I see what you're saying.
I think the answer would totally depend on the application and the application scope. If the application scope is the entire forest, then it should pull from the GC if the data it wants resides in the GC. If not, then it will have to pull from a DC in each domain.
A best practice in that case would be to be aware of the domains and the forest and find its servers via name resolution vs. hard-coding any DC information. Outside of that, I don't think the vendor's necessarily wrong based on the information. To their argument, the data may not reside in the GC and therefore they would have to pull from each domain. If the data doesn't exist in the GC by default, they would have to instruct the clients to add information to the GC and I think that would be far worse because the impact would vary so widely.
Robert, when you weigh the answers to this, I think it would be a good idea to consider that the vendor has to write for more than one customer audience. It would not make a lot of sense for the vendor to put a lot of work into something that already works if they don't have to and if it doesn't cause issues. In this case, I think it doesn't cause issues because it sounds like it works. It sounds like the customer needs to consider their options and if they feel that they can't live with the vendor's methods, perhaps they should consider voting with the wallet. :)
On 6/12/06, Rob MOIR <[EMAIL PROTECTED]> wrote:
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED]] On Behalf Of Al Mulnick
> Sent: 12 June 2006 13:55
> To: [email protected]
> Subject: Re: [ActiveDir] AD integration
>
> Is there a best practice? For what? For making it work or for
> security purposes?
> JoeK has a book full of coding information. That might be of use.
For making it work. I'm trying to resolve a dispute between a supplier of a commercial product and a customer about whether or not the "connect to each domain in turn" method is a satisfactory model (Supplier says 'what's the problem', customer regards it as poor practice). I'm after a general idea of how people feel about this.
> As for a model, my personal advice is to ensure that the coder doesn't
> assume that the ldap data is static. For example, never assume that
> the items that aren't guaranteed to be unique will remain unique such
> as CN. In a multi-domain forest, the CN is not likely going to be
> unique unless additional steps have previously been taken. DN, RDN etc
> follow suit.
>
> As for more than one domain and pulling the data from domain at a time,
> well, that's up to the application. Is there a reason you only want it
> from one at a time that we should be aware of? Vs. say pulling
> information from a GC?
I personally would regard pulling info for the whole forest from a GC as the preferred model where applicable (and in this case it would work fine), I'm trying to find out how people feel about the other methods.
> WINNT code: yes it will still work depending on how you want to run it.
> But it won't allow you access to the GC, and it's going to have
> problems in multidomain models if the samaccountname is not unique
> across the domain boundaries.
>
> WINNT code is also legacy code and not guaranteed to work for future
> versions IIRC.
>
> Al
>
>
>
> On 6/12/06, Rob MOIR <[EMAIL PROTECTED]> wrote:
>
> Just a quick question. Is anyone aware of any "best practice"
> documentation of how a product ought to integrate with AD (e.g. to pull
> out user data for its own use).
>
> Failing that, can anyone comment on what they think of a model that can
> only pull data out of one domain at a time so for a >1 domain forest
> needs to make a connection to each domain in turn, pull down that
> information and then load it into SQL server. Am I crazy in thinking
> that anyone following this model has probably just found out that their
> old NT4 domain integration code "kinda works" and did the bare minimum
> tidying up before halting any further work?
>
> --
> Robert Moir
> Microsoft MVP for Windows Servers & Security
> Senior IT Systems Engineer
> Luton Sixth Form College
> Right vs. Wrong | Good vs. Evil
> God vs. the devil | What side you on?
>
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
>
>
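Added example, not from anyone in the thread: a small planner that applies the two points made above (query the GC only when every wanted attribute is in the partial attribute set, otherwise one DC per domain, and locate servers through DNS SRV names rather than hard-coded DCs), plus a merge step that keys users by objectSid so that sAMAccountName collisions across domains are reported instead of silently overwriting rows. The partial-attribute-set table and the user rows are constructed sample data; a real implementation would read isMemberOfPartialAttributeSet from the schema partition.

```python
"""Choose GC vs. per-domain LDAP sources and merge multi-domain user data.

Constructed sample data. SRV names follow the standard AD layout:
_gc._tcp.<forest> for global catalog servers (port 3268) and
_ldap._tcp.dc._msdcs.<domain> for domain controllers (port 389).
"""
GC_PORT, LDAP_PORT = 3268, 389

# Constructed subset of the schema: attribute -> replicated to the GC?
# In a real forest, read isMemberOfPartialAttributeSet from the schema NC.
PARTIAL_ATTRIBUTE_SET = {
    "sAMAccountName": True, "displayName": True, "mail": True,
    "objectSid": True, "objectGUID": True, "userPrincipalName": True,
    "department": False,  # constructed: stands in for a non-GC attribute
}


def plan_sources(forest, domains, wanted_attrs, pas=PARTIAL_ATTRIBUTE_SET):
    """Return the (SRV name, port) pairs the application should resolve.

    If every wanted attribute lives in the GC, one forest-wide GC query is
    enough; otherwise a DC in each domain must be queried in turn.
    """
    not_in_gc = [a for a in wanted_attrs if not pas.get(a, False)]
    if not not_in_gc:
        return [(f"_gc._tcp.{forest}", GC_PORT)]
    return [(f"_ldap._tcp.dc._msdcs.{d}", LDAP_PORT) for d in domains]


def merge_users(per_domain_rows):
    """Merge [(domain, [row, ...]), ...] into {objectSid: row}.

    objectSid is forest-unique; sAMAccountName and CN are only unique
    within a domain, so cross-domain duplicates are collected and returned
    rather than being used as the key.
    """
    merged, seen_names, collisions = {}, {}, []
    for domain, rows in per_domain_rows:
        for row in rows:
            merged[row["objectSid"]] = dict(row, domain=domain)
            name = row["sAMAccountName"].lower()
            if name in seen_names and seen_names[name] != domain:
                collisions.append((name, seen_names[name], domain))
            seen_names.setdefault(name, domain)
    return merged, collisions


def demo():
    """Constructed two-domain forest where 'jsmith' exists in both domains."""
    rows = [
        ("corp.example", [{"objectSid": "S-1-5-21-1-1-1-1105",
                           "sAMAccountName": "jsmith"}]),
        ("eu.corp.example", [{"objectSid": "S-1-5-21-2-2-2-1212",
                              "sAMAccountName": "JSmith"}]),
    ]
    return merge_users(rows)
```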
