Active Directory Architect Consultant Resume
Raritan, NJ
SUMMARY
Active Directory architect, designing, engineering and managing Active Directory structure, with extensive experience in designing solutions for system consolidations in mergers and acquisitions, divestitures, system restructuring and administrative model design; for inter-company collaborations with AD LDS, other LDAP directory services and federation services; for system integrations; and for integrating hosted services and cloud services, such as integration with Azure Active Directory and Office 365. Design and support Exchange 2003-2010 messaging systems. Design and implement server virtualization with VMware and Microsoft Hyper-V. Always staying abreast of advances in technology.
TECHNICAL EXPERIENCE SUMMARY
Microsoft Windows Systems
- Windows 2000/2003/2003 R2/2008/2008 R2/2012 Active Directory:
- Global AD forest design
- Enterprise identity management solution design
- AD forest consolidations, cross-forest collaboration, AD LDS structure design and implementation, and Active Directory Federation Services design and engineering
- Planning and designing AD namespace structure, integrating AD name resolution into a heterogeneous computing environment
- AD physical structure design, integrating Microsoft services into existing systems, such as AD-integrated DNS with BIND DNS, QIP and CNR, and integrating Unix/Linux with Services for Unix
- Global site and subnet structure design with considerations for inter-site AD partition replication and FRS replication, FSMO and Global Catalogue role placement
- RODC placement and strategies
- Windows 2008 R2 features, such as the strategy to move to managed service accounts, implementation of the AD Recycle Bin, GPP and FGPP
- Windows 2012 R2 features
- Detailed process of AD consolidation and migration planning and management;
- Scripting in VB and PowerShell with ADSI, WMI, etc.
- GPO structure design to define security boundaries and design GPP structure
- AD security structure leveraging security groups, RMS and PKI; underlying security protocols, such as Kerberos V and NTLM
- LDAP partitions, search filter, LDIF format, AD implementation of LDAP vs OpenLDAP
- ADAM/AD LDS and AD FS solutions for applications
- Designing domain controller on Server Core solutions and processes
- Microsoft Exchange 2003/2007
- Exchange organization in multiple forest environment
- Messaging consolidation in merger situation
- Exchange 2003 administrative and routing group management in distributed and centralized environments
- Exchange 2007 enterprise system design with server roles and underlying AD site topology
- Exchange DR strategy with EMC Replication Manager
- Using Recovery Storage Group to recover data
- Email archiving with third party systems such as SourceOne
Server Technology and Virtualization
- VMware vSphere Virtual Infrastructure with ESX 2.5 to 5.0. Strategically designed data center virtualization with VMware Virtual Infrastructure, Virtual Center and the Virtual Center Server Appliance; designed VM deployment strategy with datastore and template automation for all Windows versions and Linux, ESX 3.x and vMotion; strategically leveraged SAN and server blade technology across data centers globally with HP DL c-Class blades and IBM Blade.
