Question on Active Directory Schema Expansion

Archived from groups: microsoft.public.win2000.active_directory (More info?)

We are thinking of moving to a more secure authentication scheme using
fingerprint technology from digitalPersona. The digitalPersona
server-side product runs on each Active Directory server, and it requires an
Active Directory schema expansion. Unfortunately, to try out their demo
you must do this expansion, and if you reject the product the schema
expansion cannot be undone.

Is this something that should concern me, or are such schema expansions
likely to be harmless and have few unintended side-effects later?

--
Will

Generally you're ok with stuff like this as they have thoroughly tested
their extensions. If it is truly an extension and not a modification you
should be OK.

HOWEVER...

I would strongly suggest doing this in a test environment. You never want
to use your production systems as a test or as a tech Toyland.

--
Ryan Hanisco
MCSE, MCDBA
FlagShip Integration Services
Chicago, IL

"Will" <DELETE_westes@earthbroadcast.com> wrote in message
news:OreHWMQTFHA.3188@TK2MSFTNGP09.phx.gbl...
> We are thinking of moving to a more secure authentication scheme using
> fingerprint technology from digitalPersona. The digitalPersona
> server-side product runs on each Active Directory server, and it requires
> an
> Active Directory schema expansion. Unfortunately, to try out their demo
> you must do this expansion, and if you reject the product the schema
> expansion cannot be undone.
>
> Is this something that should concern me, or are such schema expansions
> likely to be harmless and have few unintended side-effects later?
>
> --
> Will
>
>
>

You absolutely need to be concerned about schema updates. The newsgroups and
corporations have lots of stories of people being screwed over by poor Schema
extensions.

You will want to check the schema updates for properly registered OIDs and
LinkIDs and schema name prefixes, etc. If you want, post the LDIF file used for
the extension to the newsgroup and people can look it over to see if they see
something that could cause an issue now or later.

At the very least, you should test the schema updates in test and QA environments.


joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Will wrote:
> We are thinking of moving to a more secure authentication scheme using
> fingerprint technology from digitalPersona. The digitalPersona
> server-side product runs on each Active Directory server, and it requires an
> Active Directory schema expansion. Unfortunately, to try out their demo
> you must do this expansion, and if you reject the product the schema
> expansion cannot be undone.
>
> Is this something that should concern me, or are such schema expansions
> likely to be harmless and have few unintended side-effects later?
>

Generally, it is recommended that you do an extension on a derivative class
rather than doing this on one of the AD base classes. Talk with your vendor
to see if this is an option.

--
Ryan Hanisco
MCSE, MCDBA
FlagShip Integration Services
Chicago, IL

"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:eeu3NvSTFHA.2096@TK2MSFTNGP14.phx.gbl...
> You absolutely need to be concerned about schema updates. The newsgroups
> and corporations have lots of stories of people being screwed over by poor
> Schema extensions.
>
> You will want to check the schema updates for properly registered OIDs and
> LinkIDs and schema name prefixes, etc. If you want, post the LDIF file used
> for the extension to the newsgroup and people can look it over to see if
> they see something that could cause an issue now or later.
>
> At the very least, you should test the schema updates in test and QA
> environments.
>
>
> joe
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> Will wrote:
>> We are thinking of moving to a more secure authentication scheme using
>> fingerprint technology from digitalPersona. The digitalPersona
>> server-side product runs on each Active Directory server, and it requires
>> an
>> Active Directory schema expansion. Unfortunately, to try out their demo
>> you must do this expansion, and if you reject the product the schema
>> expansion cannot be undone.
>>
>> Is this something that should concern me, or are such schema expansions
>> likely to be harmless and have few unintended side-effects later?
>>

I am not sure I completely agree with that. There really isn't much harm in
adding attributes to an existing base class or using aux classes and then
dynamically (or if it applies to all objects of that class statically) adding
the aux class to the base class.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Ryan Hanisco wrote:
> Generally, it is recommended that you do an extension on a derivative class
> rather than doing this on one of the AD base classes. Talk with your vendor
> to see if this is an option.
>
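As an added example (not code from the thread or from any vendor), a small Python lint that runs the checks Joe lists above over a schema-extension LDIF before it goes anywhere near a test forest: OIDs must sit under the vendor's registered arc rather than Microsoft's, lDAPDisplayName must carry a vendor prefix, and every forward linkID must have its back link. The constructed LDIF also shows the auxiliary-class approach from Joe's reply just above. The vendor arc (RFC 5612's documentation PEN), the prefix and the LDIF content are assumptions.

```python
# Added example, not from the thread or any vendor. Vendor arc, prefix and LDIF are constructed.
MS_ARC = "1.2.840.113556."         # Microsoft's OID arc; third parties must not mint OIDs here
VENDOR_ARC = "1.3.6.1.4.1.32473."  # assumed: the vendor's registered arc (RFC 5612 documentation PEN)
PREFIX = "exampleCo-"              # assumed: the vendor's lDAPDisplayName prefix

SAMPLE_LDIF = """\
dn: CN=exampleCo-BiometricTemplate,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName: exampleCo-biometricTemplate
attributeID: 1.3.6.1.4.1.32473.1.1

dn: CN=biometricEnrolledBy,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName: biometricEnrolledBy
attributeID: 1.2.840.113556.1.4.99001
linkID: 20000

dn: CN=exampleCo-BiometricUser,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: classSchema
lDAPDisplayName: exampleCo-biometricUser
governsID: 1.3.6.1.4.1.32473.2.1
objectClassCategory: 3
mayContain: exampleCo-biometricTemplate
"""

def parse_ldif(text):
    """Minimal LDIF reader: one {attr: [values]} dict per blank-line-separated entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")
            entry.setdefault(key.strip(), []).append(val.strip())
        entries.append(entry)
    return entries

def lint_schema(text):
    """Return one finding string per problem; an empty list means the LDIF passed."""
    findings, links = [], {}
    for e in parse_ldif(text):
        name = e.get("lDAPDisplayName", ["?"])[0]
        oid = (e.get("attributeID") or e.get("governsID") or [""])[0]
        if oid.startswith(MS_ARC):
            findings.append(f"{name}: OID {oid} is inside Microsoft's arc")
        elif not oid.startswith(VENDOR_ARC):
            findings.append(f"{name}: OID {oid!r} is not under the vendor's registered arc")
        if not name.startswith(PREFIX):
            findings.append(f"{name}: lDAPDisplayName lacks the vendor prefix {PREFIX}")
        links.update((int(l), name) for l in e.get("linkID", []))
    # A forward link (even linkID) needs its back link (the next odd number) in the same update.
    findings += [f"{n}: linkID {l} has no partner {l ^ 1}" for l, n in links.items() if (l ^ 1) not in links]
    return findings
```

Running `lint_schema(SAMPLE_LDIF)` flags only the second entry, on all three counts; the template attribute and the auxiliary class pass.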

Hi Joe,

I find it a lot safer to make a derivative of Users to something like
Employees and then make changes to the derivative. At the very least, it may
be a good way to test extensions before all objects are modified.

You are right in that there aren't usually problems with this. It's just that
I work in banking and Fortune 500 clients and they have surprisingly little
sense of humor for problems, so it is best to be 100% sure of something
before hitting production. Also, given the fact that the target audience is
people who are learning about schema extensions or doing them for the first
time, I wouldn't want to encourage extension of live objects if the
alternative isn't specifically difficult.

I hope that makes a bit of sense and better frames that response. You'll
find support for that position in both the WROX and Microsoft ADSI books,
although common practice may have changed in the last few years.


--
Ryan Hanisco
MCSE, MCDBA
FlagShip Integration Services
Chicago, IL

"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:427BDA6F.5020301@hotmail.com...
> I am not sure I completely agree with that. There really isn't much harm in
> adding attributes to an existing base class or using aux classes and then
> dynamically (or if it applies to all objects of that class statically)
> adding the aux class to the base class.
>
> joe
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> Ryan Hanisco wrote:
>> Generally, it is recommended that you do an extension on a derivative
>> class rather than doing this on one of the AD base classes. Talk with
>> your vendor to see if this is an option.
>>