RE: [ActiveDir] Handling different schemas - managing maintaining updates
The AD schema analyzer is quite useful for comparing schemas to find missing attributes and classes (and to export them to LDIF so as to allow an import to the target schema). Note however, that it doesn’t find differences at the level of properties you have set for your schema objects, for example it doesn’t find the difference in the searchFlags for an attribute that exists in both schemas. As such you need to know how close you want your schema to match and likely need to an exact compare either using custom scripts or LDIF dumps of the complete schema coupled with text-compare tools. In general I would want to question what your goal is – like Al I am assuming you want to make the schema more manageable. Basically a convenience so you don’t have to worry about managing and documenting the differences. That’s quite different from a technical necessity, where you may need to fully replicate all objects in your AD along with all attributes (except the ones managed by the system) – in this case, you may need to keep your schemas fully in sync. I would not much discuss the security with respect to the Schema classes and attributes stored in the different Forest schemas – I would not say that there is much of a risk in knowing you have XYZ attributes defined in either schema. The discussion is much more relevant as to which data do you plan to replicate between the two? Let’s assume you are storing sensitive data in one of your forests, for example, you may store the social security number of your employees in a company specific attribute called “MyCompany-Employee-SSN”, and you have even done everything to hide this data from normal read access (i.e. you’ve configured it as a confidential attribute). Do you want this data to be replicated to the other forests? If not, then I would also not suggest to add the special schema attribute to your other forests schema, since this way you hinder it from being synced by accident (not saying you couldn’t sync it elsewhere). If later there is a necessity to replicate the data across to the other forest(s) you could add a simple procedure in your ITIL processes that would ensure that the target schemas need to be updated appropriately prior to replicating the data. /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Thursday, September 14, 2006 3:29 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Handling different schemas - managing maintaining updates Yep, the schema analyzer would be a good tool to have hold of. I have to ask though: is the goal to make this mish-mosh manageable by making it all the same (i.e. cookie-cutter?) Or is there some other goal you're describing? I'm assuming that you want it to be the same across the enterprise to make it more manageable. Often this is done so that a central team to can control it and /or so that people can implement workable IdM systems. Realistically, such a system cannot be implemented without some known similarities so it makes sense. I don't see any particular security related issues with schema entries unless your schema gives away company secrets of some sort. It's just a holder for the most part, and it's the data/information that it contains that would be of value. Knowing that it may exist is of lesser value, but is a risk that must be addressed. ITIL? Nice to have. Of course the term, trust, but verify keeps ringing in my head but it's still nice to have such a process in use. Al On 9/13/06, Joe Kaplan [EMAIL PROTECTED] wrote: I like this advice as well.In terms of some of the nuts and bolts of how one might do this, as a software guy, I'm a huge proponent of source code control/configuration management systems and simple, text-based file formats for the stuff you stick in your source repository.As such,I believe LDIF files are the one true way to maintain your custom schema stuff. The ADSchemaAnalyzer (usually associated with ADAM) is probably a useful tool for doing a lot of the compare and extract work here. Joe K. - Original Message - From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Wednesday, September 13, 2006 8:37 AM Subject: RE: [ActiveDir] Handling different schemas - managing maintaining updates Without wishing to appear facetious :) - I would suggest if the company follows ITIL practices then they already have a change mgmt and config mgmt process and/or system which helps achieve your goal. As far as best practices are concerned, I would aim for a 'core' schema config which is present in all instances of ADAM or AD schemas but manage differences via the ITIL framework (mentioned above). neil List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org
RE: [ActiveDir] Handling different schemas - managing maintaining updates
"NOT SET","2.5.5.12","NOT SET","Account-Name-History","NOT SET","NOT SET","NOT SET","NOT SET","NOT SET","NOT SET","NOT SET","NOT SET","FALSE","accountNameHistory","NOT SET","NOT SET","NOT SET","NOT SET","top;attributeSchema","NOT SET","64","NOT SET","NOT SET","NOT SET","NOT SET","{031952EC-3B72-11D2-90CC-00C04FD91AB1}","0","TRUE","NOT SET","NOT SET","16","NOT SET","NOT SET","FALSE","NOT SET" for the curious, the -sc sdump shortcut simply combines the following switches Selected Switches -f (name=*) -oao NOT SET -po -replacedn _schema;_config -s one -sc sdump -schema -sort name Selected Attributes adminDescription adminDisplayName attributeID attributeSecurityGUID attributeSyntax auxiliaryClass cn defaultHidingValue defaultObjectCategory defaultSecurityDescriptor description extendedCharsAllowed governsID isDefunct isMemberOfPartialAttributeSet isSingleValued lDAPDisplayName linkID mAPIID mayContain mustContain objectClass objectClassCategory oMSyntax possSuperiors rangeLower rangeUpper rDNAttID schemaIDGUID searchFlags showInAdvancedViewOnly subClassOf systemAuxiliaryClass systemFlags systemMayContain systemMustContain systemOnly systemPossSuperiors http://www.minibite.com/oldies/mashed.htm As for the reason for all of this I think I would keep the schemas specific to their uses. If you end up putting the full schemas everywhere and you don't