Long-time auditor, first caller. I've recently been promoted to my first position as a Systems Analyst – and I'm very excited, even if I'm a little green.
My company has just launched a new internal application on which our development team has been working for a few years, before my arrival.
Now that the application and integrations have been published to the production environment, the DevOps team is restructuring the CI/CD pipeline to make sure that every environment is protected by a firewall. We have Dev, QA, UAT and Prod environments.
Developers insist that everything be written as scripts, so that environments can be torn down and rebuilt as needed. Of course, all non-production environments must mimic the production environment as closely as possible. Currently, Active Directory is structured as a single forest with a single domain.
Our common concern is that – when building an environment, including AD elements (e.g., user accounts, service accounts, security groups, and distribution groups) – we could inadvertently make an unwanted change to our single AD, which of course is responsible for all production authentication (users, computers, etc.).
My question: What are the best practices for DevOps teams in terms of architecture, management and isolation of Active Directory across multiple environments? Should we create another forest, with a trust relationship? Or maybe a child domain in the existing forest? Or something totally different?
If all environments are separate – that is, firewalled and isolated from each other, but they all break out of that isolation to have a "point of contact" in a single AD – how is that best managed?
Looking forward to any guidance, and yes – I am Googling / looking around on my own as well, regardless of my question here. I thought this community could be a good place to continue my research.
Please – if I have not provided the necessary information to answer the question correctly, let me know.
Thanks in advance.
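As an added illustration of the "don't accidentally touch production AD" concern raised above (example code, not from the original post or anyone's production tooling): a guard at the top of an environment-provisioning script that verifies which domain and forest the target DC actually serves before creating any objects. It assumes one isolated forest per non-production environment; the domain names, the OU layout and the `AD_PROD_CHANGE_APPROVED` variable are assumptions.

```powershell
# Added example: guard for environment-provisioning scripts. Domain names,
# OU paths and the approval variable are assumed, not taken from any real setup.
param(
    [Parameter(Mandatory)][ValidateSet('Dev','QA','UAT','Prod')][string]$Environment,
    [Parameter(Mandatory)][string]$TargetServer   # the DC this run will talk to
)
Import-Module ActiveDirectory

# Assumed layout: each non-production environment is its own forest.
$ExpectedDomain = @{
    Dev  = 'dev.corp.example'
    QA   = 'qa.corp.example'
    UAT  = 'uat.corp.example'
    Prod = 'corp.example'
}

# Resolve what the target DC really is instead of trusting the caller's label.
$domain = Get-ADDomain -Server $TargetServer -ErrorAction Stop
$forest = Get-ADForest -Server $TargetServer -ErrorAction Stop

# Guard 1: the DC must belong to the domain expected for this environment.
if ($domain.DNSRoot -ne $ExpectedDomain[$Environment]) {
    throw "Refusing to run: '$TargetServer' serves '$($domain.DNSRoot)', expected '$($ExpectedDomain[$Environment])' for $Environment."
}

# Guard 2: a non-production run must never land in the production forest,
# even if a trust or a mislabelled DC would otherwise let it.
if ($Environment -ne 'Prod' -and $forest.RootDomain -eq $ExpectedDomain['Prod']) {
    throw "Refusing to run: target forest '$($forest.RootDomain)' is production."
}

# Guard 3: production changes need an explicit, separately approved switch.
if ($Environment -eq 'Prod' -and -not $env:AD_PROD_CHANGE_APPROVED) {
    throw "Refusing to run: production provisioning requires AD_PROD_CHANGE_APPROVED."
}

# Only now create this environment's objects, always pinned to the validated DC.
$ouPath = "OU=$Environment,$($domain.DistinguishedName)"
$suffix = $Environment.ToLower()
New-ADGroup -Name "app-svc-$suffix" -GroupScope Global -Path $ouPath -Server $TargetServer
New-ADUser -Name "svc-app-$suffix" -Path $ouPath -Server $TargetServer `
    -AccountPassword (Read-Host -AsSecureString 'Service account password') -Enabled $true
Write-Host "Provisioned $Environment objects in $($domain.DNSRoot) via $TargetServer."
```

Pinning every cmdlet to `-Server $TargetServer` matters as much as the checks: without it the AD module picks a DC by site and credentials, which is exactly how a Dev run can end up writing to the production domain.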