When considering the typical Development, Test or QA, and Production environments of an application (say a custom web app), should there be a separate AD forest for each one? Or should there be a dev and a production forest? Or just a production AD forest?

This applies across a very large enterprise. Currently the setup is a DEV forest that houses development environments, and a PROD forest that houses test and production environments.

Is there value to a third forest? Or should domains with one-way trusts for each environment be used instead?

You can get by with one AD forest, with dev OU and User Acceptance Testing OU, where you could apply test GPO at those levels, versus having to maintain, patch, admin two or three separate AD

When considering the typical Development, Test or QA, and Production environments of an application (say a custom web app), should there be a separate AD forest for each one? Or should there be a dev and a production forest? Or just a production AD forest?

Running test and production systems/applications in different AD forests is a recommendation and not a must.

You can run everything in the same Domain / Forest.
However, you need to:

• Have a different domain for the test environment if you do not want to create test accounts in your production domain
• Have a different forest if you would like to test using custom attributes or make changes that get replicated to all domains within your forest

That is why it is recommended to have a domain in a different forest :)

Is there value to a third forest? Or should domains with one-way trusts for each environment be used instead?

You can keep that way as long as long as this is not problematic for you. Usually, I put DEV and test environments in the same AD forest and keep the production in its own forest.

Hi Darrell,

How is it going? If you need further discussions regarding this question, please don't hesitate to let us know.

Best regards,
Frank Shen