My organization currently has several independent forests, with a single domain per forest, and no trusts in between. We struggle with environmental fidelity because the environments (e.g. test, integration, production) are not used in the desired fashion. Most units have their test/int systems bound to, and authenticating against, production AD.
I find myself at a crossroads in order to better prepare our AD environment for regression testing against major changes, such as upgrades that would impact domain/forest functional levels.
From my perspective, we have two, SUPER high level options:
- Take systems that are bound to production, which should be bound to test or integration, and bind them to the respective AD environments. The biggest downsides I have observed so far are impact to applications and user experience, since most of our apps utilize Kerberos authentication. We've considered provisioning terminal servers in these domains for application testing and interaction, but that's not popular from an end user standpoint. While this is the path of least technical implementation, it probably wouldn't be worth the effort, necessarily.
- Build out an entirely new domain infrastructure, where we build a new parent domain and move towards subdomains. This is the heaviest technical lift of the two options, but IMO the best long term technical approach.
Curious if others can point me to information or provide some guidance on how best we could achieve our goal, with the setup we have. Also, do we have the ability to effectively test our changes (e.g. upgrade Domain Controllers from 2012R2 - 2016/2019, raise relevant functional levels) incrementally, if we go the subdomain aspect?
Appreciate any assistance you can all provide - thanks.
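A starting point for the incremental-testing question above, as an added example that is not part of the original post: a PowerShell check that inventories each forest's domains, functional levels and domain controller operating systems, so you can see which domains can actually be raised (a functional level can never exceed the OS of the oldest DC in that domain). The forest names and the minimum-OS pattern are placeholders for the poster's environment; it assumes the ActiveDirectory module and read access to each forest.

```powershell
# Added example (not from the original post): report per-forest/per-domain
# functional levels and flag DCs that would block raising the level.
# Assumes the ActiveDirectory module and read access to every forest listed.
Import-Module ActiveDirectory

# Placeholder forest names; replace with the real forest FQDNs.
$Forests = @('test.example', 'int.example', 'prod.example')

function Get-ForestUpgradeReadiness {
    param(
        [Parameter(Mandatory)] [string] $ForestName,
        # Every DC must match this OS pattern before the domain can be raised
        # to the Windows2016 level. There is no separate Server 2019 level:
        # 2019 (and 2022) DCs run at the Windows2016 functional level.
        [string] $RequiredOsPattern = 'Windows Server (2016|2019|2022)'
    )
    $forest = Get-ADForest -Identity $ForestName
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        # Query the domain's own DCs rather than the caller's default domain.
        $dcs = @(Get-ADDomainController -Filter * -Server $domainName)
        $blocking = @($dcs | Where-Object { $_.OperatingSystem -notmatch $RequiredOsPattern })
        [pscustomobject]@{
            Forest       = $forest.Name
            ForestMode   = $forest.ForestMode
            Domain       = $domain.DNSRoot
            DomainMode   = $domain.DomainMode
            DcCount      = $dcs.Count
            # DCs still on an older OS (e.g. 2012 R2) that must be upgraded
            # or demoted first; empty when the domain is ready.
            BlockingDcs  = ($blocking | ForEach-Object { "$($_.Name) [$($_.OperatingSystem)]" }) -join ', '
            ReadyToRaise = ($blocking.Count -eq 0)
        }
    }
}

# Run the inventory across all forests and show it as one table; doing this
# in the test/int forests first is the "incremental" dry run for production.
$report = foreach ($f in $Forests) { Get-ForestUpgradeReadiness -ForestName $f }
$report | Format-Table -AutoSize
```

Once a domain shows ReadyToRaise = True, the actual change is Set-ADDomainMode / Set-ADForestMode, which you would trial in the test forest before touching the others.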