Similarly, Intel executes a virtual forest schema expansion test procedure before going live with any schema change. However, I must counter Gil's comment regarding 'the cost of extending the schema is low' because our last 'minor' schema expansion in November 2002 was billed at 325 man hours (~$20,000). Apparently, we are following Mr. Grove's creed -- only the paranoid survive -- a little too near and dear to our hearts.
In addition, to the virtual forest schema expansion test procedure and cost of schema change, I do support Gil's recommendation regarding expand the schema versus using an existing attribute that will kinda, sorta work. Early in Windows 2000 deployment, Intel borrowed many existing attributes for kinda, sorta worker content that now makes no sense. For example, a worker's campus code is stored in "PO Box" which may make sense to the original architects of the Windows 2000 Active Directory Program Team, but the programmer who is making the switch from SQL to AD with ADSI has no clue without a detailed data dictionary. Believe me, I totally regret using kinda, sorta attributes and would rather make the man hour investment into expanding the schema from here on out. Good day! -alan -----Original Message----- From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 05, 2003 1:15 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Add attributes or use existing ExtensionAttribute s ? Hi David, My $.02, I would go ahead and extend the schema in all cases. There's too much risk of different applications attempting to use the extension attributes for different purposes. The cost of extending the schema is low, you just need to make sure that when you extend it that the extension is exactly what you want. Its imperative to test the extension in a test forest with the applications that use it before you extend the production forest. Having a couple of different people eyeball the change before you make it (schema review board or some such) is good too, but I think testing is the most important. Robbie Allen has some good perspective on schema extensions; he might be able to chime in on this. One thing they do at Cisco that is pretty cool is that they use VMWare to set up a small test forest, save the image files, extend the schema and test the apps, and if they need to redo the schema extension, they just revert to the saved VM images. Pretty painless. -gil -----Original Message----- From: Fugleberg, David A [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 05, 2003 1:37 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Add attributes or use existing ExtensionAttributes ? We've gotten by so far (2 years plus) without making any 'custom' schema changes to our forest - only changes have been due to E2K. We now have a need to store some company-specific user attributes (some codes regarding each person's place in the organization that are defined in our payroll system). These codes are also used by some areas besides payroll, because they are a useful way to determine which labor group the person is part of. As such, they are a known commodity across multiple business areas. There are no existing, unused attributes defined in the schema that neatly map to these values. I know I can just arbitrarily designate some of the built-in Extension Attributes to hold this data (ExtensionAttribute1, ExtensionAttribute2, etc.) and publish this fact to the developers that need to know. I could also extend the schema by creating new attributes, which I would assign to an auxiliary class and attach the auxiliary class to the User class. I know how to do this, and we do have a base OID assigned for our company. We built a schema modification policy as part of our migration to AD, but have never had to use it. My question is, what criteria do you folks use to determine whether to use an existing extension attribute versus creating your own custom attribute ? Dave List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
