Title: RE: [ActiveDir] Extending the schema
...what joe said, but also test the app thoroughly and
document its issues so that you can then perform a CYA job back to those asking
for the product and to your own boss :)
This is par for the course in the world of IT - we are
often forced to deploy cr** and all we can do to mitigate the situation is
to document our misgivings. At least if the whole thing blows up in your face,
you can point to a doc or email and state 'told you so' :)
neil
I do not have first hand experience with it but have
been speaking to some very trusted friends who have been trying to implement it
and pretty much anything they say I would take as if I saw it myself. From what
I hear there are some "odd" ACEs added to the ACLs (I believe at the NC Head
level) that make no sense but are required or you can't install LCS Servers. I
believe specifically there is something with a property set that is absolutely
worthless (I don't recall the details now). Also you can't substitute the ACEs,
you must have the exact ACEs in place that the LCS prep puts into place. That
means they aren't checking access rights, they are scanning the ACL looking for
a specific ACE which ranks up there with some of the worst things I have seen
out of any AD enabled app. This isn't very unusual for Exchange related
stuff. The Exchange folks don't seem to really know how to use AD properly
and LCS came from Exchange folks and has Exchange Dev all over it. Exchange
itself had some very odd delegations that had to be made in the early E2K
timeframe that I ran into and bugged that was absolutely meaningless as well if
you were trying to delegate minimal permissions. I recall there was one
delegation of an attribute that only existed on some config container objects
but needed to be applied to users or else the GUI tools wouldn't work.
Completely asinine stuff. I guess they are hitting the same crap with
LCS.
To add even more pain, the MCS guy that my friends have
been working with has been just a hair above useless for the whole thing so
probably better to sit down and work it out yourself than contract MCS to come
in and help out. I have personal experience with the specific MCS person and I
am not entirely surprised though this is just one more area where he is
supposed to be knowledgeable and this customer is so large that you would expect
MCS wouldn't be dumb and send in someone who isn't pretty good with the
product.
Basically, if you are being forced to use it, you don't
have much choice, lube up and go for it. If you do have a choice, go through the
product with a fine tooth comb in the lab and document all of the crap and then
complain to MS. Possibly if enough people tell them that the functionality isn't
good enough to deal with a shitty implementation they might get a clue. Most
likely it has gone as far as it has is because most people don't have a clue
what they are doing when they are installing things and assume anything out of
MS will be done correctly and never verify the changes made in the directory and
how much sense they may or may not make.
Oh, another thing: there is some global group
requirement built into LCS for admining the product; from what I heard you have
NO CHOICE but to use global groups. This is yet another product that
demonstrates that just because it came out of MS doesn't mean it is good or
should just be implemented.
joe
Do you have any specific
examples of the domain-wide ACLs I can keep an eye out for? Unfortunately
we don't have much say in this, the 'powers that be' want it implemented, and
quickly.
From: [EMAIL PROTECTED] on behalf of Lee, Wook
Sent: Tue 4/11/2006 7:01 PM
To: [email protected]
Subject: RE: [ActiveDir] Extending the schema
IMHO, LCS puts its configuration system objects in the wrong place, i.e.
the System container in the root domain NC. It really should put those
types of objects in the configuration NC. It also does a lot of
domain-wide ACLs, especially if you have a lot of domains. There are
configurations that help to moderate this, but putting LCS in a large
complex forest would be more trouble than it's worth to me. I did it in
a 4-domain forest and I didn't like it. It works, but I don't like it. I
would recommend a resource forest implementation, but then again, that's
just me. :)
Wook
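The check the two replies above are asking for, as an added example that is not part of the thread and not a Microsoft tool: take a baseline of the explicit ACEs on the domain NC head, the System container, the configuration NC and the schema NC, plus the list of schema classes and attributes, before running a vendor prep tool, then diff after it has run. That shows exactly which ACEs (and which property-set or extended-right GUIDs) the installer added and which schema objects it created. It assumes the ActiveDirectory (RSAT) module, an account allowed to read security descriptors on those containers, and an arbitrary baseline file name; the container list is a starting point you would extend per product.

```powershell
# Added example, not from the thread: baseline and diff the explicit ACEs and
# schema objects that an AD-enabled installer (LCS prep, Exchange setup, ...)
# changes. Assumes the ActiveDirectory module and read access to the security
# descriptors; the baseline path is an arbitrary choice.
Import-Module ActiveDirectory

$root = Get-ADRootDSE
$Targets = @(
    $root.defaultNamingContext                      # domain NC head
    "CN=System,$($root.defaultNamingContext)"       # where LCS places its objects
    $root.configurationNamingContext
    $root.schemaNamingContext
)

# Map the GUIDs that appear in object-specific ACEs back to attribute, class,
# property-set and extended-right names so the diff is readable.
$GuidNames = @{}
Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $GuidNames[([guid]$_.schemaIDGUID).Guid] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
    -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $GuidNames[([guid]$_.rightsGuid).Guid] = $_.displayName }

function Resolve-AceGuid([guid]$Guid) {
    if ($Guid -eq [guid]::Empty) { return '(all)' }
    if ($GuidNames.ContainsKey($Guid.Guid)) { return $GuidNames[$Guid.Guid] }
    return $Guid.Guid                               # unknown GUID: keep raw for follow-up
}

function Get-AceSnapshot {
    # One flat, comparable record per explicit (non-inherited) ACE on each target.
    foreach ($dn in $Targets) {
        $acl = Get-Acl -Path ("AD:\" + $dn)
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }
            [pscustomobject]@{
                Target      = $dn
                Identity    = $ace.IdentityReference.Value
                Type        = $ace.AccessControlType.ToString()
                Rights      = $ace.ActiveDirectoryRights.ToString()
                Inheritance = $ace.InheritanceType.ToString()
                AppliesTo   = Resolve-AceGuid $ace.ObjectType           # attribute / property set / right
                InheritedTo = Resolve-AceGuid $ace.InheritedObjectType  # object class the ACE flows to
            }
        }
    }
}

function Get-SchemaNames {
    (Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(lDAPDisplayName=*)' `
        -Properties lDAPDisplayName).lDAPDisplayName
}

function Save-DirectoryBaseline([string]$Path = '.\ad-baseline.xml') {
    # Run BEFORE the vendor's prep/setup tool.
    @{ Aces = @(Get-AceSnapshot); Schema = @(Get-SchemaNames) } | Export-Clixml $Path
}

function Compare-DirectoryBaseline([string]$Path = '.\ad-baseline.xml') {
    # Run AFTER the tool: lists every ACE and schema object it added or removed.
    $base  = Import-Clixml $Path
    $props = 'Target', 'Identity', 'Type', 'Rights', 'Inheritance', 'AppliesTo', 'InheritedTo'
    $label = @{ n = 'Change'; e = { if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' } } }

    Compare-Object -ReferenceObject $base.Aces -DifferenceObject @(Get-AceSnapshot) -Property $props |
        Select-Object $label, Target, Identity, Type, Rights, Inheritance, AppliesTo, InheritedTo |
        Sort-Object Change, Target | Format-Table -AutoSize

    Compare-Object -ReferenceObject $base.Schema -DifferenceObject @(Get-SchemaNames) |
        Select-Object $label, @{ n = 'SchemaObject'; e = { $_.InputObject } } |
        Format-Table -AutoSize
}
```

Run `Save-DirectoryBaseline` in the lab forest, run the prep tool, then `Compare-DirectoryBaseline`. Every ADDED row is an ACE or schema object the product wrote; any row whose AppliesTo or InheritedTo is a raw GUID is one the schema and Extended-Rights containers could not name, which is exactly the kind of entry worth writing up before it reaches production. Only explicit ACEs are compared, so an ACE the installer sets on one container shows up once rather than on every child that inherits it.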
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Tuesday, April 11, 2006 4:11 PM
To: [email protected]
Subject: RE: [ActiveDir] Extending the schema
My personal opinion is you don't put anything into your production schema
that you aren't going to really use regardless of what DCs you have.
Especially test LCS; I have heard nothing but bad things about its
implementation.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
Sent: Tuesday, April 11, 2006 6:59 PM
To: [email protected]
Subject: [ActiveDir] Extending the schema
We're a native win2k domain and are a few DC upgrades away from going to
2003 native mode.
We're evaluating Live Communications Server, Sharepoint, Biztalk, etc, etc.
Are there any negatives involved in extending the schema if there's a
possibility we may scrap these projects altogether, or is it not such a
bad thing like it once was thought to be?
Thanks
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/