Damn, I knew someone would ask for details and this is one I wasn't heavily
involved in. 

We were putting in W2K3 schema and some of our company-specific stuff. There
was something that collided with the E2K stuff - I want to say inetorgperson
though it was like many months ago and Exchange has killed too many brain
cells...

Ok, google helped... Here it is 

http://support.microsoft.com/default.aspx?kbid=314649


The interesting thing with this one was that we didn't see any errors on the
machine that we did the update on. Once it started replicating, errors popped
on all the other DCs concerning the mangling. Once I caught wind of it our
onsite MCS guy and PSS guy chased it down and got me an LDIF file to correct
it. The article above basically. We applied that and everything was fine. 

I don't recall why it wasn't initially caught in the test lab but they
retried it and it did do it there as well. Most likely it was never
double-checked on any machines outside of the one it was done on and a
comprehensive schema compare was never done. I can't recall though as I
really wasn't all over it as I had something else I was on and I can't even
remember what that was but it was critically important at the time.


As for the snapshot stuff...

Do an LDIF export of your schema or adfind dump or whatever. Make your
changes. Get another dump/export. Run Windiff against them and it will
highlight the differences. If someone really wanted to get fancy they would
script it (my preference would be perl) and have it output a delta LDIF
file. You could even do this against dissimilar forests to see what was
different or to update one forest to mirror another. 

The method described above is one of my old fallbacks for trying to figure
out what the heck is going on in the directory for various changes. It is
how I figured out the whole subnet/site business to script it years ago
(this was before Robbie and Richard's great book that didn't sell so well as
it is over most admins' heads). Basically I would dump the whole config
container, do the crap in the GUI I wanted to figure out, then dump it again
and windiff to see what got changed. Then duplicated it in a script. 

  joe
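
The snapshot-and-diff method joe describes above, scripted as an added example (in Python rather than Perl; it is not code from the thread). It assumes plain LDIF exports with entries separated by blank lines; the function names, DNs and sample snapshots are constructed for illustration.

```python
import base64
from collections import defaultdict

# Attributes that differ per DC or per write; they are noise in a schema diff.
VOLATILE = {"changetype", "whenchanged", "whencreated", "usnchanged",
            "usncreated", "objectguid"}

def parse_ldif(text):
    """Map lower-cased DN -> (original dn line, {attr: sorted raw values})."""
    # RFC 2849 folding: a line that starts with one space continues the previous one.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    entries = {}
    for block in text.split("\n\n"):
        dn_line, key, attrs = None, None, defaultdict(list)
        for line in block.splitlines():
            name, sep, rest = line.partition(":")
            if name.lower() == "dn":  # "dn:: ..." is base64; decode only for the key
                raw = base64.b64decode(rest[1:]).decode() if rest.startswith(":") else rest
                dn_line, key = line, raw.strip().lower()
            elif sep and not line.startswith("#") and name.lower() not in VOLATILE:
                attrs[name].append(":" + rest.rstrip())  # keeps ": v" or ":: b64" as exported
        if key:
            entries[key] = (dn_line, {a: sorted(v) for a, v in attrs.items()})
    return entries

def delta_ldif(before_text, after_text):
    """Return (LDIF turning 'before' into 'after', dn lines present only in 'before')."""
    before, after = parse_ldif(before_text), parse_ldif(after_text)
    out = []
    for key, (dn_line, attrs) in after.items():
        old = before.get(key, (None, None))[1]
        if old is None:                      # entry is new: emit it whole
            out += [dn_line, "changetype: add"]
            out += [a + v for a, vals in attrs.items() for v in vals] + [""]
        elif old != attrs:                   # entry changed: emit per-attribute operations
            out += [dn_line, "changetype: modify"]
            for a in sorted(set(old) | set(attrs)):
                if old.get(a) != attrs.get(a):
                    op = "replace" if a in attrs else "delete"
                    out += [f"{op}: {a}"] + [a + v for v in attrs.get(a, [])] + ["-"]
            out.append("")
    return "\n".join(out), [before[k][0] for k in before if k not in after]

# Constructed sample snapshots (not real exports): one changed attribute, one new entry.
BEFORE = ("dn: CN=x-Widget,CN=Schema,CN=Configuration,DC=example,DC=com\n"
          "lDAPDisplayName: xWidget\nsearchFlags: 0\nuSNChanged: 100\n")
AFTER = BEFORE.replace("searchFlags: 0", "searchFlags: 1").replace("100", "245") + (
    "\ndn: CN=x-Gadget,CN=Schema,CN=Configuration,DC=example,DC=com\n"
    "lDAPDisplayName: xGadget\n")
```

Entries that appear only in the first snapshot are returned as a separate list for review rather than written out as deletes.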


 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of marcus
Sent: Friday, January 30, 2004 8:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] schema updates

Same goes.  This is a relatively new topic for me.

To answer a few questions, the configuration is an empty root domain and
three child domains.  The extensions we are looking at are for Windows 2003,
Exchange 2003, and SMS 2003.  :)

Now Joe you mentioned something regarding taking a snapshot of changes in
LDIF format.  How exactly does this get achieved?  Thanks!

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Friday, January 30, 2004 3:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] schema updates

Joe - care to elaborate on the error that didn't become obvious until it
replicated ?  I'm just curious what to watch for - maybe I'll add some steps
to my schema change testing process...
Dave

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of joe
Sent: Friday, January 30, 2004 9:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] schema updates


Darn Vendors!!! Of course we could always crutch this by creating a Schema
diff file, snap the schema, update the schema, diff it, generate the ldif
ourselves. Not recommending that to anyone but is something I have been
thinking about. 

While we are on the topic of schema updates, one other recommendation I have
is...

The idea of having a DC off on its own that you do the change on is a great
idea. The initial idea was off on its own off the network, then it was off
in its own site with a real long period of time for the site link (not greater
than a week though or it is ignored). The next step in this idea/method is
to put multiple servers in that site. That way you make the changes and then
they go to a small group of a couple of servers and you watch for errors on
ALL of them. We had an error in our last update that didn't become obvious
until it replicated. 

Also my next schema update I think I will coax the schema partition
replication through the system specifically by hand to see if it goes any
faster via repadmin (or possibly joeware) forced connection/partition
replication. 

  joe
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Friday, January 30, 2004 9:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] schema updates

I completely agree with you Joe.  I've been hassling vendors left, right and
centre to provide LDIF files for schema extensions.  Unfortunately, no one
appears to listen.  The most recent extensions I've tested have been from MS
(SMS 2003) and HP (Managed Objects), both of which fail to provide LDIFs.
If we can't get the big boys to provide them, what hope do we have with the
smaller vendors.

VMWare with its snapshot facility is great for testing schema updates.
(Except for when you click the Revert button just next to Snapshot by
accident - something I've done more than once!)

Tony

---------- Original Message ----------------------------------
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 30 Jan 2004 09:24:21 -0500

I will debate this one... :op
 
First no one should put in anything they don't completely trust. I allowed
that to happen once and now I have a bunch of attributes/objects out there
that have nothing to do with anything and almost certainly won't be used
because the people driving it didn't have a clue what they were doing but
had enough weight (at the time) to force the issue. Now I have them as an
example to give me weight for any other people whom I don't trust.
 
Schema changes are one thing that should be worked and reworked and reworked
in the lab until you are sure of the outcome. Pulling a live copy of
production into a disconnected lab for this is invaluable and in my view an
absolute requirement. 
 
Unless you find something that is an absolute "it must go in this specific
order" because of issues you have seen, try to put them all together and not
have the schema cache update until it hits the end. 
 
If people give you programs to run instead of LDIF files, beat on the vendor
as that is very bad on their part - Hear me MS, W2K3 forest prep pissed me
right the [EMAIL PROTECTED] off. 
 
Anyway, take the LDIFs and pull the schema cache update entries out and tie
them all together and try it in the lab to make sure everything goes well.
 
Note this is an OUTSTANDING place to use Virtual machines. 
 
  joe
 
 

  _____  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Friday, January 30, 2004 7:37 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] schema updates



To me it depends if you're stacking like or unlike schema updates. For
instance, with Exchange 2000 there are 2 sets of updates - the ADC and the
Exchange proper ones. I'd stack those any day.

Now - if you're talking custom schema stuff, or extensions from companies
you don't completely trust, then maybe staggering them makes more sense.

The real question is are schema updates queued into the regular replication
interval or does the schema update process itself force replication?

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc. 

>  -----Original Message-----
> From: [EMAIL PROTECTED]
> mailto:[EMAIL PROTECTED]
> Sent: Friday, January 30, 2004 12:39 AM 
> To:   [EMAIL PROTECTED] 
> Subject:      [ActiveDir] schema updates 
> 
> Sorry if this has come up before (haven't seen it hit the list). 
> 
> We have some schema updates to do... but was curious whether stacking 
> them up back to back was a very good idea since they all require full 
> gc syncs.  We've tested the extensions individually in the lab, and 
> they all act fine... any comments on why you should or should not do 
> this?  :-)



List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
