I currently have an Active Directory that has several child domains (consisting of nothing other than a DC and bespoke application servers) set up for testing our CRM software. As some of it is date/time sensitive, these have been set to dates in the future at some point in the past, which is causing replication errors. I'm working on getting rid of these child domains, but still have a requirement for our testers to be able to time shift.
Does anyone know of any solutions that would allow our test environments to have their time changed (always forward), without affecting the production Active Directory? Is it as simple as creating a separate forest on the same LAN, or would that interfere with my production forest?
Thanks for any advice.
Given that replication relies on timestamps, there IS NO WAY TO DO THAT. Whoever set that up should have read "Active Directory for Beginners" first. Your only good choice is to totally isolate the subdomains into their own independent forests - then they can individually jump in time as they see fit.
Exiling them into their own forest is about your only hope here. If you set up trusts between the forests you can still access things on either side, and time-sync is less important there. For one, you're no longer doing any kind of global-catalog replication to time-variable domains.
But it is a fundamental requirement of AD forests that all servers agree on a universal time. Time-shifting MIGHT be possible if you expend the effort to create your very own customized time-zones which define a distance from Universal Coordinated Time that the users need. I've never done that, nor do I know if offsets greater than 24 hours are even possible. But if it is, that's the only way to keep such a large offset in your forest.
I second TomTom. Time is important to Active Directory. You can have multiple domains on a single subnet/network/LAN. It's probably your best bet, or make whatever application server you have be a standalone server off any domain.
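
An added example, not part of any post above: before retiring the time-shifted child domains, it helps to see which domain controllers in the forest actually disagree on time. This PowerShell measures each DC's clock offset against the machine it runs on. It assumes the RSAT ActiveDirectory module is installed, the local clock is correct, and `w32tm` prints offsets in its usual `+00.0012345s` form; the function name `Get-ForestClockOffset` is hypothetical, and the 300-second default is the standard Kerberos clock-skew tolerance.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the thread): list every DC in the forest with its
# clock offset relative to this machine and flag those outside tolerance.

function Get-ForestClockOffset {
    param(
        # Assumption: 300 s, the default Kerberos maximum clock skew
        [double]$MaxSkewSeconds = 300
    )

    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) {
        try {
            $dcs = Get-ADDomainController -Filter * -Server $domain -ErrorAction Stop
        } catch {
            # A badly skewed domain may refuse authentication; report and move on
            Write-Warning "Cannot enumerate DCs in ${domain}: $($_.Exception.Message)"
            continue
        }
        foreach ($dc in $dcs) {
            # One NTP sample; /dataonly prints lines such as "12:00:00, +00.0012345s"
            $out = & w32tm.exe /stripchart "/computer:$($dc.HostName)" /samples:1 /dataonly 2>&1
            $m = [regex]::Match(($out -join "`n"), '([+-]\d+[.,]\d+)s')
            if (-not $m.Success) {
                [pscustomobject]@{
                    Domain = $domain; DC = $dc.HostName
                    OffsetSeconds = $null; Status = 'NoResponse'
                }
                continue
            }
            # Normalise a possible decimal comma before parsing
            $offset = [double]::Parse($m.Groups[1].Value.Replace(',', '.'),
                                      [cultureinfo]::InvariantCulture)
            [pscustomobject]@{
                Domain        = $domain
                DC            = $dc.HostName
                OffsetSeconds = [math]::Round($offset, 3)
                Status        = if ([math]::Abs($offset) -gt $MaxSkewSeconds) { 'OutOfSync' } else { 'OK' }
            }
        }
    }
}

Get-ForestClockOffset | Format-Table -AutoSize
```

DCs reported as `OutOfSync`, and domains that could not be enumerated at all, are the ones to move into their own forest or decommission.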