RE: [ActiveDir] Handling different schemas - managing maintaining updates
The AD schema analyzer is quite useful for comparing schemas to find missing attributes and classes (and to export them to LDIF so as to allow an import to the target schema). Note however, that it doesn’t find differences at the level of properties you have set for your schema objects, for example it doesn’t find the difference in the searchFlags for an attribute that exists in both schemas. As such you need to know how close you want your schema to match and likely need to an exact compare either using custom scripts or LDIF dumps of the complete schema coupled with text-compare tools. In general I would want to question what your goal is – like Al I am assuming you want to make the schema more manageable. Basically a convenience so you don’t have to worry about managing and documenting the differences. That’s quite different from a technical necessity, where you may need to fully replicate all objects in your AD along with all attributes (except the ones managed by the system) – in this case, you may need to keep your schemas fully in sync. I would not much discuss the security with respect to the Schema classes and attributes stored in the different Forest schemas – I would not say that there is much of a risk in knowing you have XYZ attributes defined in either schema. The discussion is much more relevant as to which data do you plan to replicate between the two? Let’s assume you are storing sensitive data in one of your forests, for example, you may store the social security number of your employees in a company specific attribute called “MyCompany-Employee-SSN”, and you have even done everything to hide this data from normal read access (i.e. you’ve configured it as a confidential attribute). Do you want this data to be replicated to the other forests? If not, then I would also not suggest to add the special schema attribute to your other forests schema, since this way you hinder it from being synced by accident (not saying you couldn’t sync it elsewhere). If later there is a necessity to replicate the data across to the other forest(s) you could add a simple procedure in your ITIL processes that would ensure that the target schemas need to be updated appropriately prior to replicating the data. /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Thursday, September 14, 2006 3:29 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Handling different schemas - managing maintaining updates Yep, the schema analyzer would be a good tool to have hold of. I have to ask though: is the goal to make this mish-mosh manageable by making it all the same (i.e. cookie-cutter?) Or is there some other goal you're describing? I'm assuming that you want it to be the same across the enterprise to make it more manageable. Often this is done so that a central team to can control it and /or so that people can implement workable IdM systems. Realistically, such a system cannot be implemented without some known similarities so it makes sense. I don't see any particular security related issues with schema entries unless your schema gives away company secrets of some sort. It's just a holder for the most part, and it's the data/information that it contains that would be of value. Knowing that it may exist is of lesser value, but is a risk that must be addressed. ITIL? Nice to have. Of course the term, trust, but verify keeps ringing in my head but it's still nice to have such a process in use. Al On 9/13/06, Joe Kaplan [EMAIL PROTECTED] wrote: I like this advice as well.In terms of some of the nuts and bolts of how one might do this, as a software guy, I'm a huge proponent of source code control/configuration management systems and simple, text-based file formats for the stuff you stick in your source repository.As such,I believe LDIF files are the one true way to maintain your custom schema stuff. The ADSchemaAnalyzer (usually associated with ADAM) is probably a useful tool for doing a lot of the compare and extract work here. Joe K. - Original Message - From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Wednesday, September 13, 2006 8:37 AM Subject: RE: [ActiveDir] Handling different schemas - managing maintaining updates Without wishing to appear facetious :) - I would suggest if the company follows ITIL practices then they already have a change mgmt and config mgmt process and/or system which helps achieve your goal. As far as best practices are concerned, I would aim for a 'core' schema config which is present in all instances of ADAM or AD schemas but manage differences via the ITIL framework (mentioned above). neil List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org
RE: [ActiveDir] Handling different schemas - managing maintaining updates
"NOT
SET","2.5.5.12","NOT SET","Account-Name-History","NOT
SET","NOT SET","NOT SET","NOT SET","NOT
SET","NOT SET","NOT SET","NOT
SET","FALSE","accountNameHistory","NOT SET","NOT
SET","NOT SET","NOT SET","top;attributeSchema","NOT
SET","64","NOT SET","NOT SET","NOT SET","NOT
