Thanks Robbie, Gil, and Alan for your replies...I was leaning toward extending rather 
than 'shoehorning' for exactly those reasons.  Two more 'best practice' questions:

1. Generating a schemaIDGUID - I could use uuidgen.exe to create one, or I could just 
leave it blank and let the system create one in the test forest, then use that one in 
the LDIF file I use to extend the integration and production forests.  Is one approach 
preferred?  I doubt that we'll ever need to ship these extensions outside the 
company, but I want a consistent, repeatable process for any future extensions.

2. Is there any need to register our prefix and IANA-assigned OID with Microsoft if 
we're not planning to get the 'Certified for Windows 2000' logo for our apps?

Dave  

-----Original Message-----
From: Robbie Allen [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 06, 2003 10:06 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add attributes or use existing ExtensionAttributes ?


I agree that if given a choice, create your own schema extensions over
trying to shoe-horn existing ones.  Alan makes a good point about shared
schemas and how they can easily get you into trouble and make things more
confusing.

As far as the cost goes, there are a lot of variables.  If you are talking
about the price of simply extending the schema, at least at Cisco that is
pretty low.  Test them in a VMWare forest, test them in dev, and implement
in prod.  With prod the main issue is if you are indexing a lot of new
attributes or are adding to the partial attribute set (PAS) used for the
Global Catalog.  Either of those can generate a lot more work babysitting
your DCs depending on your environment (i.e. size of your DIT, number of
DCs, etc).  For us, the biggest cost is dealing with the application teams
and vendors.  Making sure their schema extensions are sound, trying to
understand their needs and determining how they will manage the data has
been much more expensive.

Robbie Allen

> -----Original Message-----
> From: Isham, Alan A [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, March 05, 2003 7:18 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Add attributes or use existing ExtensionAttributes ?
> 
> 
> Similarly, Intel executes a virtual forest schema expansion test
> procedure before going live with any schema change.  However, I must
> counter Gil's comment regarding 'the cost of extending the schema is
> low' because our last 'minor' schema expansion in November 2002 was
> billed at 325 man hours (~$20,000).  Apparently, we are following Mr.
> Grove's creed -- only the paranoid survive -- a little too near and dear
> to our hearts.
> 
> In addition, to the virtual forest schema expansion test procedure and
> cost of schema change, I do support Gil's recommendation regarding
> expand the schema versus using an existing attribute that will kinda,
> sorta work.  Early in Windows 2000 deployment, Intel borrowed many
> existing attributes for kinda, sorta worker content that now makes no
> sense.  For example, a worker's campus code is stored in "PO Box" which
> may make sense to the original architects of the Windows 2000 Active
> Directory Program Team, but the programmer who is making the switch from
> SQL to AD with ADSI has no clue without a detailed data dictionary.
> Believe me, I totally regret using kinda, sorta attributes and would
> rather make the man hour investment into expanding the schema from here
> on out.
> 
> Good day!
> -alan
> 
> -----Original Message-----
> From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, March 05, 2003 1:15 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Add attributes or use existing ExtensionAttributes ?
> 
> 
> Hi David,
> 
> My $.02, I would go ahead and extend the schema in all cases. There's too
> much risk of different applications attempting to use the extension
> attributes for different purposes. The cost of extending the schema is low,
> you just need to make sure that when you extend it that the extension is
> exactly what you want.
> 
> It's imperative to test the extension in a test forest with the applications
> that use it before you extend the production forest. Having a couple of
> different people eyeball the change before you make it (schema review board
> or some such) is good too, but I think testing is the most important.
> 
> Robbie Allen has some good perspective on schema extensions; he might be
> able to chime in on this. One thing they do at Cisco that is pretty cool is
> that they use VMWare to set up a small test forest, save the image files,
> extend the schema and test the apps, and if they need to redo the schema
> extension, they just revert to the saved VM images. Pretty painless.
> 
> -gil
> 
> -----Original Message-----
> From: Fugleberg, David A [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, March 05, 2003 1:37 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Add attributes or use existing ExtensionAttributes ?
> 
> 
> We've gotten by so far (2 years plus) without making any 'custom' schema
> changes to our forest - only changes have been due to E2K.
> 
> We now have a need to store some company-specific user attributes (some
> codes regarding each person's place in the organization that are defined in
> our payroll system).  These codes are also used by some areas besides
> payroll, because they are a useful way to determine which labor group the
> person is part of.  As such, they are a known commodity across multiple
> business areas.  There are no existing, unused attributes defined in the
> schema that neatly map to these values.
> 
> I know I can just arbitrarily designate some of the built-in Extension
> Attributes to hold this data (ExtensionAttribute1, ExtensionAttribute2,
> etc.) and publish this fact to the developers that need to know.  I could
> also extend the schema by creating new attributes, which I would assign to
> an auxiliary class and attach the auxiliary class to the User class.  I know
> how to do this, and we do have a base OID assigned for our company.  We
> built a schema modification policy as part of our migration to AD, but have
> never had to use it.
> 
> My question is, what criteria do you folks use to determine whether to use
> an existing extension attribute versus creating your own custom attribute?
> 
> Dave 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
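
On the first question in the top message (one schemaIDGUID carried through test, integration and production), the following is an added example, not part of the original thread. It pins a GUID in the LDIF and checks that two forests' LDIF carry the same value, which matters because object-specific ACEs reference an attribute by its schemaIDGUID. The attribute name, OID, GUID and forest DNs are constructed placeholders.

```python
import base64
import re
import uuid

# Constructed sample; in practice generate once (uuidgen / uuid.uuid4()) and record it.
PINNED_GUID = uuid.UUID("00112233-4455-6677-8899-aabbccddeeff")

def guid_to_ldif_b64(guid):
    # AD stores schemaIDGUID as 16 raw bytes in the Windows GUID layout:
    # the first three fields are little-endian, so use bytes_le, not bytes.
    return base64.b64encode(guid.bytes_le).decode("ascii")

def ldif_b64_to_guid(value):
    # Decode a value copied from an LDIF export back to its readable form.
    raw = base64.b64decode(value, validate=True)
    if len(raw) != 16:
        raise ValueError(f"schemaIDGUID must be 16 bytes, got {len(raw)}")
    return uuid.UUID(bytes_le=raw)

def attribute_ldif(cn, ldap_name, oid, guid, forest_root_dn):
    # Minimal single-valued Unicode-string attribute (2.5.5.12 / oMSyntax 64).
    return "\n".join([
        f"dn: CN={cn},CN=Schema,CN=Configuration,{forest_root_dn}",
        "changetype: add",
        "objectClass: attributeSchema",
        f"lDAPDisplayName: {ldap_name}",
        f"attributeID: {oid}",
        "attributeSyntax: 2.5.5.12",
        "oMSyntax: 64",
        "isSingleValued: TRUE",
        f"schemaIDGUID:: {guid_to_ldif_b64(guid)}",  # '::' marks base64
        "",
    ])

def schema_guids(ldif_text):
    # Map each entry's CN to its schemaIDGUID (assumes unfolded LDIF lines).
    found = {}
    for entry in re.split(r"\n\s*\n", ldif_text.strip()):
        dn = re.search(r"^dn: CN=([^,]+),", entry, re.M)
        guid = re.search(r"^schemaIDGUID:: (\S+)$", entry, re.M)
        if dn and guid:
            found[dn.group(1)] = ldif_b64_to_guid(guid.group(1))
    return found

if __name__ == "__main__":
    # Placeholder OID arc and forest DN; substitute the company's own.
    print(attribute_ldif("Example-Labor-Group-Code", "exampleLaborGroupCode",
                         "1.3.6.1.4.1.99999.1.1", PINNED_GUID, "DC=test,DC=example"))
```

Running `schema_guids` over an export from each forest and comparing the dictionaries confirms the extension landed with the same GUID everywhere.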