actually need the attributeswho is to say someone doesn't start using those unused attributes in some of the directories and thinking that is valid to do? You may not think you are in the business of protecting and maintaining those attributes and find out from some business application owner that you now actually are... If something is available and people can't get at it, expect them to use it at some point. I would have a validation LDAP instance somewhere owned by the overall Schema owners that has all of the attributes defined so that you know you don't have collisions etc when adding something new. Also if you do that, you can be aware of everything that is out there so you don't maybe duplicate something. I would then put in objects that represent the directories and slap in a custom FL/BL to link those objects to schema classes and attributes so you can quickly ascertain what attributes/classes are used in what directories and what directories use what classes and attributes. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, GuidoSent: Thursday, September 14, 2006 5:06 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Handling different schemas - managing maintaining updates The AD schema analyzer is quite useful for comparing schemas to find missing attributes and classes (and to export them to LDIF so as to allow an import to the target schema). Note however, that it doesnt find differences at the level of properties you have set for your schema objects, for example it doesnt find the difference in the searchFlags for an attribute that exists in both schemas. As such you need to know how close you want your schema to match and likely need to an exact compare either using custom scripts or LDIF dumps of the complete schema coupled with text-compare tools. In general I would want to question what your goal is like Al I am assuming you want to make the schema more manageable. Basically a convenience so you dont have to worry about managing and documenting the differences. Thats quite different from a technical necessity, where you may need to fully replicate all objects in your AD along with all attributes (except the ones managed by the system) in this case, you may need to keep your schemas fully in sync. I would not much discuss the security with respect to the Schema classes and attributes stored in the different Forest schemas I would not say that there is much of a risk in knowing you have XYZ attributes defined in either schema. The discussion is much more relevant as to which data do you plan to replicate between the two? Lets assume you are storing sensitive data in one of your forests, for example, you may store the social security number of your employees in a company specific attribute called MyCompany-Employee-SSN, and you have even done everything to hide this data from normal read access (i.e. youve configured it as a confidential attribute). Do you want this data to be replicated to the other forests? If not, then I would also not suggest to add the special schema attribute to your
RE: [ActiveDir] Handling different schemas - managing maintaining updates
Without wishing to appear facetious :)- I would suggest if the company follows ITIL practices then they already have a change mgmt and config mgmt process and/or system which helps achieve your goal. As far as best practices are concerned, I would aim for a 'core' schema config which is present in all instances of ADAM or AD schemas but manage differences via the ITIL framework (mentioned above). neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul WilliamsSent: 13 September 2006 10:39To: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Handling different schemas - managing maintaining updates I can't get too specific about the requirements, so please don't ask ;-) I'm looking for your ideas, opinions and experience on how you maintain different sets of schemas for different forests that you manage (for the same customer). Basically, consider this: you have an internal domain (single domain forest) and another (or several) single domain forest(s) in a DMZ. They might have Exchange and one or two other directory-enabled apps that extend the schema, and you have your own standard/default schema. Do you see any security implications in having the same schema in the DMZ-type networksas that of the internal domain? And if not, how do you manage updates and testing, etc? I might have several single domain forests. Internal ones, and serveral of these DMZ based domains. It's not really a DMZ, but is a different network and is considered external to the internal domain(s). This is for a number of interoperability apps, and no we can't use ADAM or equivalent. We're using plenty of ADAM. The main thing I'm intersted here is, as mentioned above, if you were happy to have a consistent schema, how do you maintain that? Would you use a script to compare and export differences, etc.? Or, would you recommend against having a standard schema? I can't see why anyone would recommend against this unless there's a major security concern I've overlooked as it will greatly complicate future extensions, but I'm interested nonetheless. Please assume a large enterprise environment that follows ITIL and has a proper test environment, e.g. ADAM - VM - Dev -Pre-prod -live. Thanks, --Paul PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
Re: [ActiveDir] Handling different schemas - managing maintaining updates
