I was in a meeting this afternoon, where someone proposed a security solution which could basically be summed up as: "Let's build a new forest, and move all the users and resources into it." Most everyone around the table started shaking their heads in agreement...after all, the forest is the Active Directory security boundary, and if the one you've got isn't working then get a new one, right? Well, unfortunately...being the guy who would have to design it, implement it, and work with the operations teams to support it...I had to ask the question... Why do we need a new forest?
The answer really surprised me, not because of the bold technical genius behind it, but because of its stark simplicity. I was told that our existing production forest was "too dirty, and couldn't be cleaned." Heck, who can argue with THAT! If your forest is dirty, then it makes even more sense that you would toss it out, run down to the local "Active Directory SuperStore" and pick up a new one. I was thinking we should get a six-pack, just so we had some spares.
In all seriousness though, I think the dumbfounded look on my face actually offended some people. After all, I knew what he intended. The idea was that it was going to take a lot of work to understand the existing settings and how they would need to be changed to accommodate the new business requirements, workflows, etc... The problem was that they didn't want to see whether the cost required for the new forest solution was more or less than "cleaning" out our existing forest, or for that matter even figuring out what the new configuration should be...therefore..."dirty."
So the moral of this story is, if you want to promote an idea or solution, claiming that the "data is dirty" may just be your ticket to success... At least if you can walk out before someone asks you what that means. 🙂