How do others make AD available in Test Failover?

Thanks, Chris.  Yeah, I saw that article earlier.  It makes it pretty clear that you should not replicate a domain controller with Zerto.  We do have a domain controller at our DR site that is actively replicating (via native MS AD replication) with production.  My question is how do I use that to authenticate in my isolated Test Failover network?  The domain controller operates outside of that bubble.

Yes, this is true.  But then wouldn’t there be an issue with my production AD seeing not only my production file server but also the replicated file server that has been spun up in the test network?

Thanks so much Matthew!  That’s exactly the kind of information I was looking for.  Do you happen to have a method for users to login to your test network via RDS?  Wondering if I need to setup a multi-home system so users can login and test, but not sure.

Thanks again, Matthew.  Super helpful!  Cross network traffic has been my #1 concern as well.  I work for a largish enterprise and I don’t want to be the one who corrupted AD.  I’ll give this a go.  Our current environment houses 2 separate domains with a one-way trust.  Users are authenticating on one domain, then accessing resources that are in a second domain so I’ll need to clone DCs from both and bring them into test.  Hopefully that doesn’t throw a wrench in it, but we’ll see.

Matthew, do you do anything else to your DC once you bring it up in test?  Do you have to manually re-IP it?  Since I have to bring in 2 DCs from different domains (trust between), re-IP them, that seems to blow things out of the water.  I’m also failing over an app server and file server.  Attempting to access files from the app server but no go.  Can’t authenticate.  Might just be too many moving parts for this to work for us.

Yeah, good point.  I was leaning toward not changing anything on each but, as you mention, leveraging a VM that has a leg in each subnet.  Thanks for the feedback.

Follow up:  I haven’t completed testing on this yet but after further research it appears that I will need to seize FSMO roles for the DCs that I’m bringing into the test failover network and perform some metedata cleanup.  I’ll post more info as it becomes available in case others run into this.

Unfortunately, as mentioned, we have to clone 2 DCs from 2 different domains into test.  I can easily seize FSMO roles on one of the DCs but the other is part of a much larger forest and only corp IT has schema\enterprise admin rights.  Without seizing those roles I don’t think there’s any chance it’s going to work.  So far I’ve been able to get the 2 DCs and a couple of other servers to all see each other on the test failover network but AD is failing.  DCdiag reports numerous errors.  Still working with corp IT on this.

https://www.concurrency.com/blog/november-2018/active-directory-during-dr-tests