zlacker

1. tptace+(OP) 2014-12-29 18:16:37
Most sites that enable PFS do so with solid ECDH. It's hard to find PFS configuration guidelines that will give you breakable conventional DH groups.

The latter half of AGL's post is about systems security, not (really) the cryptographic security of TLS. It's about things you can do that would make NSA owning up your servers a greater or lesser threat to previously encrypted TLS sessions.
