There was a little kerfuffle about AD schema extensions recently. Jackson Shaw smacked Mark Wilcox around for spreading FUD about Vintela, and Mark walked it back a little later.
I thought I would offer some advice about AD schema extensions from the standpoint of having worked on a product that actually required AD schema extensions. The product that was originally OpenNetwork DirectorySmart and later became BMC WAM allowed you to write web access control policies based on the users and security groups in AD. But to do this you have to extend the AD schema. Of course the product also supported ADAM, iPlanet, and eDirectory, so if AD schema extensions were an issue there was always an alternative.
Now when Mark claimed that many companies have a policy against AD schema extensions he was quite correct. When Jackson stated that virtually every company’s AD schema has been extended he was also quite correct.
What gives?
It all depends on who is modifying the AD schema and why. Or, put another way, just because a company is willing to modify its AD schema to deploy Exchange and Messenger doesn't mean it will modify its AD schema to support your product. Some companies will, but some won't.
At OpenNetwork we had many customers who would deploy a dedicated AD instance for their partners' and customers' identities (especially pre-ADAM). For these instances they didn't really care if the schema was extended. Some customers chose the product for their corporate-wide web access control and SSO and thus made the required schema extensions. But we did have a number of lost opportunities where the potential customer wanted direct AD support but wouldn't make the required schema extensions.
The bottom line is that if you are planning on developing a product based on AD, don't require schema extensions if you can avoid it.
