Best Practices for Extending the Schema - PowerPoint PPT Presentation

About This Presentation

Title: Best Practices for Extending the Schema

Description: Get a base OID. Some best practices. LDAP Display Name = Common Name ... Generate a base OID using Microsoft's namespace. Available in W2K Resource Kit. Uuidgen ... (PowerPoint PPT presentation)

Number of views: 93
Avg rating: 3.0/5.0
Slides: 12
Provided by: stella1

Transcript and Presenter's Notes

1
Best Practices for Extending the Schema
Robbie Allen, Senior Systems Architect, Cisco Systems
2
Extensible Schema is a feature!
  • Active Directory was intended to be extended
  • Law of Irreversible Changes
      • Schema redefine helps in Win Server 2003
  • Other impediments
      • Can be a lot of work to test extensions
      • Dreaded GC re-sync (resolved in Win Server 2003)
      • Schema sharing can be problematic
      • Application impact on the NOS
      • Schema corruption is very rare in the wild
  • Need well-defined schema extension process
      • Avoid too much bureaucracy

3
Before You Extend the Schema
  • Meet with vendor or application team
      • Make sure data is a good fit for AD
      • Determine where application data will go
      • Determine application account security requirements
      • Require LDIF files
      • Determine if any attributes are added to the PAS or need to be indexed, and assess impact
  • Test extensions
      • Several options
          • Build a forest specifically for schema extension testing
          • Use VMware for quick rollback
          • Use schema deletes to repeatedly test in a forest (W2K pre-SP3 only)
  • Document extensions (e.g. SchemaDoc)

4
Dealing with Vendors
  • General issues to consider
      • Is the vendor knowledgeable about AD?
      • Does the product make good use of AD?
      • Is the product evolving quickly?
      • How dependent is the product on AD?
  • Develop a questionnaire

5
Sample Questionnaire
  • Class and Attribute Information
      • What is the total number of attributes and classes to be injected?
      • Do any attributes need to be indexed or added to the GC, and if so why?
      • Are any default schema objects modified?
      • Have the prefix, OID and organization information for the extensions been registered on Microsoft's Certification web site?
  • Data Management and Access
      • How will objects utilizing the extended classes and attributes be managed and manipulated?
      • Does the application work well in a multi-domain environment?
      • What security settings are necessary to grant the application account(s) access to read or modify the data?
      • Who are the users of the data and how will they access it?
      • How volatile is the data?
      • Can the total size of the data stored in Active Directory resulting from use of the extensions be estimated and projected (overall versus per-object)?
      • How does the availability of Active Directory impact the availability of the application?
      • How is the application configured to access Active Directory? Can it automatically locate a different DC if the one it was using becomes unavailable?
  • Extension Injection
      • Are LDIF files provided?
      • What process is recommended to inject the extensions?
      • How likely will new versions of the application result in further schema extensions? How often?

6
Extending the Schema
  • Locate the Schema FSMO
  • Enable schema updates (not necessary in Win Server 2003):
    HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Schema Update Allowed = 1
  • Inject schema extensions
      • Warning: LDIFDE can generate false negatives
  • Allow time for the schema cache to update and for replication to occur

7
Designing Your Own Schema Extensions
  • Getting started
      • Adopt a naming convention
          • company-Dept/Product-DescName
          • Class: cisco-IT-Employee
          • Attribute: cisco-IT-EmployeeBuilding
      • Get a base OID
  • Some best practices
      • LDAP Display Name = Common Name
      • Avoid storing large blobs (use pointers instead)
      • Use auxiliary classes to enhance existing object classes
      • Specify possSuperiors for new structural classes
      • Populate the description attribute
      • Use LDIF files to populate extensions
      • Register OID and prefix with Microsoft
      • Populate the schemaIDGUID
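The following Python script is an added example, not code from the presentation or from Cisco. It ties slides 6 and 7 together by generating the LDIF file that LDIFDE would inject and then parsing it back to check the best practices listed above: the company-Dept/Product-DescName naming convention, one OID per object under a base OID, lDAPDisplayName equal to the common name, a populated description, a base64-encoded schemaIDGUID, an auxiliary class attached to an existing class, and a schemaUpdateNow record so the schema cache refreshes before the new attribute is referenced. The base OID, the schema naming context and the example attribute values are placeholders chosen for this example (obtain a real base OID from oidgen or Microsoft's registration).

```python
"""Build and sanity-check an RFC 2849 LDIF file for an AD schema extension (added example)."""
import base64
import re
import uuid

BASE_OID = "1.2.840.113556.1.8000.2554.99999"             # placeholder, not a real assignment
SCHEMA_NC = "CN=Schema,CN=Configuration,DC=example,DC=com"  # placeholder forest
NAME_RE = re.compile(r"^[a-z][a-z0-9]*-[A-Za-z0-9]+-[A-Z][A-Za-z0-9]*$")  # company-Dept-DescName

# attributeSyntax / oMSyntax pairs for common AD syntaxes
SYNTAXES = {"unicode": ("2.5.5.12", 64), "integer": ("2.5.5.9", 2), "dn": ("2.5.5.1", 127)}

# Standard record that makes the DC reload its schema cache at once.
SCHEMA_UPDATE_NOW = "dn:\nchangetype: modify\nadd: schemaUpdateNow\nschemaUpdateNow: 1\n-"


def check_name(name):
    """Reject names that do not follow company-Dept/Product-DescName; return the name."""
    if not NAME_RE.match(name):
        raise ValueError(f"{name!r} breaks the naming convention")
    return name


def new_schema_id_guid():
    """schemaIDGUID is an octet string, so LDIF carries it base64-encoded ('::' form)."""
    return base64.b64encode(uuid.uuid4().bytes).decode("ascii")


def attribute_record(name, oid_suffix, syntax, description, indexed=False):
    """One attributeSchema object. searchFlags=1 indexes it; assess the impact first."""
    attr_syntax, om_syntax = SYNTAXES[syntax]
    return "\n".join([
        f"dn: CN={check_name(name)},{SCHEMA_NC}",
        "changetype: add",
        "objectClass: attributeSchema",
        f"cn: {name}",
        f"lDAPDisplayName: {name}",                 # display name equals the common name
        f"attributeID: {BASE_OID}.1.{oid_suffix}",  # attributes live under <base>.1
        f"attributeSyntax: {attr_syntax}",
        f"oMSyntax: {om_syntax}",
        "isSingleValued: TRUE",
        f"searchFlags: {1 if indexed else 0}",
        f"description: {description}",
        f"schemaIDGUID:: {new_schema_id_guid()}",
    ])


def aux_class_record(name, oid_suffix, description, may_contain, attach_to_cn):
    """An auxiliary class (objectClassCategory 3) and the modify that attaches it to an
    existing class. Auxiliary classes need no possSuperiors; structural ones would."""
    add = [
        f"dn: CN={check_name(name)},{SCHEMA_NC}",
        "changetype: add",
        "objectClass: classSchema",
        f"cn: {name}",
        f"lDAPDisplayName: {name}",
        f"governsID: {BASE_OID}.2.{oid_suffix}",    # classes live under <base>.2
        "objectClassCategory: 3",
        "subClassOf: top",
        f"description: {description}",
        f"schemaIDGUID:: {new_schema_id_guid()}",
    ] + [f"mayContain: {check_name(a)}" for a in may_contain]
    attach = [
        f"dn: CN={attach_to_cn},{SCHEMA_NC}",
        "changetype: modify",
        "add: auxiliaryClass",
        f"auxiliaryClass: {name}",
        "-",
    ]
    return "\n".join(add), "\n".join(attach)


def build_ldif():
    """Example extension: a building attribute carried by an auxiliary class on User."""
    attr = attribute_record("cisco-IT-EmployeeBuilding", 1, "unicode", "Building where the employee sits")
    cls, attach = aux_class_record("cisco-IT-Employee", 1, "Cisco IT employee data",
                                   ["cisco-IT-EmployeeBuilding"], "User")
    # Reload the cache after the attribute so the class's mayContain resolves, and again before use.
    return "\n\n".join([attr, SCHEMA_UPDATE_NOW, cls, attach, SCHEMA_UPDATE_NOW]) + "\n"


def parse_ldif(text):
    """Minimal RFC 2849 reader: blank-line separated records of 'attr: value' lines."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            if line == "-":
                continue
            key, _, value = line.partition(":")
            rec.setdefault(key, []).append(value.lstrip(": ").strip())
        records.append(rec)
    return records


def validate(records):
    """Return best-practice violations found in parsed 'add' records (empty list means clean)."""
    problems, seen_oids = [], set()
    for rec in records:
        if rec.get("changetype") != ["add"]:
            continue  # modify records (attach, schemaUpdateNow) define no schema object
        name = rec["cn"][0]
        if rec.get("lDAPDisplayName") != [name]:
            problems.append(f"{name}: lDAPDisplayName differs from cn")
        if not rec.get("description", [""])[0]:
            problems.append(f"{name}: description is empty")
        if "schemaIDGUID" not in rec:
            problems.append(f"{name}: schemaIDGUID missing")
        for oid in rec.get("attributeID", []) + rec.get("governsID", []):
            if not oid.startswith(BASE_OID + ".") or oid in seen_oids:
                problems.append(f"{name}: OID {oid} outside base OID or duplicated")
            seen_oids.add(oid)
    return problems


if __name__ == "__main__":
    ldif = build_ldif()
    print(ldif)
    print("violations:", validate(parse_ldif(ldif)))
```

Write the output to a file and inject it with `ldifde -i -f extension.ldf` on the schema FSMO; because LDIFDE can report success on a partially applied file, re-read the schema container afterwards and confirm each cn appears rather than trusting the exit status.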

8
Schema Tools
  • Schema Mgmt Snap-in
      • Basic schema management functions
      • Available in adminpak.msi
  • LDIFDE
      • Import and export LDIF files
      • Available on W2K Server, Win Server 2003
  • Oidgen
      • Generate a base OID using Microsoft's namespace
      • Available in W2K Resource Kit
  • Uuidgen
      • Generate schemaIDGUIDs
      • Available in Platform SDK
  • SchemaDoc
      • Simple method for documenting schema extensions
      • Available from http://msdn.microsoft.com/library/en-us/dnactdir/html/schemadoc.asp

9
Schema Changes in Windows Server 2003
  • Dynamic Auxiliary class support
  • iNetOrgPerson class support
  • Schema Redefine
  • No more GC sync after PAS addition
  • No longer need to set registry before extending the schema

10
Reference
  • AD Schema Reference: http://msdn.microsoft.com/library/en-us/adschema/adschema/active_directory_schema.asp
  • AD Naming Registration: http://msdn.microsoft.com/certification/ad-registration.asp
  • RFC 2849 - LDIF: http://www.ietf.org/rfc/rfc2849.txt
  • OID Reference: http://www.alvestrand.no/objectid/
  • ISO Member List: http://www.iso.ch/iso/en/aboutiso/isomembers/index.html

11
Discussion