We set up the separate forest scenario for our in-house devils about a year ago. The biggest push for this, as everyone has mentioned, was schema extensions. Here are a few things that we did to keep them out of our production arena:

1. Separated all the servers into their own VLAN. They are on the backbone, but WINS and DNS are not forwarded, so they have to terminal into the servers via IP. One reason that we did this was to ensure that after the application was moved into production and code was "rewritten", all links to the test domain that were not removed would break.

2. As stated above, we did not forward DNS, but we did set up a one-way external trust between production and the test domain. This is to allow them to use the file shares and whatnot in the production domain to access various things that they store. This works just like the terminal sessions in that they have to hit the production servers by IP.

3. We still did not give them enterprise admin rights. We kept the test domain root to ourselves and gave them a child domain as the sandbox.

As everyone has stated, the schema extensions are not something to play with. We felt that we could allow them to test schema extensions, but with our supervision. Let them destroy a few standalone DCs and then prove concepts to you, before you extend the schema in the test environment.

Good luck.
-----Original Message-----
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 06, 2002 8:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Development Domain

Amen to that. However, as far as I can tell, the entire forest will need to be in .NET Native Mode (no Win2K DCs) for such 'advanced features' as schema delete to work. I hope I'm wrong, but that's what I understand. Anybody know for sure?

-----Original Message-----
From: Rachui, Scott [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 06, 2002 10:01 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Development Domain

The next version of Active Directory will have a Schema Delete feature. It's about time!

-----Original Message-----
From: Steve Thomas [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 06, 2002 9:57 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Development Domain

] It sure will be nice when we can actually delete schema elements
] that were defined in error!

No kidding! Never in my years of working with NT have I had to reinstall a server because of a single typo... until a couple of weeks ago. ARGH! Thank goodness it was only a single-box test forest.

St-

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
