Hey Chuck,

Having been down this road several times, both with eDir/NDS apps and AD apps, I can say positively that the service should not try to modify the schema itself. The schema extension can be provided as an optional part of the install process, but it also must be provided as an LDIF script.

Most well-run IT shops have a structured process for making enterprise-scope changes to AD such as schema extensions. A schema change usually requires technical review (which includes inspecting the LDIF script) and testing in a lab alongside the company's other applications, and then controlled and monitored deployment. Schema admin rights are frequently not granted to anyone (the Schema Admins group exists but has no members until a change actually needs to be made). No one will be willing to grant a service schema admin rights.... It's just too risky.

-gil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chuck Chopp
Sent: Friday, September 23, 2005 7:30 AM
To: [email protected]
Subject: [ActiveDir] Applications that extend the schema...

Given the # of variations that may exist in AD deployments, anywhere from a small business with a single forest/tree/domain all the way up to a large enterprise with multiple forests each containing multiple trees with each tree having numerous domains, there may be many differences of opinion on the part of administrators regarding schema extensions and applications that create them.

I'm interested in hearing those opinions in regards to an enterprise type of resource provisioning application that will run primarily as a service under a specific domain account, with the caveat that the application does require some schema extensions in order to run properly. In particular, the question pertains to whether or not the main application should attempt to perform the schema extension work when it detects that they are not present, and if so, should it want/need to do so under its own set of credentials used to perform the service logon by the service control manager when the service is started, or should the application's UI request an elevated set of credentials in order to perform the schema extension.

Alternatively, should the schema extension be performed using an additional program provided with the application so that it would be relatively easy for an administrator to log on, run the schema extension tool, and then be done with their part so that the application's "owner" could continue with the installation & configuration of the application.

I'm familiar with many of the issues in terms of Novell's eDirectory, but with AD there may be some other concerns due to differences in the two directory services and how they are implemented. It's the AD-specific concerns that interest me.

TIA,
Chuck

--
Chuck Chopp
ChuckChopp (at) rtfmcsi (dot) com
http://www.rtfmcsi.com
RTFM Consulting Services Inc.
864 801 2795 voice & voicemail
103 Autumn Hill Road
864 801 2774 fax
Greer, SC 29651

"Racing to save lives" The Leukemia & Lymphoma Society - Team in Training
http://www.active.com/donate/tntsc/tntscCChopp

Do not send me unsolicited commercial email.

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
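The review step Gil describes, inspecting the LDIF script before it reaches the lab, can be partly automated. The Python below is an added example written for this thread, not code from either post or from any product mentioned. It parses a schema-extension LDIF and flags what a schema reviewer would refuse to sign off on: records that touch anything outside the schema naming context (apart from the RootDSE schemaUpdateNow cache reload), deletes (AD schema objects cannot be deleted, only made defunct), modifications of existing schema objects, duplicate lDAPDisplayName values, and OIDs outside the vendor's arc. The sample LDIF, the example.com forest, the "rtfm-" attribute and class names, and the OID prefix are all constructed for illustration and should be replaced with the real schema NC and the vendor's registered arc.

```python
"""Static pre-review of a schema-extension LDIF (added example, not from the thread).

Everything below the imports is constructed: the forest name, the 'rtfm-'
schema names, the vendor OID arc and the sample LDIF are assumptions made
for illustration only.
"""

SCHEMA_NC = "CN=Schema,CN=Configuration,DC=example,DC=com"  # assumed forest
VENDOR_OID_PREFIX = "1.2.840.113556.1.8000.2554.1234."      # assumed vendor arc

SAMPLE_LDIF = """\
# constructed sample: one attribute, a cache reload, one class, one mistake
dn: CN=rtfm-ProvisioningState,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: attributeSchema
lDAPDisplayName: rtfm-ProvisioningState
attributeID: 1.2.840.113556.1.8000.2554.1234.1.1
attributeSyntax: 2.5.5.9
oMSyntax: 2
isSingleValued: TRUE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=rtfm-ProvisioningRecord,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: classSchema
lDAPDisplayName: rtfm-ProvisioningRecord
governsID: 1.2.840.113556.1.8000.2554.9999.2.1
objectClassCategory: 1
subClassOf: top
mayContain: rtfm-ProvisioningState

dn: CN=Users,DC=example,DC=com
changetype: modify
replace: description
description: a directory data change hidden in a schema script
-
"""


def parse_ldif(text):
    """Return records as lists of (attribute, value); attribute names lowercased.
    Folded lines (leading space) are re-joined, '#' comments and the '-'
    separator of modify records are dropped, and a '::' base64 marker is
    stripped because the review only looks at names, OIDs and DNs."""
    records, current = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and current:
            attr, value = current[-1]
            current[-1] = (attr, value + raw[1:])
        elif raw.startswith("#") or raw == "-":
            continue
        elif raw.strip() == "":
            if current:
                records.append(current)
                current = []
        else:
            attr, _, value = raw.partition(":")
            current.append((attr.strip().lower(), value.lstrip(":").strip()))
    return records


def review_schema_ldif(text, schema_nc=SCHEMA_NC, oid_prefix=VENDOR_OID_PREFIX):
    """Return a list of reviewer findings; an empty list means nothing to reject."""
    findings, display_names = [], set()
    for rec in parse_ldif(text):
        values = {}
        for attr, value in rec:
            values.setdefault(attr, []).append(value)
        dn = values.get("dn", [""])[0]
        changetype = values.get("changetype", ["add"])[0].lower()
        label = dn or "RootDSE"

        # The only legitimate record outside the schema NC is the RootDSE
        # modify that asks the DC to reload its schema cache.
        if dn == "" and changetype == "modify" and "schemaupdatenow" in values:
            continue
        if not dn.lower().endswith(schema_nc.lower()):
            findings.append(f"{label}: {changetype} outside the schema NC")
            continue
        if changetype == "delete":
            findings.append(f"{label}: schema objects cannot be deleted, only made defunct")
            continue
        if changetype != "add":
            findings.append(f"{label}: modifies an existing schema object, confirm intent")
            continue

        classes = {c.lower() for c in values.get("objectclass", [])}
        name = values.get("ldapdisplayname", [None])[0]
        if name is None:
            findings.append(f"{label}: add without lDAPDisplayName")
        elif name.lower() in display_names:
            findings.append(f"{label}: duplicate lDAPDisplayName {name}")
        else:
            display_names.add(name.lower())

        if "attributeschema" in classes:
            oid_attr = "attributeid"
        elif "classschema" in classes:
            oid_attr = "governsid"
        else:
            findings.append(f"{label}: not an attributeSchema or classSchema object")
            continue
        oid = values.get(oid_attr, [""])[0]
        if not oid.startswith(oid_prefix):
            findings.append(f"{label}: {oid_attr} {oid or '(missing)'} not under vendor arc")
    return findings


if __name__ == "__main__":
    for finding in review_schema_ldif(SAMPLE_LDIF):
        print("REJECT:", finding)
```

Run against the constructed sample it rejects two records: the classSchema whose governsID sits outside the assumed vendor arc, and the modify against CN=Users, which is a directory data change smuggled into a schema script. A clean run is not approval; it only removes the mechanical objections before a human reviewer and the lab test take over.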
