Tech Off Thread

5 posts

I want to add a Quality Assurance domain. How do I handle DNS servers?

  • TimEPS

    I'm advising a large client on how to isolate their dev and testing from their production.

    They already have one domain, let's say xyz.net, with the Active Directory domain as "XYZ01".

    I want to add a second domain, say QAxyz.net, and make its Active Directory domain "QA01".

    All development and QA servers would be moved to the QAxyz.net domain, the machines would be part of the QA01 domain. Note: Some of these servers will have the same name as the production servers for testing purposes.

    I believe we would have separate DNS servers for each domain.

    If I am logged into the QA01 domain, to access the production domain I would qualify my access like so:
    \\PRODSERVER.xyz.net   login: XYZ01\username

    Do I need to add a forwarder to my QAxyz.net DNS server so that it can see xyz.net?
    Would I need to do the same to the xyz.net DNS server to see QAxyz.net?

    I don't know how to advise them in this.

    Does anyone have any other recommendations for isolating a QA domain?


    Many Thanks in advance!
    Tim

  • W3bbo

    Is this a separate domain in the same forest or a separate forest entirely? What about Federation and Trusts?

    If you want to do organisational firewalling properly you cannot allow any kind of data transfer between the two segregated departments, so your idea of being able to login from one domain to another like that shouldn't work as a matter of policy.

    But first off I'd like to challenge the whole premise of your scenario: why do dev and testing need separate AD domains and infrastructure?

  • TimEPS

    Hello W3bbo,

    Their developers are testing things on dev and QA servers. Some of this is legacy code with servers hard-coded in, DTS packages, etc.

    They have "tested" some of their work and inadvertently hit their production servers.

    The idea is to have the same production server names in a separate untrusted domain.

    They can test to their hearts' content without ever affecting production.

    I've seen QA departments set up a separate domain for this very reason.

    Right now, I have them set up on a private network with a proxy server to allow some access to production and the internet for updates, tools, etc. But it is awkward to use and manage.

    Do you have another idea?

    Thanks again!

    Tim

  • AndyC

    @TimEPS: I don't get what you're trying to accomplish. First you say you want to isolate the QA domain to avoid accidentally impacting production servers (a very good idea), but then you want them to be able to see each other, which will inevitably lead to someone accidentally hitting the wrong system and thus entirely defeating the point of isolating them in the first place.

    Personally I'd keep them very separate. Ideally I'd virtualise the QA domain so that it can be easily accessed remotely from the devs' production workstations and reimaged/altered as needs require.

  • TimEPS

    Hi AndyC,

    That is what I have done actually. A Hyper-V environment, each server on an internal virtual LAN, with a separate server acting as a proxy so they can access the real network (file transfers, updates, tools, remote access).

    It works, but is kind of a hack in that it is harder to administer on an access level in a large company. The idea with the separate domains that don't trust each other is that access to the other domain would have to be deliberate, instead of implied.

    Thanks for your thoughts!