SET","{031952EC-3B72-11D2-90CC-00C04FD91AB1}","0","TRUE","NOT
SET","NOT SET","16","NOT SET","NOT
SET","FALSE","NOT SET"
for
the curious, the -sc sdump shortcut simply combines the following
switches
Selected Switches -f
(name=*) -oao NOT SET
-po -replacedn _schema;_config -s
one -sc sdump
-schema -sort name
Selected Attributes
adminDescription adminDisplayName
attributeID attributeSecurityGUID
attributeSyntax auxiliaryClass
cn defaultHidingValue
defaultObjectCategory
defaultSecurityDescriptor
description extendedCharsAllowed
governsID isDefunct
isMemberOfPartialAttributeSet
isSingleValued lDAPDisplayName
linkID mAPIID
mayContain mustContain
objectClass objectClassCategory
oMSyntax possSuperiors
rangeLower rangeUpper
rDNAttID schemaIDGUID
searchFlags showInAdvancedViewOnly
subClassOf systemAuxiliaryClass
systemFlags systemMayContain
systemMustContain systemOnly
systemPossSuperiors
http://www.minibite.com/oldies/mashed.htm
As for
the reason for all of this
I
think I would keep the schemas specific to their uses. If you end up putting the
full schemas everywhere and you don't actually need the attributeswho is
to say someone doesn't start using those unused attributes in some of the
directories and thinking that is valid to do? You may not think you are in the
business of protecting and maintaining those attributes and find out from some
business application owner that you now actually are... If something is
available and people can't get at it, expect them to use it at some point.
I
would have a validation LDAP instance somewhere owned by the overall Schema
owners that has all of the attributes defined so that you know you don't have
collisions etc when adding something new. Also if you do that, you can be aware
of everything that is out there so you don't maybe duplicate something. I would
then put in objects that represent the directories and slap in a custom FL/BL to
link those objects to schema classes and attributes so you can quickly ascertain
what attributes/classes are used in what directories and what directories use
what classes and attributes.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
GuidoSent: Thursday, September 14, 2006 5:06 AMTo:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Handling
different schemas - managing maintaining updates
The
AD schema analyzer is quite useful for comparing schemas to find missing
attributes and classes (and to export them to LDIF so as to allow an import to
the target schema). Note however, that it doesnt find differences at the
level of properties you have set for your schema objects, for example it doesnt
find the difference in the searchFlags for an attribute that exists in both
schemas.
As
such you need to know how close you want your schema to match and likely need to
an exact compare either using custom scripts or LDIF dumps of the complete
schema coupled with text-compare tools.
In
general I would want to question what your goal is like Al I am assuming you
want to make the schema more manageable. Basically a convenience so you dont
have to worry about managing and documenting the differences. Thats quite
different from a technical necessity, where you may need to fully replicate all
objects in your AD along with all attributes (except the ones managed by the
system) in this case, you may need to keep your schemas fully in
sync.
I
would not much discuss the security with respect to the Schema classes and
attributes stored in the different Forest schemas I would not say that there
is much of a risk in knowing you have XYZ attributes defined in either schema.
The discussion is much more relevant as to which data do you plan to replicate
between the two? Lets assume you are storing sensitive data in one of
your forests, for example, you may store the social security number of your
employees in a company specific attribute called MyCompany-Employee-SSN, and
you have even done everything to hide this data from normal read access (i.e.
youve configured it as a confidential attribute). Do you want this data
to be replicated to the other forests? If not, then I would also not
suggest to add the special schema attribute to your
RE: [ActiveDir] Handling different schemas - managing maintaining updates
Without wishing to appear facetious :)- I would
suggest if the company follows ITIL practices then they already have a change
mgmt and config mgmt process and/or system which helps achieve your
goal.
As far
as best practices are concerned, I would aim for a 'core' schema config which is
present in all instances of ADAM or AD schemas but manage differences via the
ITIL framework (mentioned above).
neil
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul
WilliamsSent: 13 September 2006 10:39To:
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Handling different
schemas - managing maintaining updates
I can't get too specific about the
requirements, so please don't ask ;-)
I'm looking for your ideas, opinions and
experience on how you maintain different sets of schemas for different forests
that you manage (for the same customer).
