Doug Gabbard at Microsoft has some excellent tips and tricks when you’re building up your Windows Active Directory lab here.
There are bunch of detailed instructions in there so make sure to read it, but I found the general DO NOTS very useful, quoted below:
- DO NOT create a snapshot of domain controller and place in an isolated network – someone will UN isolated the lab one day and your mileage will vary WHEN (not if) that happens.
- DO NOT take a physical domain controller from production domain to an isolated network to build a lab – It is feasible that a lab network that has had all the production domain controllers’ metadata removed from the lab can then successfully remove the domain controllers from the production environment also WHEN they two environments are UN isolated.
- DO NOT use backups of a production environment to create a lab – the lab forest will have the same forest GUID and if connect to production will cause issues.
- DO NOT use production domain controllers for testing – no matter how much you promise the testing will not replicate to the other domain controllers and that the domain controllers used for testing will be formatted and all metadata removed.
- DO NOT give the lab forest name the same as the production forest. Using the same name will confuse even the best engineer and can lead to changes being made to the wrong environment.
- DO NOT not have a lab. Is that grammatically correct – NOT not?