The AD schema analyzer is quite useful for comparing schemas to find missing attributes and classes (and to export them to LDIF so as to allow an import to the target schema).  Note, however, that it doesn't find differences at the level of properties you have set for your schema objects; for example, it doesn't find the difference in the searchFlags for an attribute that exists in both schemas.


As such, you need to know how closely you want your schemas to match and will likely need to do an exact compare, either using custom scripts or LDIF dumps of the complete schema coupled with text-compare tools.


In general I would want to question what your goal is. Like Al, I am assuming you want to make the schema more manageable: basically a convenience so you don't have to worry about managing and documenting the differences.  That's quite different from a technical necessity, where you may need to fully replicate all objects in your AD along with all attributes (except the ones managed by the system); in this case, you may need to keep your schemas fully in sync.


I would not discuss security much with respect to the schema classes and attributes stored in the different forest schemas; I would not say that there is much of a risk in knowing you have XYZ attributes defined in either schema. The discussion is much more relevant as to which data you plan to replicate between the two. Let's assume you are storing sensitive data in one of your forests; for example, you may store the social security number of your employees in a company-specific attribute called "MyCompany-Employee-SSN", and you have even done everything to hide this data from normal read access (i.e. you've configured it as a confidential attribute).  Do you want this data to be replicated to the other forests?  If not, then I would also not suggest adding the special schema attribute to your other forests' schema, since this way you hinder it from being synced by accident (not saying you couldn't sync it elsewhere).


If later there is a necessity to replicate the data across to the other forest(s) you could add a simple procedure in your ITIL processes that would ensure that the target schemas need to be updated appropriately prior to replicating the data.


/Guido
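The "exact compare" of complete LDIF dumps with a custom script that Guido describes above, as an added example (editor's code, not from anyone in this thread): it parses two schema LDIF dumps, lines objects up by RDN so the per-forest DN suffix does not matter, diffs every attribute that is not system-maintained (so a searchFlags mismatch is caught, which the analyzer misses), flags objects missing from the target that are confidential in the source, and emits an LDIF modify record for a mismatch. The LDIF text is constructed for the example; the forest names, OIDs, the attribute names MyCompany-Employee-SSN and MyCompany-Cost-Center, and the IGNORED attribute list are placeholders and assumptions.

```python
"""Attribute-level diff of two AD/ADAM schema LDIF dumps (editor's example, not
code from the thread). The LDIF is constructed: forest names, OIDs and the two
MyCompany-* attributes are placeholders."""
import base64
import re

# Not compared: the DN suffix differs per forest, the rest is system-maintained.
# Assumption: extend this list to match what your own forests manage.
IGNORED = {"dn", "objectGUID", "schemaIDGUID", "uSNCreated", "uSNChanged",
           "whenCreated", "whenChanged", "instanceType", "dSCorePropagationData"}
CONFIDENTIAL = 0x80  # searchFlags bit 7 marks a confidential attribute

SOURCE_LDIF = """\
dn: CN=MyCompany-Employee-SSN,CN=Schema,CN=Configuration,DC=corp,DC=example
objectClass: attributeSchema
lDAPDisplayName: myCompany-Employee-SSN
attributeID: 1.2.840.113556.1.8000.2554.1
attributeSyntax: 2.5.5.12
searchFlags: 128
whenChanged: 20060913083700.0Z

dn: CN=MyCompany-Cost-Center,CN=Schema,CN=Configuration,DC=corp,DC=example
objectClass: attributeSchema
lDAPDisplayName: myCompany-Cost-Center
attributeID: 1.2.840.113556.1.8000.2554.2
attributeSyntax: 2.5.5.12
searchFlags: 1
adminDescription:: Q29zdCBjZW50ZXIgY29kZQ==
whenChanged: 20060913083700.0Z
"""
# Other forest: same Cost-Center attribute, but searchFlags was set to 129 there
# (indexed + confidential), and the description is a folded LDIF line.
TARGET_LDIF = """\
dn: CN=MyCompany-Cost-Center,CN=Schema,CN=Configuration,DC=other,DC=example
objectClass: attributeSchema
lDAPDisplayName: myCompany-Cost-Center
attributeID: 1.2.840.113556.1.8000.2554.2
attributeSyntax: 2.5.5.12
searchFlags: 129
adminDescription: Cost center
  code
whenChanged: 20060914032900.0Z
"""


def parse_ldif(text):
    """Return {rdn: {attr: [values]}}; unfolds continuation lines, decodes base64."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith("#"):
                continue
            if raw.startswith(" ") and lines:  # folded continuation line
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        attrs = {}
        for line in lines:
            name, sep, value = line.partition(":")
            if not sep:
                continue
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            attrs.setdefault(name, []).append(value.strip())
        # Key on the RDN so the same object lines up across different forests.
        entries[attrs["dn"][0].split(",CN=Schema,", 1)[0]] = attrs
    return entries


def is_confidential(entry):
    return bool(int(entry.get("searchFlags", ["0"])[0]) & CONFIDENTIAL)


def compare_schemas(source, target):
    """Return (rdns missing in target, {rdn: {attr: (source values, target values)}})."""
    missing = sorted(rdn for rdn in source if rdn not in target)
    changed = {}
    for rdn in source.keys() & target.keys():
        for attr in sorted((source[rdn].keys() | target[rdn].keys()) - IGNORED):
            s, t = sorted(source[rdn].get(attr, [])), sorted(target[rdn].get(attr, []))
            if s != t:
                changed.setdefault(rdn, {})[attr] = (s, t)
    return missing, changed


def modify_ldif(dn, attr, values):
    """LDIF change record that sets attr on dn to the given values."""
    body = "\n".join(f"{attr}: {v}" for v in values)
    return f"dn: {dn}\nchangetype: modify\nreplace: {attr}\n{body}\n-\n"


def report(source_text=SOURCE_LDIF, target_text=TARGET_LDIF):
    src, tgt = parse_ldif(source_text), parse_ldif(target_text)
    missing, changed = compare_schemas(src, tgt)
    for rdn in missing:
        note = " [confidential in source: add only if that data is meant to sync]" \
            if is_confidential(src[rdn]) else ""
        print(f"missing in target: {rdn}{note}")
    for rdn, diffs in changed.items():
        for attr, (s, t) in diffs.items():
            print(f"differs: {rdn} {attr} source={s} target={t}")
            print(modify_ldif(tgt[rdn]["dn"][0], attr, s), end="")
    return missing, changed


if __name__ == "__main__":
    report()
```

For real forests, feed report() the output of ldifde -f schema.ldf -d "CN=Schema,CN=Configuration,DC=corp,DC=example" from each side; the sample run reports the SSN attribute as missing and confidential (so you can decide deliberately not to add it) and the Cost-Center searchFlags mismatch with a ready-to-review modify record. Review that record before importing it: in this sample it would clear the confidential bit in the target, which is exactly the kind of change a change-management step should approve.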


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Thursday, September 14, 2006 3:29 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Handling different schemas - managing & maintaining updates


Yep, the schema analyzer would be a good tool to have hold of.

I have to ask though: is the goal to make this mish-mosh manageable by making it all the same (i.e. cookie-cutter?)
Or is there some other goal you're describing?

I'm assuming that you want it to be the same across the enterprise to make it more manageable. Often this is done so that a central team can control it and/or so that people can implement workable IdM systems.  Realistically, such a system cannot be implemented without some known similarities, so it makes sense.

I don't see any particular security related issues with schema entries unless your schema gives away company secrets of some sort. It's just a holder for the most part, and it's the data/information that it contains that would be of value. Knowing that it may exist is of lesser value, but is a risk that must be addressed.

ITIL? Nice to have. Of course the term, "trust, but verify" keeps ringing in my head but it's still nice to have such a process in use.

Al

On 9/13/06, Joe Kaplan <[EMAIL PROTECTED]> wrote:

I like this advice as well.  In terms of some of the nuts and bolts of how
one might do this, as a software guy, I'm a huge proponent of source code
control/configuration management systems and simple, text-based file formats
for the stuff you stick in your source repository.  As such,  I believe LDIF
files are the "one true way" to maintain your custom schema stuff.

The ADSchemaAnalyzer (usually associated with ADAM) is probably a useful
tool for doing a lot of the compare and extract work here.

Joe K.

----- Original Message -----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, September 13, 2006 8:37 AM
Subject: RE: [ActiveDir] Handling different schemas - managing & maintaining updates


Without wishing to appear facetious :) - I would suggest if the company
follows ITIL practices then they already have a change mgmt and config mgmt
process and/or system which helps achieve your goal.

As far as best practices are concerned, I would aim for a 'core' schema
config which is present in all instances of ADAM or AD schemas but manage
differences via the ITIL framework (mentioned above).

neil


