I was in a meeting this afternoon where someone proposed a security solution which could basically be summed up as: "Let's build a new forest, and move all the users and resources into it." Most everyone around the table started nodding in agreement...after all, the forest is the Active Directory security boundary, and if the one you've got isn't working then get a new one, right? Well, unfortunately...being the guy who would have to design it, implement it, and work with the operations teams to support it...I had to ask the question... Why do we need a new forest?
The answer really surprised me, not because of the bold technical genius behind it, but because of its stark simplicity. I was told that our existing production forest was "too dirty, and couldn't be cleaned." Heck, who can argue with THAT! If your forest is dirty, then it makes even more sense that you would toss it out, run down to the local "Active Directory SuperStore" and pick up a new one. I was thinking we should get a six-pack, just so we had some spares.
In all seriousness though, I think the dumbfounded look on my face actually offended some people. After all, I knew what he intended. The idea was that it was going to take a lot of work to understand the existing settings and how they would need to be changed to accommodate the new business requirements, workflows, etc. The problem was that they didn't want to see whether the cost of the new forest solution was more or less than the cost of "cleaning" out our existing forest, or for that matter even figuring out what the new configuration should be...therefore..."dirty".
So the moral of this story is, if you want to promote an idea or solution, claiming that the "data is dirty" may just be your ticket to success... At least if you can walk out before someone asks you what that means. :)
I usually throw my clothes out when they get dirty, so I don't see what the problem is...
The problem of course is that the magnitude of cleaning the "dirt" is unconfrontable, so it seems easier to start over. There is no equivalent of a washing machine in the AD world. Wouldn't that be cool? Large load, warm wash, cool rinse, EXTRA BLEACH! Whiter whites and brighter brights! Your DACLs are as clean as the day they were propagated!
Maybe it's not so far-fetched, if we could just codify what constitutes "dirt". Good luck with that.
I think I took this to be a little different than just a matter of perms. I think there was also the issue of settings that have been made over the years. Something like plaque build-up.
It just strikes me that the people that suggested it didn't have an idea about the level of effort required to create new. Old = figure out how things should be set and make it that way. New = figure out how things should be set, build it, and then make it that way.
Interesting style of writing though Brian. Looking forward to more. Maybe that garage door operator of Bldg 7 could start a blog as well. Might be worth reading. ;)
I think the moral of the story is the fact that the real problem has to do with OPERATIONS (or lack thereof) and the "dirty" AD is a symptom of the problem. I guarantee if a new Forest was implemented, you'd be back in the same situation within 18 - 24 months.
You hit the nail on the head, GF. If you cannot correct the reason AD became dirty in the first place, then it is just a matter of time before it happens again. But once you are compromised, the only sure way is to start over.
These were probably the same people that suggest a "nuke 'n pave" of the OS as a first step towards system problems...
I encounter this all the time at customers. It's a mess, so start over. They forget that they NEED TO CLEANUP ANYWAY. Permissions all wrong? Obsolete accounts? Strange policies?
Sort it out, and see what the quickest solution is. Unless your AD is totally hosed I bet it is cheaper to keep the old one.
This 'cleanup' argument is purely emotional. It's like buying a new car, a nice fuzzy feeling of a job well done. That's not a business argument though.
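The comments above ask for a definition of "dirt" and list the usual suspects: wrong permissions, obsolete accounts, strange policies. As an added example (not code from the post or from any commenter), here is a first-pass inventory script that turns those three questions into something you can run against the existing forest before anyone prices a new one. It assumes the RSAT ActiveDirectory and GroupPolicy modules, read access to the domain, a 180-day inactivity threshold, and a short list of trustees you expect to see on OU ACLs; all of those are assumptions to tune for your environment.

```powershell
# Added example, not from the original post: inventory three kinds of AD "dirt"
# (stale accounts, explicit OU permissions, unlinked GPOs) so the cleanup cost can be
# estimated instead of guessed at. Thresholds and the known-good trustee list are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$StaleAfter = New-TimeSpan -Days 180            # assumption: 180 days without a logon = stale
$KnownGood  = @('NT AUTHORITY\SYSTEM',           # assumption: trustees you expect on every OU
                'NT AUTHORITY\SELF',
                'CREATOR OWNER',
                'BUILTIN\Administrators',
                "$env:USERDOMAIN\Domain Admins",
                "$env:USERDOMAIN\Enterprise Admins")

# 1. Obsolete accounts: users and computers that are still enabled but have not
#    authenticated within $StaleAfter. Disabled accounts are already "cleaned" and skipped.
$stale = @(Search-ADAccount -AccountInactive -TimeSpan $StaleAfter |
    Where-Object { $_.Enabled } |
    Select-Object Name, ObjectClass, LastLogonDate, DistinguishedName)

# 2. Permissions: explicit (non-inherited) Allow ACEs on each OU whose trustee is not on the
#    known-good list. Inherited ACEs come from the domain head and are reviewed there instead;
#    the one-off grants nobody remembers are the ones that show up here.
$oddAces = @(foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if (-not $ace.IsInherited -and
            $ace.AccessControlType -eq 'Allow' -and
            $KnownGood -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                OU      = $ou.DistinguishedName
                Trustee = $ace.IdentityReference.Value
                Rights  = $ace.ActiveDirectoryRights
            }
        }
    }
})

# 3. Policies: GPOs that exist but are linked to no site, domain or OU. The XML report's
#    LinksTo element is absent when a GPO is unlinked.
$unlinkedGpos = @(Get-GPO -All | Where-Object {
    $report = [xml](Get-GPOReport -Guid $_.Id -ReportType Xml)
    -not $report.GPO.LinksTo
})

# Summary on screen, details to CSV so the numbers can be attached to a cost estimate.
"Stale enabled accounts : $($stale.Count)"
"Explicit OU ACEs       : $($oddAces.Count)"
"Unlinked GPOs          : $($unlinkedGpos.Count)"

$stale        | Export-Csv -NoTypeInformation -Path stale-accounts.csv
$oddAces      | Export-Csv -NoTypeInformation -Path explicit-ou-aces.csv
$unlinkedGpos | Select-Object DisplayName, Id, ModificationTime |
    Export-Csv -NoTypeInformation -Path unlinked-gpos.csv
```

Run it as an account with read access to the domain; nothing here modifies AD. The three CSVs are the raw material for the comparison the post says nobody wanted to make: each row is one item that would have to be either fixed in place or re-created correctly in a new forest, and the second option never makes the row disappear.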