Decommissioning on-premises Active Directory and going all the way to Okta as the sole identity provider is one of those projects that sounds clean in a meeting and gets complicated fast once you’re inside the actual environment.
The org had built everything on AD. Authentication, Group Policy, endpoint management, manual account provisioning. It worked well enough for a while. Then the company started growing and the cracks showed. Cloud apps were piling up. The workforce was increasingly distributed. Manual provisioning was eating time that nobody had. And defending an on-prem-anchored identity environment against threats that don’t care about your physical network perimeter gets harder the more distributed you become.
I inherited FortiNAC in a broken state. The engineer who set it up was no longer with the company, and from what I gathered, the chaos of that original deployment was a significant reason for their departure. What they left behind was a NAC system that technically functioned but created constant friction: inconsistent enforcement, poor compatibility with Juniper’s commit structure, and a wireless problem nobody could pin down.
That last one took the longest to crack.
Active Directory at Charlie’s Produce had nothing useful in it. No titles, no manager fields, no department information. There was a separate company directory that HR maintained by hand, and if something in AD actually needed updating, someone had to open a Help Desk ticket and wait. That was the system. It had worked that way for as long as anyone could remember.
I had searched that directory hundreds of times and never thought much about it. Then one day it was being slow, and I finally lost it. I was going to fix this, and I was going to fix it in a way where I would never have to think about it again.
There’s a detail that makes this project a little unusual: I had deployed Charlie’s Produce’s SCCM environment years earlier as a consultant at Affirma. Ozzy, who would eventually hire me full-time, was the person I had originally built it for. Two years after that engagement ended, he called and offered me the job.
So when I showed up and found the SCCM environment largely unchanged from when I’d left it, I wasn’t surprised. I knew exactly what I was working with. And I knew what it would take to push a Windows 10 migration through it for about 3,000 people across multiple sites.
NAES was acquiring companies in the energy services space when I joined. Each acquisition brought its own IT environment — separate AD forests, separate O365 tenants, whatever endpoint management the acquired company happened to be running. My job was to sort it out.
AD forest consolidations aren’t exciting work, but they’re the thing that everything else depends on. Identity has to work before anything else can be unified. If you skip it or half-do it, you end up with users carrying multiple accounts, shared resources that nobody can cleanly access, and security gaps across trust relationships that you can barely see, let alone audit. It’s the kind of debt that compounds.
Consulting at Affirma meant touching about 20 different client environments over 18 months. Some were in decent shape and just needed specific work done. Others hadn’t had anyone look at the fundamentals in years and needed triage before anything else.
The most interesting engagement was an internal penetration test against a client’s Active Directory environment. Old AD environments accumulate problems over time: stale accounts that never got removed, service accounts with more permissions than anyone remembers why, Kerberoastable SPNs sitting there waiting, NTLM relay opportunities that exist because the environment predates the mitigations. This one had all of it. The test surfaced issues across authentication protocols, privileged account management, and network segmentation.
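As an added illustration, not part of the author's write-up or any client's tooling, here is the kind of read-only audit a defender can run to find the account-level problem classes listed above before a tester does: enabled accounts nobody has used, user accounts carrying SPNs (the Kerberoast exposure) with old passwords or no AES ticket support, and privileged group members with weak password hygiene. It assumes the RSAT ActiveDirectory PowerShell module and a domain-joined account with ordinary read access; the thresholds, the report path and the group list are constructed defaults. The NTLM relay point is a network configuration question (SMB and LDAP signing, channel binding) that this script does not check.

```powershell
# Added example: AD account-hygiene audit (read-only; reports, never modifies).
# Assumes RSAT ActiveDirectory module; thresholds and paths below are constructed defaults.
param(
    [int]$StaleDays = 90,            # no logon in this many days counts as stale
    [int]$OldPasswordDays = 365,     # SPN/privileged accounts with older passwords are flagged
    [string]$ReportPath = '.\ad-hygiene-report.csv'
)

Import-Module ActiveDirectory

$now = Get-Date
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Category, [string]$Account, [string]$Detail)
    $findings.Add([pscustomobject]@{ Category = $Category; Account = $Account; Detail = $Detail })
}

# 1. Stale but still enabled accounts: never removed, still usable for logon.
#    LastLogonDate comes from lastLogonTimestamp, which replicates with up to ~14 days of lag,
#    so treat it as "at least this old", not exact.
$staleCutoff = $now.AddDays(-$StaleDays)
Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate, WhenCreated |
    Where-Object {
        ($_.LastLogonDate -and $_.LastLogonDate -lt $staleCutoff) -or
        (-not $_.LastLogonDate -and $_.WhenCreated -lt $staleCutoff)   # created long ago, never logged on
    } |
    ForEach-Object {
        Add-Finding 'StaleEnabledAccount' $_.SamAccountName ("LastLogonDate={0}; Created={1}" -f $_.LastLogonDate, $_.WhenCreated)
    }

# 2. Kerberoast exposure: user accounts with SPNs. Any authenticated user can request a service
#    ticket for them, so password age/strength and the ticket cipher are what protect the key.
#    msDS-SupportedEncryptionTypes: AES128 = 0x8, AES256 = 0x10; unset (null) falls back to defaults
#    that have historically allowed RC4 tickets.
Get-ADUser -Filter { ServicePrincipalName -like '*' } `
    -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires, AdminCount, 'msDS-SupportedEncryptionTypes' |
    ForEach-Object {
        $age   = if ($_.PasswordLastSet) { ($now - $_.PasswordLastSet).Days } else { -1 }
        $enc   = $_.'msDS-SupportedEncryptionTypes'
        $hasAes = (($enc -band 0x18) -ne 0)
        $notes = @()
        if ($age -lt 0 -or $age -gt $OldPasswordDays) { $notes += "password age ${age}d" }
        if (-not $hasAes)                              { $notes += 'no AES flag set (RC4 tickets possible)' }
        if ($_.AdminCount -eq 1)                       { $notes += 'AdminCount=1 (protected/privileged)' }
        if ($_.PasswordNeverExpires)                   { $notes += 'PasswordNeverExpires' }
        if ($notes.Count -gt 0) {
            Add-Finding 'KerberoastableSPN' $_.SamAccountName (($notes -join '; ') + '; SPNs=' + ($_.ServicePrincipalName -join ','))
        }
    }

# 3. Privileged account management: recursive membership of the high-value groups, flagging
#    members that are stale or have passwords that never rotate. Enterprise Admins only exists
#    in the forest root domain, so failures to resolve a group are warned about, not fatal.
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    try {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $u = Get-ADUser -Identity $_.DistinguishedName -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate, Enabled
                $age = if ($u.PasswordLastSet) { ($now - $u.PasswordLastSet).Days } else { -1 }
                $notes = @()
                if ($u.PasswordNeverExpires)                            { $notes += 'PasswordNeverExpires' }
                if ($age -lt 0 -or $age -gt $OldPasswordDays)          { $notes += "password age ${age}d" }
                if ($u.Enabled -and $u.LastLogonDate -and $u.LastLogonDate -lt $staleCutoff) { $notes += 'stale but enabled' }
                if ($notes.Count -gt 0) {
                    Add-Finding 'PrivilegedAccountHygiene' $u.SamAccountName ("member of '$group'; " + ($notes -join '; '))
                }
            }
    } catch {
        Write-Warning "Could not enumerate '$group': $_"
    }
}

# Write the report and print a per-category summary for triage.
$findings | Export-Csv -NoTypeInformation -Path $ReportPath
$findings | Group-Object Category | Select-Object Name, Count | Format-Table -AutoSize
Write-Host "Wrote $($findings.Count) findings to $ReportPath"
```

Run it from a domain-joined host as an ordinary domain user; none of the cmdlets need elevated rights for read access, which is itself part of the point: everything this script sees, any authenticated user can see too. Each category maps to a remediation the author's list implies: disable and then remove stale accounts, move SPN-bearing accounts to group Managed Service Accounts or at least long random passwords with AES enabled, and put the privileged members on rotation and a tiered-admin model.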