
Active Directory And Cloud Architect/consultant Resume


NYC, New York

SUMMARY:

  • Active Directory and cloud solution architect, designing, engineering and managing Active Directory structures ever since AD's initial RTM. Riding at the forefront of technology development in my chosen field, I have designed solutions for challenges from the different stages of AD development.
  • I have designed AD services from the ground up in varying sizes, from branch office structures with hundreds of local offices scattered all over the world to that of a single large campus, all invariably with the utmost efficiency.
  • I have extensive experience in designing solutions for system consolidation in mergers and acquisitions, system restructuring and administrative model changes, leveraging both MS ADMT and third-party migration tools. Following Microsoft recommendations, I have designed ESAE tiered privileged access control (red forest) structures for several companies.
  • As Active Directory extends to the cloud, I have been exposed more and more to designing solutions around Azure AD and AD FS to provide SaaS applications and MS online services such as Office 365 with SSO and MFA, as well as solutions for external collaboration with Azure AD B2B and B2C. I design Azure AD Connect to provide hybrid identity and access management, balancing security with enhanced collaboration.
  • Last but not least, I want to mention PKI.
  • I have designed and implemented AD CS based PKI, managed PKI and hybrid PKI in two or three tiers, always staying current with advances in the technology.
  • Azure Active Directory and Office 365
  • Azure Active Directory Connect design and implementation
  • Identity and access management between on-premises and cloud directories
  • Federation with ADFS and Azure AD design and implementation
  • Azure AD Pass-through Authentication and SSO implementation
  • Azure AD Multifactor Authentication design and implementation
  • Azure AD B2B and B2C design and implementation
  • Active Directory Federation Service
  • ADFS 2.X and 3.0 architecture and design, standalone or in a farm
  • Management of federation trusts with external partners as well as applications in Azure
  • Creating relying party trust and claims provider trust
  • Creating claim rules for relying party trusts in accordance with the requirements of the applications
  • Active Directory Certificate Service
  • Two tier and three tier PKI design
  • CA system architect in a global environment with high availability
  • CA system security design with the tiers and HSM
  • Strategies for CRL and OCSP
  • Integration with managed PKI from other vendors
  • Windows Server Active Directory Domain Service:
  • Global AD forest design
  • Enterprise identity management solution design
  • AD forest consolidations, cross-forest collaboration, AD LDS structure design and implementation, and Active Directory Federation Services design and engineering; planning and designing AD namespace structure, integrating AD name resolution into a heterogeneous computing environment;
  • AD physical structure design, integrating Microsoft services with existing systems such as AD-integrated DNS with BIND DNS, QIP and CNR, and integrating Unix/Linux with Services for Unix;
  • Global site and subnet structure design with considerations for inter-site AD partition replication and FRS replication, FSMO and Global Catalog role placement;
  • RODC placement and strategies
  • Windows 2012 R2 features such as the strategy to move to managed service accounts, implementation of the AD Recycle Bin, GPP and FGPP
  • Detailed process of AD consolidation and migration planning and management;
  • Scripting in VB and PowerShell with ADSI, WMI, etc.
  • GPO structure design to define security boundaries and design GPP structure
  • AD security structure leveraging security groups, RMS and PKI; underlying security protocols such as Kerberos V and NTLM
  • LDAP partitions, search filter, LDIF format, AD implementation of LDAP vs OpenLDAP
  • ADAM/AD LDS and AD FS solutions for applications
  • Designing DCs on Server Core: solutions and processes
  • Microsoft Exchange 2003/2007
  • Exchange organization in multiple forest environment
  • Messaging consolidation in merger situation
  • Exchange 2003 administrative and routing group management in distributed and centralized environments
  • Exchange 2007 enterprise system design with server roles and the underlying AD site topology
  • Exchange DR strategy with EMC Replication Manager
  • Using Recovery Storage Group to recover data
  • Email archiving with third party systems such as SourceOne
  • VMware vSphere Virtual Infrastructure with ESX 2.5 to 5.0: strategically designing data center virtualization with VMware Virtual Infrastructure and Virtual Center, Virtual Center Server Appliance implementation, designing VM deployment strategy with datastore and template automation for all Windows versions and Linux, ESX 3.X and vMotion, strategically leveraging SAN and server blade technology across data centers globally with HP DL, c-Class blades and IBM Blade.
  • Microsoft Virtual Server Manager and Hyper-V technology, MS Hyper-V on Windows Server 2008/2012 Server Core, implementing server consolidation using Hyper-V, leveraging 2012 features such as Shared-Nothing Live Migration and Live Storage Migration
  • Tuning VMs with features such as Runtime Memory Configuration, Generic Routing Encapsulation
  • Server hardware: engineered and standardized HP DL series servers G2-G8 and HP BL c-series blades and chassis;
  • Standardized server hardware configurations of HP hardware devices such as MSA, as well as those of the HP DL and BL models; streamlined the server hardware provisioning process;
  • Server OS provisioning: developed an automated server provisioning procedure for Microsoft OS, leveraging WinPE, HP server build utilities, sysprep and unattended OS installation; the process makes server OS deployment fully automated with the desired patch level, agents and client software required for server management; the process is CD and DVD based;
  • Server monitoring: designed global enterprise MOM 2005 and SCOM 2007 systems in multi-management group structure, with clustered RMS, clustered SQL backend, strategically located management servers and gateway servers; leveraging multi-homed agents and a DR environment for a true fault-tolerance, designed SCOM reporting service and the data warehouse, designed the server auditing system built in the same SCOM systems, all benefiting the same fault-tolerance mechanism, leveraging log shipping or database replication;
  • EMC CLARiiON CX3 and CX500 SAN storage management with Navisphere and CLI
  • Replications with EMC Replication Manager
  • Architecting SnapView snapshots and clones, SAN Copy and MirrorView among arrays
  • Configuring and architecting fabrics of Brocade and McDATA switches, zoning and licensing
  • Configuring FCIP routing with fabric domains, LSANs, virtual ports and EX/VEX ports
  • IBM FastT Storage
  • Celerra NAS
  • iSCSI target and initiator configuration and implementation
  • Architecting server backup and recovery with Networker backup and Quantum library system
  • Linux, Red Hat and other flavours
  • Red Hat Enterprise Server 4 and 5,
  • Kickstart server deployment; configuring server services such as NFS, SMB, SFTP, SSH and NTP; implementing Kerberos V5 authentication against the AD Kerberos realm; setting up a YUM server and automatic updates; using Linux as the host for VMware Server; BIND 9 DNS; Cisco Network Registrar; configuring Linux components such as network, local security and firewall with iptables or ipchains, mounting devices, workstation features under KDE or GNOME, working with X and redirecting displays, compiling the kernel for drivers that need kernel recompilation.
  • Likewise Enterprise system design and support
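For the AD FS relying party trust and claim rule items in the skills list above, the following is an added example and not the author's own code: it registers a relying party trust and attaches an issuance transform rule set plus an issuance authorization rule that only admits members of one AD group, matched by SID rather than by name. The display name, identifier, WS-Federation endpoint and group name are assumptions.

```powershell
# Added example (not from the resume): register a relying party trust in AD FS
# and attach issuance transform and authorization claim rules for it.
# Display name, identifier, endpoint and the AD group are assumptions.
Import-Module ADFS
Import-Module ActiveDirectory

$rpName   = 'Contoso Payroll'                          # assumed
$rpId     = 'https://payroll.contoso.example/'          # assumed RP identifier (realm)
$endpoint = 'https://payroll.contoso.example/wsfed'     # assumed WS-Fed endpoint
$group    = 'Payroll-Users'                             # assumed AD group (sAMAccountName)

# Resolve the group SID once so the authorization rule matches on a fixed
# value rather than a display name that could be renamed or re-created.
$groupSid = (Get-ADGroup -Identity $group).SID.Value

# Transform rules: issue UPN and e-mail from AD, and pass group SIDs through.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN and mail from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";userPrincipalName,mail;{0}", param = c.Value);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through group SIDs"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"]
 => issue(claim = c);
'@

# Authorization rule: only members of the group get a token for this RP.
# AD FS denies everyone unless some rule issues a permit claim.
$authzRules = @"
@RuleName = "Permit members of $group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

Add-AdfsRelyingPartyTrust -Name $rpName -Identifier $rpId -WSFedEndpoint $endpoint `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules

# Verify what AD FS actually stored for this trust.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, IssuanceAuthorizationRules, IssuanceTransformRules
```

The group SID claims only reach the relying party rules if the Active Directory claims provider trust passes them through (its default acceptance rules do). On Windows Server 2016 and later, access control policies are the preferred replacement for issuance authorization rules, but the rule-language form above is what ADFS 2.x and 3.0 use.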

EMPLOYMENT HISTORY:

Confidential, NYC, New York

Active Directory and Cloud Architect/Consultant

Responsibilities:

  • Implement and streamline the Azure AD Connect design with password hash sync and write-back. Assessing the use of Pass-through Authentication with Seamless SSO for the organization.
  • Design and implement cloud and on-premises MFA and conditional access.
  • Design and manage ARM templates with PowerShell and JSON. Review and redesign PKI.
  • Review and streamline on-premises AD operation.
  • Working with Microsoft, design the ESAE environment for the organization.
  • Review and implement smart card infrastructure for NIST compliance; design and review the Confidential PKI based on AD CS and the integration of Symantec Managed PKI into Confidential in a hybrid mode; review the design of the ESAE Red Forest and its implementation strategy; review and investigate the Azure AD structure for Confidential US external identity and access management as part of a larger Azure cloud initiative, leveraging Azure AD Premium features such as Pass-through Authentication and domain-joined SSO, and strategies for migrating external identities to Azure AD B2B.
  • Designed the detailed step by step consolidation plan; prepared the Confidential AD physical and logical structures for the migration.
  • Integrating identity management into FIM as part of the system consolidation
  • Redesigning the entire AD physical structure, strategically re-invigorating a static DNS naming arrangement for AD on the BIND-based Infoblox appliance, which was full of stale and downright incorrect SRV records; controlled DDNS was enabled and stale records were eliminated without interruption to AD operation; optimized the AD site topology to a multi-hub/spoke structure with all connection objects automatically calculated by the KCC;
  • Restructuring AD logical structure; tightened and optimized AD security; designed new security model with different elevations of privileges; streamlined OU structure and group policy structure;
  • Upgrading AD from FFL2/DFL2 to FFL4/DFL4; leveraged new features this functional level offers;
  • Implemented Enterprise DFS structure with multiple namespaces and strategically scheduled global replications; implemented PKI which leverages MS AD CA and commercial certificate vendors; Implemented a Likewise Enterprise infrastructure.
  • Investigating AD and directory management tools; designed the architecture of an enterprise ActiveRoles Server system which is scalable, redundant and completely free of single points of failure.
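The stale SRV record cleanup described in this engagement is the kind of check worth scripting before a DNS cutover. The following is an added example, not the author's code: it compares the forest-wide `_msdcs` SRV records that clients use to locate domain controllers against the DCs that AD itself knows about, and reports both stale targets (records pointing at hosts that are no longer DCs) and unregistered DCs. It queries with Resolve-DnsName so it works against BIND or Infoblox as well as Windows DNS; the DNS server name is an assumption.

```powershell
# Added example (not from the resume): find stale and missing DC locator SRV
# records by comparing DNS with the list of DCs held in Active Directory.
# The DNS server name is an assumption; the forest name is read from AD.
Import-Module ActiveDirectory

$dnsServer = 'ns1.corp.contoso.example'    # assumed; Windows DNS or BIND/Infoblox
$forest    = (Get-ADForest).RootDomain

# Ground truth: every DC in every domain of the forest, as AD itself knows them.
$liveDCs = foreach ($domain in (Get-ADForest).Domains) {
    (Get-ADDomainController -Filter * -Server $domain).HostName
}
$liveDCs = $liveDCs | ForEach-Object { $_.ToLower().TrimEnd('.') } | Sort-Object -Unique

# Forest-wide locator records that every DC must register.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$forest",
    "_kerberos._tcp.dc._msdcs.$forest"
)

$report = foreach ($name in $srvNames) {
    # Resolve-DnsName may also return the targets' A records; keep only SRV.
    $records = Resolve-DnsName -Name $name -Type SRV -Server $dnsServer -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
    $targets = $records | ForEach-Object { $_.NameTarget.ToLower().TrimEnd('.') } | Sort-Object -Unique

    # A target that is not a DC is a stale registration (decommissioned or renamed host).
    foreach ($t in $targets) {
        if ($t -notin $liveDCs) {
            [pscustomobject]@{ Record = $name; Host = $t; Problem = 'stale: target is not a DC' }
        }
    }
    # A DC with no record is invisible to clients; usually a DDNS or netlogon issue.
    foreach ($dc in $liveDCs) {
        if ($dc -notin $targets) {
            [pscustomobject]@{ Record = $name; Host = $dc; Problem = 'missing: DC not registered' }
        }
    }
}

if ($report) { $report | Format-Table -AutoSize } else { 'All DC locator SRV records are consistent.' }
```

Site-specific records (`_ldap._tcp.<site>._sites.dc._msdcs.<forest>`) need the same comparison per site, using each DC's site from Get-ADDomainController, since a DC only registers under its own site. Remove stale records on the authoritative DNS server only after confirming the host is really gone: a record pointing at a decommissioned host keeps clients retrying a dead DC, while a record pointing at a machine that was repurposed is a target for Kerberos and LDAP spoofing.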

Confidential, Bridgewater, NJ

Active Directory Architect

Responsibilities:

  • Provided design work in multiple layers of services in network strategy, identity management, security arrangement, server virtualization strategy and application as a service.
  • Rebuilt server virtualization with VMware vSphere 5, ESXi 5 in HA clusters and the vCenter Appliance
  • Implemented AD LDS for external authentication
  • Working with application as a service vendor to design the best strategy to integrate the application
  • Redesigned the entire Active Directory forest
  • Streamlined the network services, DNS and DHCP

Confidential, New York, NY

Active Directory Architect/Consultant

Responsibilities:

  • Designed the entire group and user provisioning system among Windows 2008 R2 based Active Directory, a highly customizable EmpowerID provisioning system, MyAccess/Tivoli Identity Manager and an in-house developed global request workflow system; designed the complete automation logic, the interfaces among systems and the approval/decision flow.
  • Validated the CS User Acceptance Testing environment of the new Active Directory according to comprehensive business requirements and system standards developed over the years, laying the foundation for the identical production deployment. Worked with the in-house Active Directory operations team to address issues unearthed by the validation, and with the engineering team to make amendments to the design.
  • Designed a new delegation model with in-house engineers for the new Active Directory; following MS best practice, the model consists of roles in the areas of system admin, data admin, security admin and support operator; the model is future-proof in that it is not reliant on built-in groups such as Server Operators, Administrators, etc.
  • Designed the strategies for cross-forest migration of user objects under the unique constraints imposed by the CS legacy forests, namely the token bloat threat, complicated by the sheer number of applications in five domains and two forests; the migration strategy will ensure zero or minimal impact on business continuity and end users
  • High-level design of a distributed global SCOM 2007 system which is highly scalable, redundant to address single points of failure, and fault-tolerant with a DR fully replicated database and master server.
  • Redesigned the isolated AD DEV/lab environment on VMware Virtual Infrastructure 3, with VC, SAN storage, RDM storage, an HA cluster with RDS, a virtual switch bridged to the production CorpNet with a proxy for DEV product activation and WSUS updates, and with GRE tunnels to data centers in Europe and Asia.
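The delegation model described above, with roles that do not depend on built-in groups such as Account Operators or Server Operators, is implemented with explicit ACEs on OUs. The following is an added example and not the author's code: it grants one role group the Reset Password control access right and write access to pwdLastSet on user objects under a single OU, reading the object and right GUIDs from the live schema rather than hard-coding them. The OU and group names are assumptions.

```powershell
# Added example (not from the resume): role-based delegation of password reset
# on one OU via explicit ACEs, instead of membership in Account Operators.
# OU and group names are assumptions; GUIDs are read from the directory.
Import-Module ActiveDirectory

$ou    = 'OU=Staff,DC=corp,DC=contoso,DC=example'   # assumed
$group = 'Role-Helpdesk-PwdReset'                    # assumed role group (sAMAccountName)

$rootDse = Get-ADRootDSE

# Look up schema and extended-right GUIDs from the forest instead of hard-coding.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$displayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}

$userClass     = Get-SchemaGuid 'user'
$pwdLastSet    = Get-SchemaGuid 'pwdLastSet'
$resetPassword = Get-ExtendedRightGuid 'Reset Password'

$sid  = (Get-ADGroup -Identity $group).SID
$path = "AD:\$ou"
$acl  = Get-Acl -Path $path

$rights  = [System.DirectoryServices.ActiveDirectoryRights]
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# ACE 1: the Reset Password control access right, only on descendant user objects.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights::ExtendedRight, $allow, $resetPassword, $inherit, $userClass)))

# ACE 2: read/write pwdLastSet so the helpdesk can force "change at next logon".
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ($rights::ReadProperty -bor $rights::WriteProperty), $allow, $pwdLastSet, $inherit, $userClass)))

Set-Acl -Path $path -AclObject $acl

# Verify: list the ACEs this role group now holds on the OU.
$nbName = (Get-ADDomain).NetBIOSName
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -eq "$nbName\$group" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Scoping the ACEs to the user class and to one OU is what keeps the delegation narrow: the same right inherited down to computer objects or to an OU that holds administrative accounts would let the helpdesk reset a domain admin's password. Keep privileged accounts in OUs outside every delegated subtree, and review the resulting ACLs with `dsacls` or Get-Acl after each change.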

Confidential, Princeton, NJ

Infrastructure Engineer and Solution Architect

Responsibilities:

  • Working on a wide range of multi-discipline projects while managing a team of Intel engineers; budgeting and planning projects for Microsoft and Linux solutions; managing vendor engagements and ensuring effective execution at every step of the project lifecycle; effectively mentored and motivated the team responsible for multiple threads of projects modernizing the company's networking, storage, security, messaging and directory services; at the same time I myself significantly expanded my knowledge of disciplines outside my range of expertise, in the direction of different OS platforms, LAN/WAN architecture, storage and fabric, and full turnkey DR solutions. Led projects involving Microsoft Active Directory upgrades; AD and messaging system design for a merger; EMC storage and backup system feature enhancement; server virtualization strategy; DR strategy leveraging CLARiiON, SAN Copy/Replication Manager and VMware; Exchange messaging system upgrade; and networking upgrades in DNS redesign, scalable DHCP services and subnet management.

Accomplishments:

  • Designed the system integration strategy to gradually merge the two companies with zero impact on business and end users; simplified the overly complicated AD forest structures, making messaging and system management more efficient; documented detailed step-by-step implementations in all stages of the system integration to ensure zero user impact at the time of implementation.
  • Working with the in-house network engineer in redesigning the company's networking system: the best routing strategy, IP management, Layer 2 and 3 switching, and integrating Cisco IP Phone Call Manager and Unified Messaging systems.
  • Redesigning the Exchange 2003 based messaging system, rearranging the Information Store on SAN to comply with MS best practice; labbed Exchange 2010 as the messaging system upgrade candidate; completely redesigned the messaging system around the new features and architecture of Exchange 2010; at the same time, planned the upgrade to and implemented features of Windows 2008 based Active Directory; configured and implemented Cisco IronPort for email antispam and antivirus, and EMC SourceOne for email archiving.
  • In collaboration with EMC, designed and led the project of setting up a complete DR solution centred around EMC SAN Copy, MirrorView, PowerSnap with CLARiiONs, Replication Manager, Brocade fabric and Brocade FCIP tunnels; successfully executed the project with EMC engineers.
  • Designed and implemented the VMware virtual environment, which consists of multiple HA/DRS ESX farms; designed the processes for physical-to-virtual migration, virtual switching that involves bridging the production networks, isolating networks for lab or testing, and tunnelling between networks.

Confidential, Hoboken, NJ

Active Directory Architect

Responsibilities:

  • Strategized a three year migration schedule for all regions.
  • Managed vendors to investigate and analyse their migration tools.
  • Finally, instead of using the 3rd-party tools, designed an automated migration procedure and tools around the free Microsoft ADMT; the tool was designed so that it can be followed as a standard procedure by team members.
  • The tool proved so obviously effective for its designed purpose that the team was able to get sponsorship from higher management to implement it practically simultaneously worldwide, with myself travelling to countries in Asia, Australia, Latin America, EMEA and North America to supervise the initial migrations in each region, led by the member of my team in that region. By the end of 2007, all global regions of Confidential were consolidated into the new global AD forest with zero impact to end users.
  • Leveraging the free ADMT tools, the entire migration saved Confidential at least $400,000 that would otherwise have been incurred for 3rd-party tool licenses.
  • Designed AD Federation Services with ADAM among MMC operating companies for applications used by both external and internal users. In general, the external directory for the external-facing applications, which are also used by internal users, is provided by third-party systems (e.g. Tivoli Access Manager), while the internal directory services to these applications leverage AD FS/AD LDS.
  • MMC further consolidated its computing environment to facilitate collaboration not only among the regions but also among operating companies under MMC.
  • Leveraging forest root trusts and the transitivity of child trusts, I designed a Microsoft best-practice based inter-forest delegation structure and AD and server management structure.
  • Worked with identity management team in MIIS/MILS/FIM deployment and integration
  • Maintained and managed effective vendor relations.
  • Confidential, as a hundred-year-old global company, has system bottlenecks and inefficiencies from both inheritance and uneven system development. Invited vendors to present roadmaps of their product development to remain on the cutting edge of technological advances in the Intel-based fields; proactively identified issues that may potentially be addressed by newly developed technologies.
  • One example of such initiatives: recommended to senior management was Quest Password Manager, intended to significantly reduce the number of calls to the company's global helpdesk, after a POC with the major players in the field and presenting the ROI and the pros and cons of the competing systems with clear engineering recommendations.
  • Such a system was eventually approved by the management, designed, documented and handed to operations for global implementation.
  • Examples also include: recommending, designing and documenting Confidential Global SCOM 2007; Recommending, designing with colleagues and documenting Global data center virtualization with VMWare; and AD across DMZ design.
  • Automating and standardizing the global server build; smooth automation and vigorous standardization of server builds are essential in large shops.
  • Designed the workflow and architected the build DVD for HP DL series servers, HP c-Class blades and VMware templates.
  • Designed a global PKI infrastructure based on Microsoft AD CA, leveraging both standalone and enterprise CAs, balancing performance and security.