Basically, consider this: you have an
internal domain (single domain forest) and another (or several) single domain
forest(s) in a DMZ. They might have Exchange and one or two other
directory-enabled apps that extend the schema, and you have your own
standard/default schema.
Do you see any security implications in
having the same schema in the DMZ-type networksas that of the internal
domain? And if not, how do you manage updates and
testing, etc?
I might have several single domain
forests. Internal ones, and serveral of these DMZ based domains.
It's not really a DMZ, but is a different network and is considered external to
the internal domain(s). This is for a number of interoperability apps, and
no we can't use ADAM or equivalent. We're using plenty of
ADAM.
The main thing I'm intersted here is, as
mentioned above, if you were happy to have a consistent schema, how do you
maintain that? Would you use a script to compare and export differences,
etc.?
Or, would you recommend against having a
standard schema? I can't see why anyone would recommend against this
unless there's a major security concern I've overlooked as it will greatly
complicate future extensions, but I'm interested nonetheless.
Please assume a large enterprise
environment that follows ITIL and has a proper test environment, e.g. ADAM -
VM - Dev -Pre-prod -live.
Thanks,
--Paul
PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments. NIplc
does not provide investment services to private customers. Authorised and
regulated by the Financial Services Authority. Registered in England
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP. A member of the Nomura group of companies.
Re: [ActiveDir] Handling different schemas - managing maintaining updates
You know ITIL. It's all guidelines
and advice, etc. It's not hands on processes for you (or if it is, I slept
through all that).
We obviously have a structured process for
testing additions. My question is more around technically implementing
such a process, with minimal intervention, around a whole bunch of schemas, i.e.
would you look at implementing some sort of comparison and export, e.g. schema
analyser from ADAM R2 or a bespoke script that achieves the same
thing?
Good to see you are thinking along the
same lines as me with the default base, but are you suggesting different streams
of schema if and when changes occur in different forests? I don't like
that (at the moment, I might be persuaded otherwise). It will also cause
considerable, additionaleffort in testing new extensions for more than one
schema, as there'll be different objects in each.
--Paul
- Original Message -
From:
[EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, September 13, 2006 2:37
PM
Subject: RE: [ActiveDir] Handling
different schemas - managing maintaining updates
Without wishing to appear facetious :)- I would
suggest if the company follows ITIL practices then they already have a change
mgmt and config mgmt process and/or system which helps achieve your
goal.
As
far as best practices are concerned, I would aim for a 'core' schema config
which is present in all instances of ADAM or AD schemas but manage differences
via the ITIL framework (mentioned above).
neil
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul
WilliamsSent: 13 September 2006 10:39To:
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Handling different
schemas - managing maintaining updates
I can't get too specific about the
requirements, so please don't ask ;-)
I'm looking for your ideas, opinions and
experience on how you maintain different sets of schemas for different forests
that you manage (for the same customer).
Basically, consider this: you have an
internal domain (single domain forest) and another (or several) single domain
forest(s) in a DMZ. They might have Exchange and one or two other
directory-enabled apps that extend the schema, and you have your own
standard/default schema.
Do you see any security implications in
having the same schema in the DMZ-type networksas that of the internal
domain? And if not, how do you manage updates and
testing, etc?
I might have several single domain
forests. Internal ones, and serveral of these DMZ based domains.
It's not really a DMZ, but is a different network and is considered external
to the internal domain(s). This is for a number of interoperability
apps, and no we can't use ADAM or equivalent. We're using plenty of
ADAM.
The main thing I'm intersted here is, as
mentioned above, if you were happy to have a consistent schema, how do you
maintain that? Would you use a script to compare and export differences,
etc.?
Or, would you recommend against having a
standard schema? I can't see why anyone would recommend against this
unless there's a major security concern I've overlooked as it will greatly
complicate future extensions, but I'm interested nonetheless.
