I see, thanks for the info, especially about not being able to delete
classes or properties. This actually makes using ADAM even more useful,
since there are apps that will no longer be used in a few years. Cool stuff,
all this.

Good point, I just checked, and only the administrator user is part of
the schema group; they don't have the administrator user or password, so
they probably aren't changing the schema at all.

Thanks for the info again.

Rezuma
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Monday, September 25, 2006 10:20 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]SUBDOMAIN AND LDAP

Ramon Linan wrote:
> You guys are amazing, in terms of AD knowledge, way out of league.
> Anyway, I was the one asking about this application, I have more 
> questions.
> 
> First I must say that I am waiting to hear from the vendor about 
> whether the app modifies the Schema or not, I got 2 emails from them, 
> one saying yes and the other saying no, it does not change it!!! :( I 
> am panicking already.
> 
> Here goes my question:
> We have 2 offices, only 4 people in the HQ are going to be using this 
> app, so if the app changes the schema of AD it would be better to use 
> ADAM, is this right? Especially because I don't know how good the 
> application is going to be about cleaning AD if we don't use it anymore.

If we are talking about "cleaning" as in "cleaning" the schema, this can't
be done - you can't remove classes or attributes from the schema, you can
only defunct them in Windows 2003.

> 
> The first vendor tech who replied to me said that the application 
> changes the schema, and he was saying that it has already changed the 
> schema in the subdomain, where all the current users for this 
> application are, is that possible? If I have domain.com and 
> child.domain.com, can I


You should really consider using their application as obviously they
don't have basic AD knowledge or they are missing some concepts. Schema
is common for all domains in the forest, so if you alter the schema
on the schema master, all domains in the forest will get these changes.
BTW, to alter the schema you have to have really high privileges, so:
1. Somebody let them do something with schema admin privileges
2. They don't know what they are talking about.


> change the schema of AD for a subdomain and not for the main domain?? 
> I thought it was only one LDAP for the whole forest? This does not 
> make sense considering the schema owner is the same for both child and
> main domain. Can I say to the vendor how wrong he is or are there 
> exceptions to that situation?

You should ask them:
1. If their application is extending the AD schema
2. If the answer to 1 is Yes: do they have their specific OID numbers
registered and are they unique?
3. They should present these changes to you as LDIFs and you should test
them in the lab.

> 
> Is there a tool I can use that will compare the out of the box schema 
> for windows 2003+exchange with the current schema? Or do I have to use
> adsiedit and try to figure out what is part of the app?

Schema Analyzer, which comes with ADAM SP1, can do this:
http://www.microsoft.com/downloads/details.aspx?FamilyId=9688F8B9-1034-4EF6-A3E5-2A2A57B5C8E4&displaylang=en

> I am still waiting to receive an answer about the way these dudes 
> authenticate, simple bind, secure bind, Kerberos, or whatever.



--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
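
A first-pass review of a vendor-supplied schema LDIF before it is loaded in a lab, along the lines of the questions in the reply above (an added example, not code from the thread or from any vendor). The sample LDIF, the `acme*` names and the OID arc 1.3.6.1.4.1.99999 are constructed; the script lists OIDs that repeat within the file or fall outside the arc the vendor says it has registered.

```python
# Constructed sample: vendor schema-extension LDIF; acme* names and OIDs are made up.
SAMPLE_LDIF = """\
dn: CN=acme-Badge-Id,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
lDAPDisplayName: acmeBadgeId
attributeID: 1.3.6.1.4.1.99999.1.1

dn: CN=acme-Cost-Center,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
lDAPDisplayName: acmeCostCenter
attributeID: 1.3.6.1.4.1.99999.1.1

dn: CN=acme-Person,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
lDAPDisplayName: acmePerson
governsID: 1.2.3.4.5
"""

OID_ATTR = {"attributeschema": "attributeid", "classschema": "governsid"}  # class -> OID attribute
def parse_ldif(text):
    """Return LDIF records as dicts of lower-cased attribute name -> list of values."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold continuation lines
    records = [{}]
    for line in text.split("\n"):
        if not line.strip():
            records.append({})                # blank line ends a record
        elif not line.startswith("#"):        # skip comments
            name, _, value = line.partition(":")
            records[-1].setdefault(name.strip().lower(), []).append(value.lstrip(": ").strip())
    return [r for r in records if r]

def review_schema_ldif(text, vendor_arc):
    """Return (lDAPDisplayName, OID, problem) for OIDs that repeat or sit outside vendor_arc."""
    seen, findings = {}, []
    for rec in parse_ldif(text):
        classes = {c.lower() for c in rec.get("objectclass", [])}
        oid_attr = next((a for c, a in OID_ATTR.items() if c in classes), None)
        if oid_attr is None:
            continue                          # not a schema object
        name, oid = rec.get("ldapdisplayname", ["?"])[0], rec.get(oid_attr, [""])[0]
        if not oid.startswith(vendor_arc + "."):
            findings.append((name, oid, "outside vendor arc"))
        if oid in seen:
            findings.append((name, oid, "duplicate of " + seen[oid]))
        seen.setdefault(oid, name)
    return findings
```

Calling `review_schema_ldif(SAMPLE_LDIF, "1.3.6.1.4.1.99999")` reports the reused attribute OID and the class OID that sits outside the stated arc. It checks uniqueness only within the file, not against the schema already in the forest.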