
When your data is dirty, just start over...

I was in a meeting this afternoon, where someone proposed a security solution which could basically be summed up as:  "Let's build a new forest, and move all the users and resources into it."  Most everyone around the table started shaking their heads in agreement...after all, the forest is the Active Directory security boundary and if the one you've got isn't working then get a new one right?  Well, unfortunately...being the guy who would have to design, implement it, and work with the operations teams to support it...I had to ask the question... Why do we need a new forest?

The answer really surprised me, not because of the bold technical genius behind it, but because of its stark simplicity.  I was told that our existing production forest was "too dirty, and couldn't be cleaned."  Heck, who can argue with THAT!  If your forest is dirty, then that makes even more sense that you would toss it out, run down to the local "Active Directory SuperStore" and pick up a new one.  I was thinking we should get a six-pack, just so we had some spares.

In all seriousness though, I think the dumbfounded look on my face actually offended some people.  After all, I knew what he intended.  The idea was that it was going to take a lot of work to understand the existing settings and how they would need to be changed to accommodate the new business requirements, workflows, etc...  The problem was that they didn't want to see whether the cost required for the new forest solution was more or less than "cleaning" out our existing forest, or for that matter even figuring out what the new configuration should be...therefore..."dirty"

So the moral of this story is, if you want to promote an idea or solution, claiming that the "data is dirty" may just be your ticket to success...  At least if you can walk out before someone asks you what that means.  :)

Published Thursday, October 20, 2005 11:04 PM by bpuhl

Comments

# re: When your data is dirty, just start over...

Friday, October 21, 2005 2:33 PM by Gil
I usually throw my clothes out when they get dirty, so I don't see what the problem is...

The problem of course is that the magnitude of cleaning the "dirt" is unconfrontable, so it seems easier to start over. There is no equivalent of a washing machine in the AD world. Wouldn't that be cool? Large load, warm wash, cool rinse, EXTRA BLEACH! Whiter whites and brighter brights! Your DACLs are as clean as the day they were propagated!

Maybe it's not so far-fetched, if we could just codify what constitutes "dirt". Good luck with that.

-gil

# re: When your data is dirty, just start over...

Friday, October 21, 2005 2:37 PM by Al
I think I took this to be a little different than just a matter of perms. I think there was also the issue of settings that have been made over the years. Something like plaque build-up.

It just strikes me that the people that suggested it didn't have an idea about the level of effort required to create new. Old = figure out how things should be set and make it that way. New = figure out how things should be set, build it, and then make it that way.

Interesting style of writing though Brian. Looking forward to more. Maybe that garage door operator of Bldg 7 could start a blog as well. Might be worth reading. ;)

-ajm

# re: When your data is dirty, just start over...

Friday, October 21, 2005 3:08 PM by GF
I think the moral of the story is the fact the real problem has to do with OPERATIONS (or lack thereof) and the "dirty" AD is a symptom of the problem. I guarantee if a new Forest was implemented, you'd be back in the same situation within 18 - 24 months.

# re: When your data is dirty, just start over...

Friday, October 21, 2005 10:02 PM by dg
You hit the nail on the head, GF. If you cannot correct the reason AD became dirty in the first place, then it is just a matter of time before it happens again. But once you are compromised, the only sure way is to start over.

# re: When your data is dirty, just start over...

Wednesday, October 26, 2005 6:57 AM by J
These were probably the same people that suggest a "nuke 'n pave" of the OS as a first step towards system problems...

# re: When your data is dirty, just start over...

Friday, November 04, 2005 4:07 PM by wkasdo
I encounter this all the time at customers. It's a mess, so start over. They forget that they NEED TO CLEANUP ANYWAY. Permissions all wrong? Obsolete accounts? Strange policies?

Sort it out, and see what the quickest solution is. Unless your AD is totally hosed I bet it is cheaper to keep the old one.

This 'cleanup' argument is purely emotional. It's like buying a new car, a nice fuzzy feeling of a job well done. That's not a business argument though.