Please assume a large enterprise
environment that follows ITIL and has a proper test environment, e.g. ADAM
- VM - Dev -Pre-prod -live.
Thanks,
--Paul
PLEASE READ: The
information contained in this email is confidential and
intended for the
named recipient(s) only. If you are not an intended
recipient of this
email please notify the sender immediately and delete your
copy from your
system. You must not copy, distribute or take any further
action in reliance
on it. Email is not a secure method of communication and
Nomura
International plc ('NIplc') will not, to the extent permitted by law,
accept
responsibility or liability for (a) the accuracy or completeness of,
or (b) the
presence of any virus, worm or similar malicious or disabling
code in, this
message or any attachment(s) to it. If verification of this
email is sought
then please request a hard copy. Unless otherwise stated
this email: (1) is
not, and should not be treated or relied upon as,
investment
research; (2) contains views or opinions that are solely those of
the author and do
not necessarily represent those of NIplc; (3) is intended
for informational
purposes only and is not a recommendation, solicitation or
offer to buy or
sell securities or related financial instruments. NIplc
does not provide
investment services to private customers. Authorised and
regulated by the
Financial Services Authority. Registered in England
no. 1550505 VAT
No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,
London
Re: [ActiveDir] Handling different schemas - managing maintaining updates
I like this advice as well. In terms of some of the nuts and bolts of how one might do this, as a software guy, I'm a huge proponent of source code control/configuration management systems and simple, text-based file formats for the stuff you stick in your source repository. As such, I believe LDIF files are the one true way to maintain your custom schema stuff. The ADSchemaAnalyzer (usually associated with ADAM) is probably a useful tool for doing a lot of the compare and extract work here. Joe K. - Original Message - From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Wednesday, September 13, 2006 8:37 AM Subject: RE: [ActiveDir] Handling different schemas - managing maintaining updates Without wishing to appear facetious :) - I would suggest if the company follows ITIL practices then they already have a change mgmt and config mgmt process and/or system which helps achieve your goal. As far as best practices are concerned, I would aim for a 'core' schema config which is present in all instances of ADAM or AD schemas but manage differences via the ITIL framework (mentioned above). neil List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] Handling different schemas - managing maintaining updates
Yep, the schema analyzer would be a good tool to have hold of. I have to ask though: is the goal to make this mish-mosh manageable by making it all the same (i.e. cookie-cutter?) Or is there some other goal you're describing? I'm assuming that you want it to be the same across the enterprise to make it more manageable. Often this is done so that a central team to can control it and /or so that people can implement workable IdM systems. Realistically, such a system cannot be implemented without some known similarities so it makes sense. I don't see any particular security related issues with schema entries unless your schema gives away company secrets of some sort. It's just a holder for the most part, and it's the data/information that it contains that would be of value. Knowing that it may exist is of lesser value, but is a risk that must be addressed. ITIL? Nice to have. Of course the term, trust, but verify keeps ringing in my head but it's still nice to have such a process in use. AlOn 9/13/06, Joe Kaplan [EMAIL PROTECTED] wrote: I like this advice as well.In terms of some of the nuts and bolts of howone might do this, as a software guy, I'm a huge proponent of source codecontrol/configuration management systems and simple, text-based file formats for the stuff you stick in your source repository.As such,I believe LDIFfiles are the one true way to maintain your custom schema stuff.The ADSchemaAnalyzer (usually associated with ADAM) is probably a useful tool for doing a lot of the compare and extract work here.Joe K.- Original Message -From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.orgSent: Wednesday, September 13, 2006 8:37 AMSubject: RE: [ActiveDir] Handling different schemas - managing maintainingupdatesWithout wishing to appear facetious :) - I would suggest if the company follows ITIL practices then they already have a change mgmt and config mgmtprocess and/or system which helps achieve your goal.As far as best practices are concerned, I would aim for a 'core' schemaconfig which is present in all instances of ADAM or AD schemas but manage differences via the ITIL framework (mentioned above).neilList info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.activedir.org/ml/threads.aspx
