Score:0

How to safely make changes to AD


I'm working on learning some Sys Admin functions and configuring AD. It's occurred to me that in a live/hot environment, how do sys admins apply changes to the AD server(s) without hosing the live environment?

For example, say I have 2 AD servers in sync on my domain, and say I want to make a change to AD. My immediate example would be adding an attribute, but that might not be a great example. A better example might be simply applying Windows Updates, which can sometimes have a negative effect on a system.

Bottom line is, it seems nearly impossible to go back to a snapshot or backup of AD if something goes very wrong, especially in a live environment (i.e., your change causes an outage, as does any kind of restore). I have heard that some orgs use a second domain (which acts as a test system for AD) to do this kind of thing... or maybe "taking it down" for this kind of maintenance is the way? Maybe I'm overcomplicating this, but I also see the need to be very careful...

Score:0

You just have to be careful.

This is why changes are often made to a testing environment to confirm they work, and then sensible change management processes are used to implement the change. There are normally reviews of the change, backup/rollback plans, and risk assessments if the change affects a live service.

testing in prod
