Without wishing to appear facetious :) - I would suggest if the company follows ITIL practices then they already have a change mgmt and config mgmt process and/or system which helps achieve your goal.
 
As far as best practices are concerned, I would aim for a 'core' schema config which is present in all instances of ADAM or AD schemas but manage differences via the ITIL framework (mentioned above).
 
neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: 13 September 2006 10:39
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Handling different schemas - managing & maintaining updates

I can't get too specific about the requirements, so please don't ask ;-)
 
I'm looking for your ideas, opinions and experience on how you maintain different sets of schemas for different forests that you manage (for the same customer).
 
Basically, consider this: you have an internal domain (single domain forest) and another (or several) single domain forest(s) in a DMZ.  They might have Exchange and one or two other directory-enabled apps that extend the schema, and you have your own standard/default schema. 
 
Do you see any security implications in having the same schema in the DMZ-type networks as that of the internal domain?  And if not, how do you manage updates and testing, etc?
 
I might have several single domain forests.  Internal ones, and several of these DMZ based domains.  It's not really a DMZ, but is a different network and is considered external to the internal domain(s).  This is for a number of interoperability apps, and no we can't use ADAM or equivalent.  We're using plenty of ADAM.
 
The main thing I'm interested in here is, as mentioned above, if you were happy to have a consistent schema, how do you maintain that?  Would you use a script to compare and export differences, etc.?
 
Or, would you recommend against having a standard schema?  I can't see why anyone would recommend against this unless there's a major security concern I've overlooked as it will greatly complicate future extensions, but I'm interested nonetheless.
 
Please assume a large enterprise environment that follows ITIL and has a proper test environment, e.g. ADAM -> VM -> Dev -> Pre-prod -> live.
 
Thanks,
 
 
--Paul
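
One way to do the "script to compare and export differences" asked about above, as an added example that is not from either poster: it assumes each forest's schema partition has been exported to LDIF text, and it matches definitions by lDAPDisplayName so that the differing forest DNs do not register as drift. The function names, sample DNs, attribute names and OIDs are constructed placeholders.

```python
import base64

# Properties that must match for two definitions to count as the same.
COMPARED = ("attributeID", "governsID", "attributeSyntax", "oMSyntax",
            "isSingleValued", "searchFlags", "subClassOf")

def parse_schema_ldif(text):
    """Return {lDAPDisplayName: {property: sorted values}} for schema objects."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # undo LDIF folding
    schema = {}
    for record in unfolded.split("\n\n"):
        entry = {}
        for line in record.splitlines():
            if ":" not in line or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(key, []).append(value.strip())
        kinds = entry.get("objectClass", [])
        if "attributeSchema" in kinds or "classSchema" in kinds:
            name = entry["lDAPDisplayName"][0]
            schema[name] = {p: sorted(entry[p]) for p in COMPARED if p in entry}
    return schema

def diff_schemas(baseline, other):
    """Report definitions missing from, extra in, or changed in `other`."""
    changed = {}
    for name in sorted(baseline.keys() & other.keys()):
        delta = {p: (baseline[name].get(p), other[name].get(p))
                 for p in COMPARED if baseline[name].get(p) != other[name].get(p)}
        if delta:
            changed[name] = delta
    return {"missing": sorted(baseline.keys() - other.keys()),
            "extra": sorted(other.keys() - baseline.keys()), "changed": changed}

# Constructed sample exports (placeholder names, DNs, OIDs); DMZ drops one, alters one.
INTERNAL = """dn: CN=acme-Badge-Id,CN=Schema,CN=Configuration,DC=corp,DC=example
objectClass: attributeSchema
lDAPDisplayName: acmeBadgeId
attributeID: 1.3.6.1.4.1.99999.1.1
isSingleValued: TRUE

dn: CN=acme-Cost-Centre,CN=Schema,CN=Configuration,DC=corp,DC=example
objectClass: attributeSchema
lDAPDisplayName: acmeCostCentre
attributeID: 1.3.6.1.4.1.99999.1.2
isSingleValued: TRUE"""
DMZ = INTERNAL.split("\n\n")[0].replace("isSingleValued: TRUE", "isSingleValued: FALSE")
```

Run with the internal forest as the baseline, the "missing" and "changed" results are the items to raise through change management before the next extension is promoted.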
 