• When your data is dirty, just start over...

    I was in a meeting this afternoon, where someone proposed a security solution which could basically be summed up as:  "Let's build a new forest, and move all the users and resources into it."  Most everyone around the table started shaking their heads in agreement...after all, the forest is the Active Directory security boundary and if the one you've got isn't working then get a new one right?  Well, unfortunately...being the guy who would have to design, implement it, and work with the operations teams to support it...I had to ask the question... Why do we need a new forest?

    The answer really surprised me, not because of the bold technical genius behind it, but because of its stark simplicity.  I was told that our existing production forest was "too dirty, and couldn't be cleaned."  Heck, who can argue with THAT!  If your forest is dirty, then that makes even more sense that you would toss it out, run down to the local "Active Directory SuperStore" and pick up a new one.  I was thinking we should get a six-pack, just so we had some spares.

    In all seriousness though, I think the dumbfounded look on my face actually offended some people.  After all, I knew what he intended.  The idea was that it was going to take a lot of work to understand the existing settings and how they would need to be changed to accommodate the new business requirements, workflows, etc...  The problem was that they didn't want to see whether the cost required for the new forest solution was more or less than "cleaning" out our existing forest, or for that matter even figuring out what the new configuration should be...therefore..."dirty"

    So the moral of this story is, if you want to promote an idea or solution, claiming that the "data is dirty" may just be your ticket to success...  At least if you can walk out before someone asks you what that means.  :)
  • First blog...

    First post, so here's a brief intro.

    My name is Brian Puhl, and I'm a Sr. Systems Engineer in Microsoft IT responsible for our internal deployment of Active Directory.  Lately I've also been spending quite a bit of time deploying our instance of ADFS (Active Directory Federation Services) which will be released with Server 2003 R2 in a few months.  I've worked in MSIT for 4 years, the entire time on the core infrastructure team focused mainly on supporting our AD, DNS, DHCP, and WINS deployments through the upgrades from Windows 2000 to Server 2003, and am now working on the R2 and Longhorn releases.

    In addition to being an engineer responsible for our internal environment, I also spend quite a bit of time talking to customers about "How Microsoft IT does...(fill in the blank)".  Some of this is done through presentations at conferences, and other times it's during a monthly customer conference call that I host with some of the other engineers on my team.  Because many of the questions are often repeated from multiple customers, I'm hoping to answer some of them in this blog, as well as throw out some hints/tips/tricks that we've learned along the way.

    ~Brian