Active Directory Schema Info
SafeWord® RemoteAccess™ follows Microsoft's best practices in the Active Directory schema
SafeWord RemoteAccess adds strong authentication to VPNs, RADIUS devices, Citrix®
MetaFrame® applications, and Outlook Web Access, positively identifying these remote
users. SafeWord RemoteAccess delivers security through one-time passcode-generating
hardware tokens. Only the SafeWord server knows which passcode will allow the user
to gain access, which eliminates threats from outsiders stealing, copying, or reusing
passwords to gain unauthorized access.
SafeWord RemoteAccess is managed directly from Microsoft Active Directory, allowing
administrators to easily manage tokens and users.
Schema extension recommendations
Some network administrators and IT staff members have expressed reluctance to install
applications that extend the Active Directory schema, as evidenced in several online
discussion groups. While the Microsoft knowledge base suggests using caution when
making changes to the Active Directory schema, Microsoft expressly states that
extending the AD schema to add new definitions is, in fact, encouraged when it is
done following Microsoft's recommendations.
Microsoft recommends only using schema extensions that follow recommended "best
practices." SafeWord RemoteAccess follows the Microsoft best practices list. The
list, found at
http://msdn2.microsoft.com/en-us/library/ms806972.aspx,
includes the following guidelines for extending the schema.
Best practices include:
- The schema is neither a database nor a file system. Don't treat it as such.
- Place references in the directory that point to other data stores instead of using the directory for something for which it was not designed.
- Only define globally interesting, relatively static information in the schema.
- Objects defined in the schema should not be created very often or modified frequently.
- Objects should have a long life.
- Use twice the maximum replication frequency when determining longevity or frequency.
- Test the application in a private forest and with other applications before deploying.
- The schema upgrade must be separate from the application installation.
SafeWord RemoteAccess has followed the Microsoft recommendations to create the SafeWord
RemoteAccess Active Directory extension.
Application requirements for shipping
Microsoft offers some caveats for schema extensions that ship with applications
such as SafeWord RemoteAccess. These caveats have been followed: a separate install
has been created for SafeWord RemoteAccess, and the following steps recommended
by Microsoft have been implemented:
- The application must use a registered prefix and base OID for each class and attribute.
- The application must have a unique schemaIDGUID for each class and attribute.
- LDIF files for your schema installation must be created.
- The application uses LDIFDE.exe to load the LDIF files.
- The application and schema extensions were tested on a local network.
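As an added illustration of the shipping checklist above (not code from the SafeWord product or from Microsoft), a small Python pre-deployment check that parses a schema-extension LDIF file and verifies that every class and attribute carries an OID under the registered base OID, a name with the registered prefix, and a unique 16-byte schemaIDGUID. The base OID 1.3.6.1.4.1.99999.1, the prefix exampleToken- and the LDIF entries are constructed placeholders, not a real allocation.

```python
import base64
# Constructed placeholders, not a real allocation: the registered base OID and name
# prefix every class and attribute must stay under. The sample LDIF's class entry
# reuses the attribute's GUID and uses an OID outside the allocation.
BASE_OID, NAME_PREFIX = "1.3.6.1.4.1.99999.1", "exampleToken-"
GUID_A = base64.b64encode(bytes(range(1, 17))).decode()  # constructed 16-byte GUID
SAMPLE_LDIF = f"""dn: CN=exampleToken-Serial,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
attributeID: {BASE_OID}.1
lDAPDisplayName: exampleToken-Serial
schemaIDGUID:: {GUID_A}

dn: CN=exampleToken-User,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: classSchema
governsID: 1.2.3.4.5
lDAPDisplayName: exampleToken-User
schemaIDGUID:: {GUID_A}
"""

def parse_ldif(text):
    """Yield LDIF entries as dicts attr -> [values]; '::' values decode to bytes."""
    entry = {}
    for line in text.splitlines() + [""]:
        if not line.strip():                    # a blank line terminates the entry
            if entry:
                yield entry
            entry = {}
            continue
        name, _, value = (p.strip() for p in line.partition(":"))
        if value.startswith(":"):               # "attr:: <base64>" form
            value = base64.b64decode(value[1:])
        entry.setdefault(name, []).append(value)

def check_schema_ldif(text, base_oid=BASE_OID, name_prefix=NAME_PREFIX):
    """Return findings against the shipping checklist; an empty list means it passes."""
    findings, seen = [], {}
    for e in parse_ldif(text):
        classes = e.get("objectClass", [])
        if "attributeSchema" not in classes and "classSchema" not in classes:
            continue                            # not a schema object (e.g. a reload trigger)
        oid_attr = "attributeID" if "attributeSchema" in classes else "governsID"
        name, oid = e.get("lDAPDisplayName", ["?"])[0], e.get(oid_attr, [""])[0]
        if not oid.startswith(base_oid + "."):
            findings.append(f"{name}: {oid_attr} {oid!r} is outside the registered base OID")
        if not name.startswith(name_prefix):
            findings.append(f"{name}: lDAPDisplayName lacks the registered prefix")
        guid = e.get("schemaIDGUID", [b""])[0]
        if not isinstance(guid, bytes) or len(guid) != 16:
            findings.append(f"{name}: schemaIDGUID missing or not a 16-byte GUID")
        elif seen.setdefault(guid, name) != name:
            findings.append(f"{name}: schemaIDGUID duplicates {seen[guid]}")
    return findings
```

Run it against the real LDIF in the private test forest before LDIFDE.exe loads it; the import itself cannot know which OID arc you own, so this check is the only place that requirement gets enforced.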