- Microsoft Virtual Server Manager and Hyper-V technology, MS Hyper-V on Windows Server 2008/2012 Server Core
- implementing server consolidation using Hyper-V, leveraging 2012 features such as, Share-Nothing Migration, Live Storage Migration
- Tuning VMs with features such as Runtime Memory Configuration, Generic Routing Encapsulation
- Server hardware: engineered and standardized HP DL series servers G2-G8 and HP BL c-series blades and chassis
- Standardized server hardware configurations of HP hardware devices, such as MSA, as well as that of the HP DL and BL models;
- Streamlined the server hardware provisioning process
- Server OS provisioning: developed an automated server provisioning procedure for Microsoft OS, leveraging WinPE, HP server build utilities, sysprep and unattended OS installation; the process makes server OS deployment fully automated with the desired patch level, agents and client software required for server management; the process is CD and DVD based
- Server monitoring: designed global enterprise MOM 2005 and SCOM 2007 systems in multi-management group structure, with clustered RMS, clustered SQL backend, strategically located management servers and gateway servers; leveraging multi-homed agents and a DR environment for a true fault-tolerance, designed SCOM reporting service and the data warehouse, designed the server auditing system built in the same SCOM systems, all benefiting the same fault-tolerance mechanism, leveraging log shipping or database replication;
Storage and Backup
- EMC CLARiiON CX3 and CX500 SAN storage management with Navisphere and CLI
- Replications with EMC Replication Manager
- Architecting SnapView snapshots and clones, SAN Copy and MirrorView among arrays
- Configuring and architecting fabrics of Brocade switches and McDATA switches, zoning and licensing
- Configuring FCIP routing with fabric domains, LSAN, virtual ports and EX/VEX ports
- IBM FAStT storage
- Celerra NAS
- iSCSI target and initiator configuration and implementation
- Architecting server backup and recovery with NetWorker backup and Quantum library systems
Linux, Red Hat and other flavours
- Red Hat Enterprise Server 4 and 5
- Kickstart server deployment
- Configuring server services, such as NFS, SMB, SFTP, SSH and NTP
- Implementing Kerberos V5 authentication with an AD Kerberos realm
- Setting up a YUM server and automatic updates
- Using Linux as a host for VMware Server, BIND 9 DNS and Cisco Network Registrar
- Configuring Linux components such as networking, local security and firewall with IPTables or IPChains, mounting devices, workstation features under KDE or Gnome, working with X, redirecting displays, and compiling the kernel for drivers that need kernel recompilation
- Likewise Enterprise system design and support
Confidential, New York
Active Directory Architect consultant
- Restructure and remediate NYL Active Directory physical topology to standardize the sites and subnets structure in all aspects, and designed the algorithm and process to automate new site, subnet and site link creation. Provide a road map for NYL Active Directory optimization from group management all the way to domain consolidation. Office 365 integration and DirSync with the company's Azure tenant; AD FS configuration.
Confidential, Raritan, NJ
Active Directory Architect consultant
Responsibilities:
- A central role in J&J Synthes AD migration to J&J AD forest; designed the entire Active Directory user and group account migration with the consideration of the interactions with messaging and user environment migrations; effectively managed the migration tool vendor, Dell/Quest.
- Led the efforts of restructuring and remediation of the J&J global Active Directory forest physical topology; designed the Karlour© Network Performance Indicator (KNPI©) to gauge domain controller performance when the AD physical structure is changed; effectively reduced the footprint of the AD physical structure.
- Designed the entire process of an OpCo divestiture, covering the OpCo's separate AD architecture, build specifications, detailed migration, risk management, seamless handoff and detailed cost analysis from a technical perspective; consolidated and streamlined OpCo collaborations; designed solutions for domain controller isolation with SRV record manipulation, for DR and for secure decommissioning of domain controllers.
- Active Directory DFL/FFL upgrade from Level 2 to Level 4 and then 5; designed the strategy for RODC deployment and password replication.
- Investigated and designed solutions with current features of Active Directory, such as FGPP, AD Recycle Bin, Managed Service Accounts, DC deployment on Server Core and Group Policy Preferences.
- Investigating and designing a supplemental PKI based on AD CS
- Investigation of Office 365 integration, AD FS system design and Azure AD
Confidential, NJ
Active Directory Architect
Responsibilities:
- Designed the detailed step by step consolidation plan; prepared the ImClone AD physical and logical structures for the migration.
- Integrating identity management into FIM as part of the system consolidation
- Redesigning the entire AD physical structure; strategically re-invigorating a static DNS naming arrangement for AD with the BIND-based Infoblox appliance, which was full of stale and downright incorrect SRV records; controlled DDNS was enabled and stale records were eliminated without interruptions to AD operation; optimized the AD site topology to a multi-hub/spoke structure with all connection objects automatically calculated by the KCC.
- Restructuring the AD logical structure; tightened and optimized AD security; designed a new security model with different elevations of privilege; streamlined the OU structure and group policy structure.
- Upgrading AD from FFL2/DFL2 to FFL4/DFL4; leveraged the new features this functional level offers.
- Implemented an enterprise DFS structure with multiple namespaces and strategically scheduled global replications; implemented a PKI which leverages MS AD CA and commercial certificate vendors; implemented a Likewise Enterprise infrastructure.
