This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 22%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAE%3C/text%3E%3C/svg%3E)
Hello Microsoft Community,
I’m seeking some recommendations regarding the configuration of Domain Controllers for our production and non-production test environments.
Currently, both our production and non-production (test) environments are within the same forest. As our environment grows and the need for separation between production and non-production increases, we are evaluating our options for re-structuring this setup. Specifically, we would like to understand the best approach for isolating the non-production environment while still allowing for appropriate access between the two environments if needed.
Here are the options we are considering:
Creating a New Forest for Non-Production – We are considering creating a completely separate forest for non-production and establishing a forest trust between the production and non-production environments. Is this recommended, and are there any best practices for implementing forest trusts in this context?
Creating a New Tree or Child Domain in the Current Forest – Alternatively, we could create a new tree or child domain under the current forest. This would potentially provide easier management but might not offer as much isolation as a separate forest. What are the trade-offs here in terms of security, management, and scalability?
We would greatly appreciate any insights or recommendations from others who have dealt with similar scenarios or have expertise in managing domain environments with both production and non-production systems.
Thank you in advance for your help!
Any Help Plz
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off. Learn more
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Hi @Ahmed Essam
The test environment should be completely separate from production, in order to avoid impacting production during testing.
What I recommend is to install a new forest on a network completely separate from production and not to configure a trust relationship between the two environments.
Please don't forget to accept helpful answer
Thanks @Thameur-BOURBITA
Unfortunately, There is no room to create new forest, we are extending our production site to new datacenter that require also to add two domain controller at least to achieve the high availability, for the NON-Prod site someone suggest to implement RODC what's the cons and pros for RODC ? and how we can secure the DNS until the management decide to approve the creating of new site
Thanks once again
I would say that you can create a child domain for non-production envirement but the problem when you reuse the same forest as production and non-production environment , you will be unable to validate some task in non-production environment like schema extension or adding a setting in configuration partition.
Please don't forget to accept helpful answer