You know ITIL. It's all guidelines and advice, etc. It's not hands on processes for you (or if it is, I slept through all that). We obviously have a structured process for testing additions. My question is more around technically implementing such a process, with minimal intervention, around a whole bunch of schemas, i.e. would you look at implementing some sort of comparison and export, e.g. schema analyser from ADAM R2 or a bespoke script that achieves the same thing? Good to see you are thinking along the same lines as me with the default base, but are you suggesting different streams of schema if and when changes occur in different forests? I don't like that (at the moment, I might be persuaded otherwise). It will also cause considerable, additionaleffort in testing new extensions for more than one schema, as there'll be different objects in each. --Paul - Original Message - From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Wednesday, September 13, 2006 2:37 PM Subject: RE: [ActiveDir] Handling different schemas - managing maintaining updates Without wishing to appear facetious :)- I would suggest if the company follows ITIL practices then they already have a change mgmt and config mgmt process and/or system which helps achieve your goal. As far as best practices are concerned, I would aim for a 'core' schema config which is present in all instances of ADAM or AD schemas but manage differences via the ITIL framework (mentioned above). neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul WilliamsSent: 13 September 2006 10:39To: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Handling different schemas - managing maintaining updates I can't get too specific about the requirements, so please don't ask ;-) I'm looking for your ideas, opinions and experience on how you maintain different sets of schemas for different forests that you manage (for the same customer). Basically, consider this: you have an internal domain (single domain forest) and another (or several) single domain forest(s) in a DMZ. They might have Exchange and one or two other directory-enabled apps that extend the schema, and you have your own standard/default schema. Do you see any security implications in having the same schema in the DMZ-type networksas that of the internal domain? And if not, how do you manage updates and testing, etc? I might have several single domain forests. Internal ones, and serveral of these DMZ based domains. It's not really a DMZ, but is a different network and is considered external to the internal domain(s). This is for a number of interoperability apps, and no we can't use ADAM or equivalent. We're using plenty of ADAM. The main thing I'm intersted here is, as mentioned above, if you were happy to have a consistent schema, how do you maintain that? Would you use a script to compare and export differences, etc.? Or, would you recommend against having a standard schema? I can't see why anyone would recommend against this unless there's a major security concern I've overlooked as it will greatly complicate future extensions, but I'm interested nonetheless. Please assume a large enterprise environment that follows ITIL and has a proper test environment, e.g. ADAM - VM - Dev -Pre-prod -live. Thanks, --Paul PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London
Re: [ActiveDir] Handling different schemas - managing maintaining updates
I like this advice as well. In terms of some of the nuts and bolts of how one might do this, as a software guy, I'm a huge proponent of source code control/configuration management systems and simple, text-based file formats for the stuff you stick in your source repository. As such, I believe LDIF files are the one true way to maintain your custom schema stuff. The ADSchemaAnalyzer (usually associated with ADAM) is probably a useful tool for doing a lot of the compare and extract work here. Joe K. - Original Message - From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Wednesday, September 13, 2006 8:37 AM Subject: RE: [ActiveDir] Handling different schemas - managing maintaining updates Without wishing to appear facetious :) - I would suggest if the company follows ITIL practices then they already have a change mgmt and config mgmt process and/or system which helps achieve your goal. As far as best practices are concerned, I would aim for a 'core' schema config which is present in all instances of ADAM or AD schemas but manage differences via the ITIL framework (mentioned above). neil List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] Handling different schemas - managing maintaining updates
Yep, the schema analyzer would be a good tool to have hold of. I have to ask though: is the goal to make this mish-mosh manageable by making it all the same (i.e. cookie-cutter?) Or is there some other goal you're describing? I'm assuming that you want it to be the same across the enterprise to make it more manageable. Often this is done so that a central team to can control it and /or so that people can implement workable IdM systems. Realistically, such a system cannot be implemented without some known similarities so it makes sense. I don't see any particular security related issues with schema entries unless your schema gives away company secrets of some sort. It's just a holder for the most part, and it's the data/information that it contains that would be of value. Knowing that it may exist is of lesser value, but is a risk that must be addressed. ITIL? Nice to have. Of course the term, trust, but verify keeps ringing in my head but it's still nice to have such a process in use. AlOn 9/13/06, Joe Kaplan [EMAIL PROTECTED] wrote: I like this advice as well.In terms of some of the nuts and bolts of howone might do this, as a software guy, I'm a huge proponent of source codecontrol/configuration management systems and simple, text-based file formats for the stuff you stick in your source repository.As such,I believe LDIFfiles are the one true way to maintain your custom schema stuff.The ADSchemaAnalyzer (usually associated with ADAM) is probably a useful tool for doing a lot of the compare and extract work here.Joe K.- Original Message -From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.orgSent: Wednesday, September 13, 2006 8:37 AMSubject: RE: [ActiveDir] Handling different schemas - managing maintainingupdatesWithout wishing to appear facetious :) - I would suggest if the company follows ITIL practices then they already have a change mgmt and config mgmtprocess and/or system which helps achieve your goal.As far as best practices are concerned, I would aim for a 'core' schemaconfig which is present in all instances of ADAM or AD schemas but manage differences via the ITIL framework (mentioned above).neilList info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.activedir.org/ml/threads.aspx