
Protecting the Schema
In order to safeguard the
integrity of the Windows 2000 enterprise-wide schema, ITSS will attempt to be as
proactive as possible in identifying applications that may adversely affect
the schema. ITSS will also assume the responsibility of making the Stanford
Windows community aware of such problems. This responsibility includes sending
out messages that identify applications that may affect the schema, and notes
concerning the schema changes and conflicts that might be caused if certain
applications are installed.
To do this, ITSS will
need your help. We are forming a Schema Committee that will help monitor these
issues, address questions about changes in schema attributes, and oversee the
testing of new applications that may influence the schema. Here is a brief
outline of the system described so far.
The Schema Committee
- A Windows Schema committee will be formed with
representatives from the ITSS Windows support team and one representative
from each domain.
- Only domains will have a representative on the Schema
committee. Operating Units will participate through the domain of which
they are a part, not as direct participants on the committee.
- Meetings to discuss pending requests for schema
changes will be held once a month. While these meetings will be held at
regularly scheduled times, they may be canceled if there are no
application issues or schema change requests pending.
- Requests submitted between scheduled meetings
that are urgent in nature may be vetted with the committee either via
email or a specially scheduled meeting to address the request. We do not
anticipate this will come up very often, but if it does we can move to
bi-weekly scheduled meetings.
Modifying the Schema
- Schema attributes will be assigned on a first-come,
first-served basis. Should this become an issue, the conflict will be
presented to the Campus IT Council for resolution. The Campus IT Council
comprises the managers of IT departments across campus.
- Proposed schema changes will be examined for the
following:
  - Privacy. Sensitivity to the privacy
  of personal data (in keeping with FERPA (the Family
  Education Rights and Privacy Act) standards, and with Stanford
  University's privacy policy).
  - Appropriateness. Is Windows Active
  Directory the proper place for this data? Data that belongs in the Stanford
  Registry should be added there and synchronized to Windows Active
  Directory; this prevents us from creating conflicting sources of data.
  - Correct ACLs. The default ownership and
  security ACLs of objects and attributes implemented by the schema change
  should be set correctly.
  - Conflict with existing directory
  objects or attributes
  - Interference with existing production
  services
  - Compliance with Stanford's Fair Use
  Computing Policy
  Proposed schema changes that meet one of these criteria will be closely
  examined in order to find reasonable solutions.
- All active attributes for the production system that
constitute additions to the default schema will be
published in the ITSS Windows web pages. For each additional
attribute, the attribute's name, what it is set to, what its purpose is,
the sponsor who requested the change, and the date it was implemented will
be shown. Until an attribute schema change request is implemented, the
page will reflect "none at this time". A similar page will
reflect information for the pre-production environment.
- Changes will only be performed during standard W2K
production maintenance windows.
- The Stanford Change
Management System will be used to notify and inform administrators of
changes that have been approved by the Schema committee. We will request
that W2K Schema be added as a group in the system.
- The ITSS Windows support team will respond to
submitted requests by the next business day. They will also enter the
request in the Stanford
Change Management System and pursue resolution of the request.
Testing Schema Changes
- Prior to submitting a test request, the requestor
must have a complete test plan to prevent any conflicts or problems within
the test area.
- ITSS will provide access to a tree for testing
changes. This will consist of schema access to the 'crash and burn' domain
for the members of the committee, along with the responsibility to send a
message to the team for notification and documentation purposes.
Crash-and-burn will have only a subset of objects and will not be fully
interoperable. The pre-production area will be fully loaded, with data
exposure and privacy issues protected as in the production environment.
Once a requestor has tested in crash-and-burn, they must email the Windows
Support team to test the change in the pre-production environment. The
requestor must have their own pre-production environment to test the user
side of the changes. Pre-production testing will generally be limited to
one week to allow full access to the test area, but in most cases this
time will be modified at the request of the tester.
- Only the ITSS Windows support team will have the ability
to make changes to the pre-production or production schema. Once a change
has been tested in the pre-production environment, it is submitted to CMS
for vetting with the Schema committee and then for production scheduling.
The Windows 2000 Roles and
Responsibilities document defines the checks that are performed to
protect the production environment.
- It is critical that administrators follow the
complete process for these changes because there is no 'undo' capability
for the schema. If a change causes problems in the production system, it
will require a complete re-load from tape to restore the domain to a
working state.
- Attribute changes that are proposed for custom
applications within the Stanford domain must be named using the 'SU-name'
format. Stanford is registered with the ISO Name Registration Authority
and is able to register those changes if needed. This requires
coordination with the Directory team.
If you have any questions
about the hows and whys of modifying the schema, please send email to the
Windows Schema Committee at
windows-schema@lists.stanford.edu
Last modified by
barkills at 6/11/2001 2:57 PM
©2000 Trustees of
the Leland Stanford Junior University