Author: AD000001290 (Posts: 0)
Date: 09/23/2005 4:24 AM

Resent due to issues - apologies if this appears twice :)
I'm looking for some schema design best practices, based upon experience.
For example:
Are there additional attributes which you would suggest be:
indexed
added to the PAS
replicated when a user is duplicated
indexed for containerised searches?
Are there classes to which you would add other attributes? (e.g. add managedBy to User)
I'm also interested to hear views regarding Schema mods and how they should be performed in a controlled fashion (lag sites etc).
I have my own views on all of the above but am keen to hear the views of others.
Thanks,
neil
___________________________
Neil Ruston
Global Technical Infrastructure
Nomura International plc
Telephone: +44 (0) 20 7521 3481

PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments. NIplc
does not provide investment services to private customers. Authorised and
regulated by the Financial Services Authority. Registered in England
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP. A member of the Nomura group of companies.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Author: AD000001290 (Posts: 0)
Date: 09/27/2005 1:07 AM

Thanks joe - I appreciate the feedback. We're certainly on the same wavelength :)
Could you expand a little on the below comment please? I appreciate that w2k3 sp1 added sidhistory to the list of attributes whose data is retained when an object is reanimated but I was not aware that extra attributes could be added to this list(?)
"Preserve on tombstone - load this baby up, makes undeletes more useful"
neil
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]On Behalf Of joe
Sent: 23 September 2005 17:13
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Schema design best practices
Additional attribute to index - objectClass and company specific mods
Add to the PAS - Usually company specific items
Copied when object is copied - none, don't recommend using ADUC for anything other than small orgs
Container index - would depend on whether you do a lot of one level searches for something, overall, I don't believe I have seen much call for this.
Preserve on tombstone - load this baby up, makes undeletes more useful
ManagedBy applied to users, good idea. I think I would consider a whole suite of object lifecycle management additions though as well. Last reviewed, next review (in case of special items not reviewed on normal schedule), where it is in the lifecycle process, etc.
For schema mods, drop schema fsmo in isolated site (i.e. not replicating often), make changes. If they look good, move another DC into the site and watch it replicate across and double-check for issues again. If that is good, open up replication to site or drag DCs back to main sites. If you have a large environment, drag to different far removed sites so that your updates can start propagating out from multiple locations, putting a DC in a site that it doesn't have high connectivity to for the short period of time to replicate in schema mods shouldn't be too troublesome.
joe
Author: listmail (Posts: 824)
Date: 09/27/2005 2:26 AM

Yep, you can add additional attributes to it. Some of them won't work, say like memberof or other linked attributes and pwdLastSet[1] and possibly some other SAM Account management attributes.
You need to set the proper searchflags value, specifically Bit 3, value 0x8. See
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/a_searchflags.asp
joe

[1] More accurately, it would be preserved but gets set to 0 on recovery anyway for some reason even when you mark passwords to be recovered.
Author: AD000001290 (Posts: 0)
Date: 09/27/2005 2:37 AM

Ok, I had that info but thought you were suggesting there was a 'friendly' interface to this :)
Thanks again,
neil
Author: listmail (Posts: 824)
Date: 09/27/2005 3:04 AM

Personally, I use admod, good interface I think. The worst part is currently you have to manually figure out what the searchflags value needs to be.
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments. NIplc
does not provide investment services to private customers. Authorised and
regulated by the Financial Services Authority. Registered in England no.
1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP. A member of the Nomura group of companies.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| GuidoG
Posts:114
 | | 09/27/2005 7:26 AM |
| I'd say that adding more attributes to the tombstone sort of depends on your overall recovery strategy. If you plan to recover objects via tombstones, you need to take care of certain data that you can't recover anyways (as mentioned, the member/memberOf links or any other links like manager/directReports etc.). You need to save these offline by other means anyways (e.g. tools such as NetPro's RestoreADmin or Quest's AD Recovery Manager) and then populate them back on the objects after you have reanimated an object. And if you use the normal auth. restore approach, the attributes in the tombstones don't matter at all.
So I typically concentrate on adding those attributes to the tombstones which I can't recover after tombstone reanimation from an offline store (such as password and sidhistory). Ok, sidhistory was now added in SP1 (although this is per SP1 server - a non-SP1 or Win2000 server won't retain the sidhistory attribute, unless you so specify in the schema via the searchflags for the sidhistory attribute).
In summary, think about your overall recovery strategy, then make a decision on which attributes to add to the list of those kept with the tombstone objects.
/Guido
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Dienstag, 27. September 2005 16:25
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Schema design best practices
Yep, you can add additional attributes to it. Some of them won't work, say like memberof or other linked attributes and pwdLastSet[1] and possibly some other SAM Account management attributes.
You need to set the proper searchflags value, specifically Bit 3, value 0x8. See
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/a_searchflags.asp
joe
[1] More accurately, it would be preserved but gets set to 0 on recovery anyway for some reason even when you mark passwords to be recovered.
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of
neil.ruston@xxxxxxxxxxxxx
Sent: Tuesday, September 27, 2005 9:06 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Schema design best practices
Thanks joe - I appreciate the feedback. We're certainly on the same wavelength :)
Could you expand a little on the below comment please? I appreciate that w2k3 sp1 added sidhistory to the list of attributes whose data is retained when an object is reanimated but I was not aware that extra attributes could be added to this list(?)
"Preserve on tombstone - load this baby up, makes undeletes more useful"
neil
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]On Behalf Of joe
Sent: 23 September 2005 17:13
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Schema design best practices
Additional attribute to index - objectClass and company specific mods
Add to the PAS - Usually company specific items
Copied when object is copied - none, don't recommend using ADUC for anything other than small orgs
Container index - would depend on whether you do a lot of one level searches for something, overall, I don't believe I have seen much call for this.
Preserve on tombstone - load this baby up, makes undeletes more useful
ManagedBy applied to users, good idea. I think I would consider a whole suite of object lifecycle management additions though as well. Last reviewed, next review (in case of special items not reviewed on normal schedule), where it is in the lifecycle process, etc.
For schema mods, drop schema fsmo in isolated site (i.e. not replicating often), make changes. If they look good, move another DC into the site and watch it replicate across and doublecheck for issues again. If that is good, open up replication to site or drag DCs back to main sites. If you have a large environment, drag to different far removed sites so that your updates can start propagating out from multiple locations, putting a DC in a site that it doesn't have high connectivity to for the short period of time to replicate in schema mods shouldn't be too troublesome.
joe
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of
neil.ruston@xxxxxxxxxxxxx
Sent: Friday, September 23, 2005 9:31 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Schema design best practices
I'm looking for some schema design best practices, based upon experience.
For example:
Are there additional attributes which you would suggest be:
indexed
added to the PAS
replicated when a user is duplicated
indexed for containerised searches?
Are there classes to which you would add other attributes? (e.g. add managedBy to User)
I'm also interested to hear views regarding Schema mods and how they should be performed in a controlled fashion (lag sites etc).
I have my own views on all of the above but am keen to hear the views of others.
Thanks,
neil
___________________________
Neil Ruston
Global Technical Infrastructure
Nomura International plc
Telephone: +44 (0) 20 7521 3481
| | | |
| alainlissoir
Posts:0
 | | 09/28/2005 2:06 AM |
| If you go on http://www.lissware.net, you will find:
Two pointers to two articles about AD schema design and mechanics.
You will also find a White Paper for WSH and ADSI under Windows 2000 (but still valid for 2003) where a script is screening the AD schema to get any information you may want to know about attributes, classes, searches, index, etc.
HTH
/Alain
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Tuesday, September 27, 2005 7:41 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Schema design best practices
Personally, I use admod, good interface I think. The worst part is currently
you have to manually figure out what the searchflags value needs to be.
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of
neil.ruston@xxxxxxxxxxxxx
Sent: Tuesday, September 27, 2005 10:36 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Schema design best practices
Ok, I had that info but thought you were suggesting there was a 'friendly'
interface to this :)
Thanks again,
neil | | | |
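Joe's "Bit 3, value 0x8" and his remark that admod leaves you to work out the searchflags value by hand both come down to bit arithmetic on the attributeSchema object. The following is an added example, not code from the thread or from admod: it decodes an existing searchFlags value, ORs in preserve-on-delete without dropping bits that are already set, flags linked attributes (which the thread notes cannot be preserved through a tombstone anyway), and emits an LDIF modify entry as an alternative way to apply the change; the schema DN, the attribute names and the sample schema records are constructed placeholders, and the linkID parity rule (even = forward link, odd = back link) is the documented one.

```python
"""Compose, decode and sanity-check Active Directory searchFlags values.

Added example for this thread; it is not code from the thread or from admod.
Bit values are the documented searchFlags bits of attributeSchema objects.
The schema DN and the sample attribute records are constructed placeholders.
"""
from __future__ import annotations

# searchFlags bit -> name (attributeSchema documentation).
SEARCH_FLAGS = {
    0x001: "INDEX",               # fATTINDEX: build an index over the attribute
    0x002: "CONTAINER_INDEX",     # fPDNTATTINDEX: index for one-level (containerised) searches
    0x004: "ANR",                 # fANR: include in Ambiguous Name Resolution
    0x008: "PRESERVE_ON_DELETE",  # fPRESERVEONDELETE: keep the value on the tombstone
    0x010: "COPY_ON_DUPLICATE",   # fCOPY: copy the value when ADUC duplicates a user
    0x020: "TUPLE_INDEX",         # fTUPLEINDEX: index for medial (*abc*) searches
    0x040: "SUBTREE_INDEX",       # fSUBTREEATTINDEX: subtree index
    0x080: "CONFIDENTIAL",        # fCONFIDENTIAL: read requires CONTROL_ACCESS right
    0x100: "NEVER_VALUE_AUDIT",   # fNEVERVALUEAUDIT: no value-level audit events
    0x200: "RODC_FILTERED",       # fRODCFilteredAttribute: held back from RODCs
}
NAME_TO_BIT = {name: bit for bit, name in SEARCH_FLAGS.items()}


def decode(value: int) -> list[str]:
    """Names of the flags set in an existing searchFlags value, lowest bit first."""
    if value < 0:
        raise ValueError("searchFlags is a non-negative integer")
    names = [name for bit, name in sorted(SEARCH_FLAGS.items()) if value & bit]
    unknown = value & ~sum(SEARCH_FLAGS)   # bits this table does not know about
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:X}")
    return names


def compose(current: int, add: tuple[str, ...] = (), remove: tuple[str, ...] = ()) -> int:
    """Set/clear named flags on top of the value already in the schema.

    Reading the current value first matters: writing a bare 8 would silently
    drop an existing index (1) or ANR (4) setting on a production attribute.
    """
    value = current
    for name in add:
        value |= NAME_TO_BIT[name]
    for name in remove:
        value &= ~NAME_TO_BIT[name]
    return value


def preserve_check(attr: dict) -> str | None:
    """Explain why PRESERVE_ON_DELETE buys nothing for this attribute, or None.

    attr carries the attributeSchema fields the check needs: lDAPDisplayName
    and linkID (0 or absent for a non-linked attribute). Linked values such as
    member/memberOf or manager/directReports are stripped when the object is
    tombstoned regardless of searchFlags, so they have to be saved and put
    back by other means, as the thread describes.
    """
    link_id = attr.get("linkID", 0)
    if link_id:
        side = "forward" if link_id % 2 == 0 else "back"
        return (f"{attr['lDAPDisplayName']} is a {side} link (linkID {link_id}); "
                "linked values are not kept on tombstones")
    return None


def ldif_modify(ldap_display_name: str, schema_nc: str, new_value: int) -> str:
    """LDIF modify entry for the attributeSchema object (importable with ldifde -i).

    Assumes the attribute's CN equals its lDAPDisplayName, which holds for the
    usual custom attributes but must be verified for built-in ones.
    """
    return "\n".join([
        f"dn: CN={ldap_display_name},{schema_nc}",
        "changetype: modify",
        "replace: searchFlags",
        f"searchFlags: {new_value}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample: a company-specific attribute already indexed and in the ANR set.
    current = 0x1 | 0x4
    print(decode(current))                                  # ['INDEX', 'ANR']
    new = compose(current, add=("PRESERVE_ON_DELETE",))     # 13
    print(decode(new))                                      # ['INDEX', 'ANR', 'PRESERVE_ON_DELETE']
    print(ldif_modify("exampleCorp-Lifecycle",
                      "CN=Schema,CN=Configuration,DC=example,DC=com", new))
    # Linked attributes (constructed sample records): flagging them is a no-op for recovery.
    for sample in ({"lDAPDisplayName": "memberOf", "linkID": 3},
                   {"lDAPDisplayName": "manager", "linkID": 42}):
        print(preserve_check(sample))
```

Run the decode step against the live value of the attribute on the Schema FSMO before composing the new one, then import the LDIF there, in line with the isolated-site procedure joe describes.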
| AD000001290
Posts:0
 | | 09/28/2005 7:36 AM |
| Thanks Guido. You hit the nail on the head :)
I'm drafting a recovery plan that encompasses all aspects of AD recovery from a single object up to recovery of the whole forest. However, I don't as yet have any concrete requirements from the business so thought it might be prudent to ask others of their experiences whilst I gather requirements.
I do however take your point that it's really down to my/our requirements and that they will drive the designs, ultimately.
I really appreciate the feedback from the likes of yourself - it's proved to be very useful.
thanks,
neil | | | |
|
|