Question on Active Directory Schema Expansion

Archived from groups: microsoft.public.win2000.active_directory

We are thinking of moving to a more secure authentication scheme using
fingerprint technology from digitalPersona. The digitalPersona
server-side product runs on each Active Directory server, and it requires an
Active Directory schema expansion. Unfortunately, to try out their demo
you must do this expansion, and if you reject the product the schema
expansion cannot be undone.

Is this something that should concern me, or are such schema expansions
likely to be harmless and have few unintended side-effects later?

--
Will

  1.

    Generally you're ok with stuff like this as they have thoroughly tested
    their extensions. If it is truly an extension and not a modification you
    should be OK.

    HOWEVER...

    I would strongly suggest doing this in a test environment. You never want
    to use your production systems as a test or as a tech Toyland.

    --
    Ryan Hanisco
    MCSE, MCDBA
    FlagShip Integration Services
    Chicago, IL

    "Will" <DELETE_westes@earthbroadcast.com> wrote in message
    news:OreHWMQTFHA.3188@TK2MSFTNGP09.phx.gbl...
    > We are thinking of moving to a more secure authentication scheme using
    > fingerprint technology from digitalPersona. The digitalPersona
    > server-side product runs on each Active Directory server, and it requires
    > an Active Directory schema expansion. Unfortunately, to try out their demo
    > you must do this expansion, and if you reject the product the schema
    > expansion cannot be undone.
    >
    > Is this something that should concern me, or are such schema expansions
    > likely to be harmless and have few unintended side-effects later?
    >
    > --
    > Will
    >
    >
    >
  2.

    You absolutely need to be concerned about schema updates. The newsgroups and
    corporations have lots of stories of people being screwed over by poor Schema
    extensions.

    You will want to check the schema updates for properly registered OIDs and
    LinkIDs and schema name prefixes, etc. If you want, post the LDIF file used for
    the extension to the newsgroup and people can look it over to see if they see
    something that could cause an issue now or later.

    At the very least, you should test the schema updates in test and QA environments.


    joe

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    www.joeware.net


    Will wrote:
    > We are thinking of moving to a more secure authentication scheme using
    > fingerprint technology from digitalPersona. The digitalPersona
    > server-side product runs on each Active Directory server, and it requires an
    > Active Directory schema expansion. Unfortunately, to try out their demo
    > you must do this expansion, and if you reject the product the schema
    > expansion cannot be undone.
    >
    > Is this something that should concern me, or are such schema expansions
    > likely to be harmless and have few unintended side-effects later?
    >
  3.

    Generally, it is recommended that you do an extension on a derivative class
    rather than doing this on one of the AD base classes. Talk with your vendor
    to see if this is an option.

    --
    Ryan Hanisco
    MCSE, MCDBA
    FlagShip Integration Services
    Chicago, IL

    "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
    news:eeu3NvSTFHA.2096@TK2MSFTNGP14.phx.gbl...
    > You absolutely need to be concerned about schema updates. The newsgroups
    > and corporations have lots of stories of people being screwed over by poor
    > Schema extensions.
    >
    > You will want to check the schema updates for properly registered OIDs and
    > LinkIDs and schema name prefixes, etc. If you want, post the LDIF file used
    > for the extension to the newsgroup and people can look it over to see if
    > they see something that could cause an issue now or later.
    >
    > At the very least, you should test the schema updates in test and QA
    > environments.
    >
    >
    > joe
    >
    > --
    > Joe Richards Microsoft MVP Windows Server Directory Services
    > www.joeware.net
    >
    >
    > Will wrote:
    >> We are thinking of moving to a more secure authentication scheme using
    >> fingerprint technology from digitalPersona. The digitalPersona
    >> server-side product runs on each Active Directory server, and it requires
    >> an Active Directory schema expansion. Unfortunately, to try out their demo
    >> you must do this expansion, and if you reject the product the schema
    >> expansion cannot be undone.
    >>
    >> Is this something that should concern me, or are such schema expansions
    >> likely to be harmless and have few unintended side-effects later?
    >>
  4.

    I am not sure I completely agree with that. There really isn't much harm in
    adding attributes to an existing base class or using aux classes and then
    dynamically (or if it applies to all objects of that class statically) adding
    the aux class to the base class.

    joe

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    www.joeware.net


    Ryan Hanisco wrote:
    > Generally, it is recommended that you do an extension on a derivative class
    > rather than doing this on one of the AD base classes. Talk with your vendor
    > to see if this is an option.
    >
  5.

    Hi Joe,

    I find it a lot safer to make a derivative of Users to something like
    Employees and then make changes to the derivative. At the very least, it may
    be a good way to test extensions before all objects are modified.

    You are right in that there aren't usually problems with this. It's just that
    I work in banking and Fortune 500 clients and they have surprisingly little
    sense of humor for problems, so it is best to be 100% sure of something
    before hitting production. Also, given the fact that the target audience is
    people who are learning about schema extensions or doing them for the first
    time, I wouldn't want to encourage extension of live objects if the
    alternative isn't specifically difficult.

    I hope that makes a bit of sense and better frames that response. You'll
    find support for that position in both the WROX and Microsoft ADSI books,
    although common practice may have changed in the last few years.


    --
    Ryan Hanisco
    MCSE, MCDBA
    FlagShip Integration Services
    Chicago, IL

    "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
    news:427BDA6F.5020301@hotmail.com...
    > I am not sure I completely agree with that. There really isn't much harm in
    > adding attributes to an existing base class or using aux classes and then
    > dynamically (or if it applies to all objects of that class statically)
    > adding the aux class to the base class.
    >
    > joe
    >
    > --
    > Joe Richards Microsoft MVP Windows Server Directory Services
    > www.joeware.net
    >
    >
    > Ryan Hanisco wrote:
    >> Generally, it is recommended that you do an extension on a derivative
    >> class rather than doing this on one of the AD base classes. Talk with
    >> your vendor to see if this is an option.
    >>
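
The review suggested in the thread (checking a vendor's LDIF for OIDs, linkIDs and name prefixes, and noticing when it changes an existing base class) can be partly automated before the file is imported into a test forest. The script below is an added example, not part of the original posts or any vendor's tooling; the `exco` prefix, the OID arc `1.3.6.1.4.1.99999` and the sample LDIF are constructed placeholders.

```python
import re
# Constructed sample, not a real vendor file; "exco" and arc 1.3.6.1.4.1.99999 are hypothetical.
SAMPLE_LDIF = """\
dn: CN=exco-Fingerprint-Data,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
lDAPDisplayName: excoFingerprintData
attributeID: 1.3.6.1.4.1.99999.1.1

dn: CN=Template-Owner,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
lDAPDisplayName: templateOwner
attributeID: 1.2.840.113556.1.4.7000001
linkID: 5000

dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: mayContain
mayContain: excoFingerprintData
-
"""

def parse_ldif(text):
    """Yield one dict of lower-cased attribute name -> [values] per LDIF record."""
    text = re.sub(r"\n ", "", text)               # unfold continuation lines
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, val = line.partition(":")
            if sep and not line.startswith("#"):
                rec.setdefault(key.strip().lower(), []).append(val.strip())
        yield rec

def review(text, prefix, oid_arc):
    findings = []
    for rec in parse_ldif(text):
        dn = rec["dn"][0]
        if rec.get("changetype") == ["modify"]:   # touches an existing class or attribute
            findings.append((dn, "modifies an existing schema object"))
            continue
        if not rec.get("ldapdisplayname", [""])[0].startswith(prefix):
            findings.append((dn, f"lDAPDisplayName lacks vendor prefix {prefix!r}"))
        for oid in rec.get("attributeid", []) + rec.get("governsid", []):
            if not oid.startswith(oid_arc + "."):  # OID not under the vendor's own arc
                findings.append((dn, f"OID {oid} is outside {oid_arc}"))
        for link in rec.get("linkid", []):         # linkIDs must be unique forest-wide
            findings.append((dn, f"hard-coded linkID {link}: confirm it is registered"))
    return findings
```

Calling `review(SAMPLE_LDIF, "exco", "1.3.6.1.4.1.99999")` returns a list of `(dn, finding)` pairs to raise with the vendor; an empty list only means these particular checks passed, not that the extension is safe.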