I have to agree, separate LDIF files are the best way to go as they are
easiest to QA and troubleshoot.  Also makes it easy to script the building
of a test AD rather than having to install the App that would make the
changes, which is a pain when you have a lot of schema mods to get through.
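As an added example (not code from this thread or its authors), a small pre-import check for a schema LDIF of the kind recommended above: it parses the records, flags attributeID/governsID values outside the OID prefix you own, duplicate schemaIDGUID or lDAPDisplayName values, and any changetype: modify against an existing schema object, so mistakes surface before the file touches even the test forest. The sample LDIF, attribute names, OIDs and GUID are constructed; Python is used rather than PowerShell so the check runs on any workstation.

```python
from collections import Counter
# Constructed sample in ldifde style (names, OIDs, GUID made up); "DC=X" is the
# placeholder that ldifde -c replaces with the real forest root at import time.
SAMPLE_LDIF = """\
dn: CN=exApp-ProvisionState,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
lDAPDisplayName: exApp-ProvisionState
attributeID: 1.2.840.113556.1.8000.2554.7.1
schemaIDGUID:: AAAAAAAAAAAAAAAAAAAAAA==

dn: CN=exApp-Tenant,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
lDAPDisplayName: exApp-Tenant
governsID: 1.3.6.1.4.1.99999.1
schemaIDGUID:: AAAAAAAAAAAAAAAAAAAAAA==

dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: mayContain
mayContain: exApp-ProvisionState
-
"""

def parse_ldif(text):
    # Split LDIF into records of {lowercased attribute: [values]}; no line folding.
    records, rec = [], {}
    for line in text.splitlines() + [""]:
        if line.strip() and line != "-" and not line.startswith("#"):  # '-' ends a modify op
            name, _, val = line.partition(":")      # '::' means base64; value kept verbatim
            rec.setdefault(name.strip().lower(), []).append(val.lstrip(": "))
        elif not line.strip() and rec:              # blank line ends a record
            records, rec = records + [rec], {}
    return records

def lint_schema_ldif(text, oid_prefix):
    """Pre-flight checks for a schema LDIF before it goes into the test forest."""
    recs = parse_ldif(text)
    seen = {a: Counter(v.lower() for r in recs for v in r.get(a, []))
            for a in ("ldapdisplayname", "schemaidguid")}
    out = []
    for r in recs:
        dn, cls = r["dn"][0], {c.lower() for c in r.get("objectclass", [])}
        if r.get("changetype", ["add"])[0].lower() == "modify":
            out.append(f"{dn}: modifies an existing schema object; review by hand")
            continue
        oid_attr = "attributeid" if "attributeschema" in cls else "governsid"
        if not all(v.startswith(oid_prefix + ".") for v in r.get(oid_attr, ["?"])):
            out.append(f"{dn}: {oid_attr} missing or outside OID prefix {oid_prefix}")
        out += [f"{dn}: duplicate {a} {v}" for a, c in seen.items()
                for v in r.get(a, []) if c[v.lower()] > 1]
    return out
```

Run against the sample it reports the reused schemaIDGUID on both new objects, the class OID outside the owned prefix, and the modify against CN=User.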

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 25 September 2005 10:39
To: ActiveDir.org
Subject: Re: [ActiveDir] Applications that extend the schema...

In the event of Schema extensions that have gone wrong - the worst case
scenario is a forest rebuild as the Schema Partition cannot be authoritatively
restored. That's the main reason for me performing Schema extensions in an
isolated site and then opening up replication slowly.

Mark

-----Original Message-----
From: "Roger Seielstad" <[EMAIL PROTECTED]>
Date: Sat, 24 Sep 2005 12:11:55
To: <[email protected]>
Subject: RE: [ActiveDir] Applications that extend the schema...

Applications should never, and I mean NEVER, be trusted to auto-update the
schema as necessary.

I'd expect schema modifications to be handled as a one-off,
quasi-interactive process. Quasi-interactive meaning a human logs in with an
account holding the appropriate permissions and does the modification.


--------
Roger Seielstad
E-mail Geek
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Friday, September 23, 2005 7:30 AM
To: [email protected]
Subject: [ActiveDir] Applications that extend the schema...

Given the # of variations that may exist in AD deployments, anywhere from a
small business with a single forest/tree/domain all the way up to a large
enterprise with multiple forests each containing multiple trees with each
tree having numerous domains, there may be many differences of opinion on
the part of administrators regarding schema extensions and applications that
create them.

I'm interested in hearing those opinions in regards to an enterprise type of
resource provisioning application that will run primarily as a service under
a specific domain account, with the caveat that the application does require
some schema extensions in order to run properly.  In particular, the
question pertains to whether or not the main application should attempt to
perform the schema extension work when it detects that they are not present,
and if so, should it want/need to do so under its own set of credentials
used to perform the service logon by the service control manager when the
service is started, or should the application's UI request an elevated set
of credentials in order to perform the schema extension.  Alternatively,
should the schema extension be performed using an additional program
provided with the application so that it would be relatively easy for an
administrator to log on, run the schema extension tool, and then be done with
their part so that the application's "owner" could continue with the
installation & configuration of the application.

I'm familiar with many of the issues in terms of Novell's eDirectory, but
with AD there may be some other concerns due to differences in the two
directory services and how they are implemented.  It's the AD-specific
concerns that interest me.


TIA,

Chuck
--
Chuck Chopp

ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com

RTFM Consulting Services Inc.     864 801 2795 voice & voicemail
103 Autumn Hill Road              864 801 2774 fax
Greer, SC  29651

"Racing to save lives"
The Leukemia & Lymphoma Society - Team in Training
http://www.active.com/donate/tntsc/tntscCChopp

Do not send me unsolicited commercial email.

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/