Active Directory Sandbox Best Practices/Requirements

I’ll throw a few things I’ve seen over the years in here:

  • Having a non-production domain that mirrors a very similar setup to your production AD domain is a very nice-to-have. You can typically perform very robust testing in that non-production domain, which is crucial when it comes to testing account creation, attribute sync, etc.
  • Mirroring the structure is very important when you stand up the non-prod domain. I would probably do an initial migration of account and group objects so you have a good starting point and can test things like correlation of existing accounts to identities in your non-prod IDN tenant, and have some birthright groups to test with roles, etc… I would actually not suggest refreshing periodically from your Prod domain unless you see specific reasons to do so. In my opinion you do not want some periodic Prod refresh overwriting data in your non-prod domain, causing issues with testing or causing IDN to react every time that happens by re-provisioning attribute values or whatever the case may be.
  • One challenge I’ve run into over the years is having a non-production Hybrid Exchange/Azure environment to go along with your non-production on-prem AD domain. If hybrid mailbox creation is in your scope, having this is amazing, as testing this against a production environment from a non-production IDN tenant can be super tedious. A lot of orgs don’t have the money or infrastructure to always support this though, and it can be a lot to stand up just for IDN purposes.
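As an added example that is not part of the post above, here is a PowerShell sketch of the one-time initial migration it recommends: it mirrors the OU tree, copies users with only the attributes an IDN correlation/provisioning test needs, and recreates groups with their membership in the non-prod domain, rewriting DNs for the new domain suffix. It assumes the ActiveDirectory module, rights in both domains, and the hypothetical server names and domain DNs shown; no password hashes or other secrets are copied out of prod.

```powershell
# Added example (not the original post's code): one-time seed of a non-prod AD domain from prod.
# All server names and domain DNs below are hypothetical placeholders; adjust to your environment.
Import-Module ActiveDirectory
$ProdDC   = 'dc01.corp.example.com'    # hypothetical prod domain controller
$LabDC    = 'dc01.lab.example.com'     # hypothetical non-prod domain controller
$ProdBase = 'DC=corp,DC=example,DC=com'
$LabBase  = 'DC=lab,DC=example,DC=com'
$LabUpn   = '@lab.example.com'

# Rewrite a prod DN so the object lands in the same OU path in the lab domain.
function Convert-DN([string]$dn) { $dn -replace ([regex]::Escape($ProdBase) + '$'), $LabBase }
# Parent container of a DN (note: does not handle escaped commas inside a CN).
function Get-ParentDN([string]$dn) { ($dn -split ',', 2)[1] }

# 1. Mirror the OU tree, parents before children (shorter DNs first).
Get-ADOrganizationalUnit -Server $ProdDC -Filter * -SearchBase $ProdBase |
  Sort-Object { $_.DistinguishedName.Length } | ForEach-Object {
    $ou = $_; $target = Convert-DN $ou.DistinguishedName
    try { Get-ADOrganizationalUnit -Server $LabDC -Identity $target | Out-Null }
    catch { New-ADOrganizationalUnit -Server $LabDC -Name $ou.Name -Path (Get-ParentDN $target) }
  }

# 2. Copy users with only the attributes IDN correlation/provisioning tests need.
#    Built-in/system accounts are skipped; no password hashes or secrets leave prod,
#    each lab account gets a throwaway random password instead.
$attrs = 'GivenName','Surname','DisplayName','Department','Title','EmployeeID','EmailAddress'
Get-ADUser -Server $ProdDC -Filter * -SearchBase $ProdBase -Properties ($attrs + 'isCriticalSystemObject') |
  Where-Object { -not $_.isCriticalSystemObject } | ForEach-Object {
    $pw  = ConvertTo-SecureString ([guid]::NewGuid().ToString('N') + 'Aa1!') -AsPlainText -Force
    $new = @{ Name = $_.Name; SamAccountName = $_.SamAccountName; Enabled = $_.Enabled
              UserPrincipalName = $_.SamAccountName + $LabUpn; AccountPassword = $pw
              Path = Convert-DN (Get-ParentDN $_.DistinguishedName); Server = $LabDC }
    foreach ($a in $attrs) { if ($_.$a) { $new[$a] = $_.$a } }
    New-ADUser @new
  }

# 3. Copy groups first, then their membership (users and nested groups) by SamAccountName.
$groups = Get-ADGroup -Server $ProdDC -Filter * -SearchBase $ProdBase -Properties isCriticalSystemObject |
  Where-Object { -not $_.isCriticalSystemObject }
foreach ($g in $groups) {
  New-ADGroup -Server $LabDC -Name $g.Name -SamAccountName $g.SamAccountName -GroupScope $g.GroupScope `
    -GroupCategory $g.GroupCategory -Path (Convert-DN (Get-ParentDN $g.DistinguishedName))
}
foreach ($g in $groups) {
  $members = Get-ADGroupMember -Server $ProdDC -Identity $g.DistinguishedName |
    Where-Object { $_.objectClass -in 'user','group' } | Select-Object -ExpandProperty SamAccountName
  if ($members) { Add-ADGroupMember -Server $LabDC -Identity $g.SamAccountName -Members $members }
}
```

Run it once to seed the sandbox and then let IDN own the non-prod data, in line with the advice above against periodic prod refreshes.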