropriately answer the question, just let me know.
Thanks in advance.
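One guard-rail for the concern raised in the post above, as an added example that is not from the original poster or their organization: a provisioning script that pins every AD cmdlet to an explicit domain controller with -Server, resolves which domain that DC actually serves, and refuses to create anything unless that domain is on an allow-list of non-production domains (production is deliberately not an accepted target). The domain names, OU layout, group and account names are assumptions made for the example; the cmdlets are the standard ActiveDirectory module ones.

```powershell
<#
  Added example (not code from the original post). Assumed layout: each non-prod
  environment has its own domain; 'corp.example.com' is the assumed production domain.
  Requires the ActiveDirectory module (RSAT). Supports -WhatIf for a dry run.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Environment to build. Prod is intentionally not in the set, so it cannot be chosen.
    [Parameter(Mandatory)][ValidateSet('Dev', 'QA', 'UAT')]
    [string]$Environment,

    # Domain controller that every AD call in this script is pinned to.
    [Parameter(Mandatory)][string]$Server,

    # Account used for provisioning; in a separate forest this would not even exist in prod.
    [Parameter(Mandatory)][pscredential]$Credential
)

Import-Module ActiveDirectory -ErrorAction Stop

# Assumed environment-to-domain mapping. Production is absent on purpose.
$AllowedDomains = @{
    Dev = 'dev.example.test'
    QA  = 'qa.example.test'
    UAT = 'uat.example.test'
}
$ProductionDomain = 'corp.example.com'   # assumed production domain name
$expected = $AllowedDomains[$Environment]

# Ask the DC which domain it serves. A wrong hostname, a stale DNS alias, or a
# copy-pasted prod DC name is caught here, before any object is created.
$domain = Get-ADDomain -Server $Server -Credential $Credential -ErrorAction Stop

if ($domain.DNSRoot -ieq $ProductionDomain) {
    throw "Refusing to run: $Server is a domain controller for production ($ProductionDomain)."
}
if ($domain.DNSRoot -ine $expected) {
    throw "Refusing to run: $Server serves $($domain.DNSRoot); expected $expected for $Environment."
}

$domainDN = $domain.DistinguishedName
$ouName   = "App-$Environment"           # assumed OU naming
$ouDN     = "OU=$ouName,$domainDN"

# Everything is created under the environment OU, and every call carries -Server
# and -Credential, so no cmdlet can fall back to the machine's default domain.
$existingOu = Get-ADOrganizationalUnit -Server $Server -Credential $Credential `
    -Filter "Name -eq '$ouName'" -SearchBase $domainDN -SearchScope OneLevel
if (-not $existingOu) {
    if ($PSCmdlet.ShouldProcess($ouDN, 'Create OU')) {
        # Not protected from deletion: non-prod OUs are meant to be torn down by script.
        New-ADOrganizationalUnit -Server $Server -Credential $Credential `
            -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $false
    }
}

foreach ($group in @("App-$Environment-Admins", "App-$Environment-Users")) {
    if ($PSCmdlet.ShouldProcess("CN=$group,$ouDN", 'Create security group')) {
        New-ADGroup -Server $Server -Credential $Credential -Name $group `
            -Path $ouDN -GroupScope Global -GroupCategory Security
    }
}

$svc = "svc-app-$($Environment.ToLower())"
if ($PSCmdlet.ShouldProcess("CN=$svc,$ouDN", 'Create service account')) {
    # Random initial password; the pipeline rotates it into its secret store afterwards.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $initialPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    New-ADUser -Server $Server -Credential $Credential -Name $svc -SamAccountName $svc `
        -Path $ouDN -AccountPassword $initialPw -Enabled $true `
        -KerberosEncryptionType AES128, AES256
}
```

Run it first with -WhatIf (for example: `.\New-AppEnvironmentAD.ps1 -Environment QA -Server qa-dc01.qa.example.test -Credential (Get-Credential) -WhatIf`) to see exactly which DNs would be created and against which DC. The domain check is the part worth keeping whichever topology is chosen: with separate non-prod forests the provisioning credential cannot authenticate to production at all, and with a child domain or a shared domain the DNSRoot/allow-list comparison is what stops a scripted teardown-and-rebuild from landing in the production naming context.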