- Investigating AD and directory management tools; designed the architecture of an enterprise ActiveRoles Server system which is scalable, redundant and completely free of single points of failure.
Confidential, Bridgewater NJ
Active Directory Architect
Responsibilities:
- Rebuilt server virtualization with VMware vSphere 5, ESXi 5 in HA clusters and the vCenter Appliance
- Implemented AD LDS for external authentication
- Working with application as a service vendor to design the best strategy to integrate the application
- Redesigned the entire Active Directory forest
- Streamlined the network services, DNS and DHCP
Confidential, New York NY
Responsibilities:
- Designed the entire group and user provisioning system, among Windows 2008 R2 based Active Directory, a highly customizable EmpowerID provisioning system, MyAccess/Tivoli Identity Manager and an in-house developed global request workflow system; designed the complete automation logic, the interfaces among systems and the approval/decision flow.
- Validated the CS User Acceptance Testing environment of the new Active Directory, according to comprehensive business requirements and system standards developed over the years, laying the foundation for the identical production deployment. Worked with the in-house Active Directory operations team to address issues unearthed by the validation and with the engineering team to make amendments to the design.
- Designed a new delegation model with in-house engineers for the new Active Directory; following MS best practice, the model consists of roles in the areas of system admin, data admin, security admin and support operator; the model is future-proof in that it is not reliant on built-in groups, such as Server Operators, Administrators, etc.
- Designed the strategies for cross forest migration of user objects under the unique constraints imposed by CS legacy forests, namely, the token bloat threat complicated by the sheer number of applications in five domains and two forests; the migration strategy will ensure zero or minimum impact on business continuity and end users
- High level design of a distributed global SCOM 2007 system, which is highly scalable and redundant to address single point of failure, and fault-tolerant with DR fully replicated database and master server.
- Redesigned the isolated AD DEV/lab environment on a VMware virtual infrastructure 3, with VC, SAN Storage, RDM Storage, HA cluster with RDS, bridged virtual switch to the production CorpNet with proxy for DEV product activation and WSUS updates and with GRE tunnels to data centers in Europe and Asia.
Confidential, Princeton, NJ
Responsibilities:
- RadPharm and Medifacts of Maryland merged to form Confidential. The two companies together account for about 1200 objects in three countries as well as the US. Designed the strategy of system integration to gradually merge the two companies with zero impact on business and end users; simplified the overly complicated AD forest structures, making messaging and system management more efficient. Documented detailed step-by-step implementations in all stages of the system integration to ensure zero user impact at the time of implementation.
- Worked with the in-house network engineer in redesigning the company networking system for the best routing strategy, IP management, Layer 2 and 3 switching, and integrating Cisco IP Phone Call Manager and Unified Messaging systems.
- Redesigned the Exchange 2003 based messaging system, rearranging the Information Store on SAN to comply with MS best practice; labbed Exchange 2010 as the messaging system upgrade candidate; completely redesigned the messaging systems to the new features and architecture of Exchange 2010; at the same time planned the upgrade to and implemented features of Windows 2008 based Active Directory; configured and implemented Cisco IronPort for email antispam and antivirus, and EMC SourceOne for email archiving.
- In collaboration with EMC, designed and led the project of setting up a complete DR solution centred around EMC SAN Copy, MirrorView, PowerSnap with CLARiiONs, Replication Manager, Brocade fabric and Brocade FCIP tunnels; successfully executed the project with EMC engineers.
- Designed and implemented the VMware virtual environment, which consists of multiple HA/DRS ESX farms, designed the processes of physical to virtual migration, virtual switching that involves bridging the production networks, isolating network for lab or testing, and tunnelling between networks.
Confidential, Hoboken, NJ
Responsibilities:
- Led the initial global AD structure design for Confidential. Communicated to executive management the benefit of a consolidated global AD system as opposed to regionally centered NT domains. Collaborating with networking engineers and the teams from other global regions, consolidated and streamlined DNS name resolution, redesigned the AD physical structure and redesigned the naming standard. The result of this effort is a highly scalable global AD forest, into which all regional offices of Marsh eventually eased with zero interruptions to the regions' day-to-day operations. The entire Marsh global organization was incorporated into one security domain.
