RE: [ActiveDir] Extending AD Schema
Don't know if you have access though ...

http://www.windowsitpro.com/Articles/Index.cfm?ArticleID=41666&DisplayTab=Article

March 2004 (Windows .NET Magazine): Deactivating Schema Extensions
Reasons for Deactivation

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, March 20, 2006 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Extending AD Schema

As others have indicated, there is no easy way to back out of a schema extension. The trick is to thoroughly test beforehand in a representative lab environment. There are some suggestions regarding this here:

http://www.activedir.org/article.aspx?aid=24#13

Tony

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
Sent: Tuesday, 21 March 2006 11:01 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Extending AD Schema

AD Guys and Gals,

Is there a way to back out of an AD Schema extension?

We have a project that requires AD Schema extension. The vendor has a tool that will make changes in AD schema automatically. However, we are a little conscious about it. Is it possible to export the current AD schema and then make the extension? Would it be possible to import it back again?

Can you guys/gals share your experience with schema extensions / updates?

Thanks,
Adeel

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Extending AD Schema
You can't easily recover a schema. If you make the changes to a single DC that is segregated from the rest so that it won't replicate, you can have a little safety in that you can rebuild that one or restore that one. But no, an auth restore of the schema is not possible (i.e. you can't roll back the schema with normal mechanisms).

If the vendor doesn't supply the changes, then I would beat them until they did. If that didn't work then I would recommend building a virtual single domain forest and then running the update and seeing what got changed in the schema. Use the ADSchemaAnalyzer from the R2 ADAM release to help out. Then look at the changes carefully, making sure that they used proper prefixes and OIDs and linkIDs, etc. If they aren't registered with MS, I would be extremely careful of what they are doing.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
Sent: Monday, March 20, 2006 6:01 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Extending AD Schema

AD Guys and Gals,

Is there a way to back out of an AD Schema extension?

We have a project that requires AD Schema extension. The vendor has a tool that will make changes in AD schema automatically. However, we are a little conscious about it. Is it possible to export the current AD schema and then make the extension? Would it be possible to import it back again?

Can you guys/gals share your experience with schema extensions / updates?

Thanks,
Adeel
[ActiveDir] Extending AD Schema
AD Guys and Gals,

Is there a way to back out of an AD Schema extension?

We have a project that requires AD Schema extension. The vendor has a tool that will make changes in AD schema automatically. However, we are a little conscious about it. Is it possible to export the current AD schema and then make the extension? Would it be possible to import it back again?

Can you guys/gals share your experience with schema extensions / updates?

Thanks,
Adeel
Re: [ActiveDir] Extending AD Schema
Adeel Ansari wrote:

> AD Guys and Gals,
>
> Is there a way to back out of an AD Schema extension?
>
> We have a project that requires AD Schema extension. The vendor has a tool that will make changes in AD schema automatically. However, we are a little conscious about it. Is it possible to export the current AD schema and then make the extension? Would it be possible to import it back again?

Hmm, can they provide you with documentation of these schema extensions - do they have proper OIDs assigned or are they using some self-produced OIDs? You should ask those questions before going any further, and you should check that their schema extension will not conflict with attributes and classes you have now and possibly in the future (OIDs).

You can't roll back a schema which was replicated in the forest without performing a schema recovery procedure. You can defunct some part of the schema:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/disabling_existing_classes_and_attributes.asp

> Can you guys/gals share your experience with schema extensions / updates?

Here is a bit of information which I've gathered in my blog post:

http://blogs.dirteam.com/blogs/tomek/archive/2006/02/09/exending_schema.aspx

There was also a discussion on this topic on ActiveDir.org not so long ago, so be sure to go and check the archive.

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
RE: [ActiveDir] Extending AD Schema
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
Sent: 20 March 2006 23:01
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Extending AD Schema

AD Guys and Gals,

Is there a way to back out of an AD Schema extension?

NO

We have a project that requires AD Schema extension. The vendor has a tool that will make changes in AD schema automatically. However, we are a little conscious about it. Is it possible to export the current AD schema and then make the extension?

No

Would it be possible to import it back again?

Can you guys/gals share your experience with schema extensions / updates?

You should ask the vendor how they assigned the Object IDs and if their extensions are registered with MS so that you don't get these duplicated.

Thanks,
Adeel
RE: [ActiveDir] Extending AD Schema
A couple years ago the Commvault sales guy said their product could back and restore just the schema. Never got into details though so who knows how realistic of a statement that was though. (eg you can always back out schema changes if you flatten the forest and start over ;-))

Steve Evans

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Monday, March 20, 2006 3:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Extending AD Schema

Adeel Ansari wrote:

> AD Guys and Gals,
>
> Is there a way to back out of an AD Schema extension?
>
> We have a project that requires AD Schema extension. The vendor has a tool that will make changes in AD schema automatically. However, we are a little conscious about it. Is it possible to export the current AD schema and then make the extension? Would it be possible to import it back again?

Hmm, can they provide you with documentation of these schema extensions - do they have proper OIDs assigned or are they using some self-produced OIDs? You should ask those questions before going any further, and you should check that their schema extension will not conflict with attributes and classes you have now and possibly in the future (OIDs).

You can't roll back a schema which was replicated in the forest without performing a schema recovery procedure. You can defunct some part of the schema:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/disabling_existing_classes_and_attributes.asp

> Can you guys/gals share your experience with schema extensions / updates?

Here is a bit of information which I've gathered in my blog post:

http://blogs.dirteam.com/blogs/tomek/archive/2006/02/09/exending_schema.aspx

There was also a discussion on this topic on ActiveDir.org not so long ago, so be sure to go and check the archive.

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
RE: [ActiveDir] Extending AD Schema
You should ask the vendor how they assigned the Object IDs and if their extensions are registered with MS so that you don't get these duplicated.

And of course you MUST test it in an isolated test environment to see what changes it makes.

Thanks,
Adeel
RE: [ActiveDir] Extending AD Schema
Apart from the stuff others have answered:

OIDs need to be registered for the company
A Prefix needs to be registered with MS
LinkIDs - if they exist - need to be taken from a range assigned by Microsoft
MapiIDs - if they use them you are on your own - you can't register these, but they also need to be unique.

For all those attributes there's no supported way of changing them afterwards. So make sure whatever is used is as unique as you are sure no other company ever would consider using the same ones.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
|Sent: Tuesday, March 21, 2006 12:01 AM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Extending AD Schema
|
|AD Guys and Gals,
|
|Is there a way to back out of an AD Schema extension?
|
|We have a project that requires AD Schema extension. The
|vendor has a tool that will make changes in AD schema
|automatically. However, we are a little conscious about it. Is
|it possible to export the current AD schema and then make the
|extension? Would it be possible to import it back again?
|
|Can you guys/gals share your experience with schema extensions
|/ updates?
|
|Thanks,
|Adeel
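The lab review described in this thread (joe's advice to run the vendor update in an isolated forest and inspect what changed, and Ulf's list of identifiers that must be unique) can be scripted against two LDIF exports of the schema partition taken before and after the update. The Python below is an added example, not code from any list member or vendor; the sample entries, the function names and the vendor OID arc 1.3.6.1.4.1.88888 are constructed assumptions.

```python
from collections import defaultdict

# attributeID and governsID share one OID space; linkID and mAPIID each have their own.
ID_SPACE = {"attributeID": "OID", "governsID": "OID", "linkID": "linkID", "mAPIID": "mAPIID"}

def parse_ldif(text):
    """Parse an LDIF export into {lowercased dn: {attr: [values]}} (base64 '::' values not decoded)."""
    lines = text.replace("\r\n", "\n").replace("\n ", "").splitlines()  # unfold continuations
    entries, cur = {}, defaultdict(list)
    for line in lines + [""]:                    # the trailing "" flushes the last record
        if line.strip() and not line.startswith("#"):
            key, _, value = line.partition(":")
            cur[key].append(value.strip())
        elif not line.strip() and "dn" in cur:
            entries[cur["dn"][0].lower()] = cur
            cur = defaultdict(list)
    return entries

def review_extension(before_ldif, after_ldif, vendor_arc):
    """Return (new_objects, findings) for schema objects that exist only in the 'after' export."""
    before, after = parse_ldif(before_ldif), parse_ldif(after_ldif)
    used = defaultdict(set)                      # identifiers already taken in the baseline
    for entry in before.values():
        for attr, space in ID_SPACE.items():
            used[space].update(entry.get(attr, []))
    new_objects, findings = [], []
    for dn, entry in after.items():
        if dn in before:
            continue
        name = entry.get("lDAPDisplayName", [dn])[0]
        new_objects.append(name)
        for attr, space in ID_SPACE.items():
            for value in entry.get(attr, []):
                if value in used[space]:
                    findings.append((name, attr, value, "already in use"))
                elif space == "OID" and not value.startswith(vendor_arc + "."):
                    findings.append((name, attr, value, "outside vendor OID arc"))
                used[space].add(value)
    return new_objects, findings

# Constructed lab exports, not real schema data; 1.3.6.1.4.1.88888 is a made-up vendor arc.
SUFFIX = ",CN=Schema,CN=Configuration,DC=lab,DC=test"
BEFORE = (f"dn: CN=Corp-Badge{SUFFIX}\nlDAPDisplayName: corpBadge\n"
          "attributeID: 1.3.6.1.4.1.99999.1.1\nlinkID: 5000\n")
AFTER = (BEFORE + f"\ndn: CN=Vendor-Owner{SUFFIX}\nlDAPDisplayName: vendorOwner\n"
         "attributeID: 1.3.6.1.4.1.88888.2.1\nlinkID: 5000\n"
         "\ndn: CN=Vendor-Tag,CN=Schema,\n CN=Configuration,DC=lab,DC=test\n"   # folded DN line
         "lDAPDisplayName: vendorTag\nattributeID: 1.2.3.4.5\n")
```

Calling `review_extension(BEFORE, AFTER, "1.3.6.1.4.1.88888")` on the constructed data lists both new attributes and flags the reused linkID and the OID outside the vendor's arc; an empty findings list is the precondition for taking the same update anywhere near production.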
Re: [ActiveDir] Extending AD Schema
Steve Evans wrote:

> A couple years ago the Commvault sales guy said their product could back and

Sales guy .. You said :)

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
RE: [ActiveDir] Extending AD Schema
As others have indicated, there is no easy way to back out of a schema extension. The trick is to thoroughly test beforehand in a representative lab environment. There are some suggestions regarding this here:

http://www.activedir.org/article.aspx?aid=24#13

Tony

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
Sent: Tuesday, 21 March 2006 11:01 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Extending AD Schema

AD Guys and Gals,

Is there a way to back out of an AD Schema extension?

We have a project that requires AD Schema extension. The vendor has a tool that will make changes in AD schema automatically. However, we are a little conscious about it. Is it possible to export the current AD schema and then make the extension? Would it be possible to import it back again?

Can you guys/gals share your experience with schema extensions / updates?

Thanks,
Adeel
[ActiveDir] Extending AD schema to comply with standard ACP 133
Does anyone know if this has been attempted? If so any info would be appreciated.

Gareth

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Extending AD schema to comply with standard ACP 133
What is ACP 133?

-Original Message-
From: [EMAIL PROTECTED] [mailto:gcorfield;btinternet.com]
Sent: Tuesday, November 05, 2002 9:57 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Extending AD schema to comply with standard ACP 133

Does anyone know if this has been attempted? If so any info would be appreciated.

Gareth
Re: [ActiveDir] Extending AD schema to comply with standard ACP 133
I don't think extending the schema would be so much of a problem as conformance to certain X.500 protocols. I believe ACP 133 requires conformance with DAP (not LDAP), DSP and other, more obscure, protocols such as DISP and DOP. Active Directory, while loosely based on the X.500 model, does not conform to all of the protocols.

Tony

-- Original Message --
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Tue, 5 Nov 2002 14:56:59 + (GMT)

Does anyone know if this has been attempted? If so any info would be appreciated.

Gareth
RE: [ActiveDir] Extending AD schema to comply with standard ACP 133
http://www.dtais.mod.uk/jsp600/lib-com/acp133/acp133.htm

-- Original Message --
From: Salandra, Justin A. [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Tue, 5 Nov 2002 10:06:42 -0500

What is ACP 133?

-Original Message-
From: [EMAIL PROTECTED] [mailto:gcorfield;btinternet.com]
Sent: Tuesday, November 05, 2002 9:57 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Extending AD schema to comply with standard ACP 133

Does anyone know if this has been attempted? If so any info would be appreciated.

Gareth