Guidelines for choosing the most appropriate store for directory information

Here are some guidelines to follow to choose the most appropriate store for placing directory information (usually requested as a schema extension, with additions of attributes and/or classes)

If a schema change is required for an enterprise-wide application, such as Exchange Server that has a major integration (effect’s most objects in the forest) and required interaction with security principals the change probably has to take place in the main forest. However, if the schema change is required for an application that a small population of the organization will use, You should determine whether deploying a such global change to satisfy the needs of this small population of the organization is warranted, in addition you should analyze whether the schema change is a long-term or short-term requirement, also if the data to be hosted in the directory is frequently changing, or is already hosted in a different format with in the forest,

You should consider an alternative directory store, such as a specific application directory using Active Directory Lightweight Directory Services (AD LDS) to support applications that depend on schema extensions that are not desirable in the AD DS directory— for one or more reasons such as schema extensions that only are useful to a single application or only required on a short-term basis.

The following table supports the process to determine the most appropriate directory information store for a particular application/schema extension.

 

Description

Points

A small population of the organization will benefit/use the schema extension, less than 40% 2 points
Schema extension are deployed on short-term basis, application/system lifecycle equal to/or less than 2 years 2 points
Schema extension will host data already available in AD DS 8 points
Schema extension will store more than 256k on a single object 3 points
Schema extension will introduce none-optimizeable LDAP queries 4 points
Schema extension OIDs can’t be verified 12 points

If the schema extension qualifies for more than 3 points above, I advised to choose Active Directory Lightweight Directory Services (AD LDS) as the directory information store over Active Directory Domain Services (AD DS).

Identity Management Strategy Ideas

I recommend most customers to implement an identity Life-Cycle Management process to provision and de-provision identities where those identities and it’s associated data on a best effor will automatically flow in from an authoritative data source with the ability for approved managers to use an manual process to fill in missing data (there is usally no way to fully automate all scenarios in large enterprises) in existing identities or request new ones outside the automated flow. I also believes that providing Self-Service into the flow, so that end-users can complement any missing data will enhance the overall identity quality. 

 

Here is some general ideas and recommendations :

 

·        FTE – Full Time Employees. On best effort HR-driven provision and de-provision with the ability for approved managers to request an identity before it becomes available in the HR system, once the identity appear in the HR system it will merge with the one requested on forehand by the manager.

FTE’s should be able to some extent modify/correct the data about their own identity(s) using a Self-Service Portal, such as adding a cell-phone number. Security mechanisms, compliance management and approved managers should have the ability to quarantine identities and keep them on hold.

The de-provisioning process should be HR-driven and identities should be archived up on unemployment so that tracking possibilities remain and approved managers should be able to access/transfer remaining work associated with the identity(s).

 

·        Vendors and Contractors. On best effort Sponsor-driven provisioning and de-provisioning where the sponsor (the person responsible for contracting the vendor/contractor) approves and provide a central repository with required information for external users, the end date for the contract should also be defined.

Vendors and Contractors should have limited access to modify/correct the data about their own identity(s) using a Self-Service Portal, such as perform a reset of their passwords, Security mechanisms, compliance management and the sponsor should have the ability to quarantine identities and keep them on hold.

The de-provisioning process should be Sponsor-driven and/or expire date-driven, identities should be archived so that tracking possibilities remain and the sponsor should be able to access/transfer remaining work associated with the identity(s).
 

 

·        Temporary Accounts. Temporary accounts should be provisioned by approved managers which are required to provide a central repository with required information about the identity that will gain temporary access, defining an end date for the temporary account should be required.

Temporary Accounts should not have access to modify data using a Self-Service Portal, Security mechanisms, Compliance management and the managers should have the ability to quarantine identities and keep them on hold.

The de-provisioning process should be expire date-driven, identities should be archived so that tracking possibilities remain and approved managers should be able to access/transfer remaining work associated with the identity(s).

 

 

·        Administrative Accounts. Administrative Accounts Administrative Accounts should be driven by an already existing identity that controls provisioning and de-provisioning where an approved manager after that the identity has been validated either by a board or/and in conjunction with security responsibilities approves and provide a central repository with required information for an administrative account.

Administrative Accounts should have limited access to modify/correct the data about their own identity(s) using a Self-Service Portal, such as perform a reset of their passwords, Security mechanisms, compliance management and approved managers should have the ability to quarantine identities and keep them on hold.

The de-provisioning process should be driven by an already existing (regular) identity and/or expire date-driven, identities should be archived so that tracking possibilities remain and approved managers should be able to access/transfer remaining work associated with the identity(s).

Active Directory Migration Tool version 3.2 (ADMT v3.2) has been released


ADMT v3.2 has finally been released to the public; I’m currently involved in a migration project where we consolidate over 70+ forests to one corporate forest running Windows Server 2008 R2 and one of the main benefits with version 3.2 is the support for Windows Server 2008 R2


About ADMT 3.2

 

ADMT v3.2 is an out-of-band tool available as a free download (in 8 languages: English, Chinese (Simplified and Traditional), French, German, Japanese, Portuguese, and Spanish) to enable customers to deploy Active Directory in the following scenarios:

 

        Migration of Active Directory data from one environment to another. ADMT 3.2 specifically supports migration to Windows Server 2008 R2 with added support for Managed Service Accounts.

 

        Restructuring of Active Directory environment due to mergers, acquisitions, divestitures, consolidations, etc.

 

 

 

From the download page:

 

 

 

Overview

 

The Active Directory Migration Tool version 3.2 (ADMT v3.2) simplifies the process of migrating objects and restructuring tasks in an Active Directory® Domain Service (AD DS) environment. You can use ADMT v3.2 to migrate users, groups, service accounts, and computers between AD DS domains in different forests (inter-forest migration) or between AD DS domains in the same forest (intra-forest migration). ADMT can also perform security translation (to migrate local user profiles) when performing inter-forest migrations.

 

 

 

System Requirements

 

·        Supported Operating Systems: Windows Server 2008 R2

 

·        ADMT can be installed on any computer capable of running the Windows Server 2008 R2 operating system, unless they are Read-Only domain controllers or in a Server Core configuration.

 

·        Target domain: The target domain must be running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2

 

·        Source domain: The source domain must be running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2

 

·        The ADMT agent, installed by ADMT on computers in the source domains, can operate on computers running Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

 

 

You can download ADMT v3.2 here