- Led and closely managed collapsing NT and country AD domains into the Marsh global forest. Strategized a three-year migration schedule for all regions. Met vendors to investigate and analyze their migration tools. Finally, instead of using 3rd-party tools, designed a complete migration procedure and tools around the free Microsoft ADMT. For the following three years, led the migration projects of all global regions. Travelled to countries in Asia, Australia, Latin America, EMEA and North America to perform the initial migration, tuned the procedure and provided the knowledge transfer for the region to carry on the rest of the migration. By the end of 2007, all global regions of Marsh were consolidated into the new global AD forest with zero impact on end users. Leveraging the free ADMT tools, the entire migration saved Marsh at least $200,000, which would have been incurred for licenses of the 3rd-party tools.
- Designed AD Federation Services with ADAM among Confidential operating companies for applications used by both external and internal users. In general, the external directory for the external-facing applications, which are also used by internal users, is provided by third-party systems (e.g. Tivoli Access Manager), while the internal directory services to these applications leverage AD FS/AD LDS.
- Confidential further consolidated its computing environment to facilitate collaboration not only among the regions but also among operating companies under Confidential. Leveraging forest root trusts and the transitivity of child trusts, I designed a Microsoft best-practice based inter-forest delegation structure and AD and server management structure.
- Worked with identity management team in MIIS/MILS/FIM deployment and integration
- Maintained and managed effective vendor relations. Marsh, as a hundred-year-old global company, has system bottlenecks and inefficiencies from both inheritance and uneven system development. Invited vendors to present roadmaps of their product development to remain on the cutting edge of technological advances in Intel-based fields; proactively identified issues that may potentially be addressed by newly developed technologies. One example of such initiatives: Quest Password Manager was recommended to senior management to significantly reduce the number of calls to the company's global helpdesk, after a POC with the major players in the field and presenting the ROI and the pros and cons of the competing systems with clear engineering recommendations. Such a system was eventually approved by management, designed, documented and handed to operations for global implementation. Examples also include: recommending, designing and documenting Marsh Global SCOM 2007; recommending, designing with colleagues and documenting global data center virtualization with VMware; and AD across DMZ design.
- Automating and standardizing global server build. Smooth automation and vigorous standardization of server build is essential in large shops, such as Confidential. Designed the workflow and architected the build DVD for HP DL series servers, HP c-Class Blades and VMware templates.
- Designed a global PKI infrastructure based on Microsoft AD CA, leveraging both standalone and enterprise CA, balanced with performance and security.
Confidential, Boston MA
Responsibilities:
- The challenges in an AD design in a university environment include the considerations of integrating AD into existing systems, the unique culture of independence of the university's schools and departments, and a constantly changing and loosely defined user population. The final AD was designed to be highly scalable in a contiguous namespace, with centralized user account management in a distributed computing environment, the AD namespace and DNS services tightly integrated into the university Unix BIND namespace, a GPO structure that is both layered and monolithic, using loopback to control lab and classroom computers, and security templates used for GPOs distributed to schools and departments. The BC AD system has been a solid, reliable, secure and highly scalable system with the root domain holding all student accounts while services and resources are distributed in departmental domains, making joining the BC AD appealing to the schools and departments.
- Led BC NT domains. In BC, departments had the independence to choose whether or not to join the university-wide AD system. The migration started by presenting to departments the advantages of using services provided by the BC central AD. Designed detailed strategy and processes for migrating student PCs, lab and kiosk PCs as well as regular office PCs. Led a team of 8 to cut over all 20000 users on campus.
- Led the BC server virtualization project. BC Technology desired to virtualize part of the central data centres. Designed and set up the BC ESX infrastructure in two centralized data centres and determined the list of servers to be virtualized.
- The BC Registrar system is the single source of user account management for all systems on campus; modified the process that was updating the NT SAM database to make it adequately update AD LDAP accounts, eventually implementing an account updating mechanism that takes feeds from the BC LDAP directory, setting up SLDAP with the Confidential Enterprise CA for IBM Directory Integrator.