Active Directory Optimization
Indexing certain attributes used by the Quest Authentication Services Unix agent can have a dramatic effect on the performance and scalability of your Unix and Active Directory integration project.
The Custom Unix Attributes panel in the Preferences section of QAS Control Center displays a warning if the Active Directory configuration is not optimized according to best practices.
One Identity recommends indexing the following attributes in Active Directory as a best practice.
Note: LDAP display names vary depending on your Unix attribute mappings.
User UID Number
User Unix Name
Group GID Number
Group Unix Name
It is also a best practice to add all Unix identity attributes to the global catalog. This reduces the number of Active Directory lookups that the QAS Unix agents and the ADUC snap-in need to perform.
You can find the LDAP display name for each Unix attribute in the Custom Unix Attributes panel in the Preferences section of QAS Control Center (or from running /opt/quest/bin/vastool schema list).
The defaults are:
uidNumber
gidNumber
gecos
unixLoginShell
unixHomeDirectory
For example, you can add the following attributes to the global catalog:
logonHours
accountExpires
pwdLastSet
lockOutTime
Click the Optimize Schema link to run a script that updates these attributes as necessary.
Note: The Optimize Schema option is only available if you have not optimized the Active Directory schema.
This operation requires administrative rights in Active Directory.
The user performing the task should be a member of both the Domain Admins and Schema Admins groups.
If you do not have the necessary rights to optimize your schema, Optimize Schema instead generates a schema optimization script.
You can send the script to an Active Directory administrator who has rights to make the necessary changes.
All schema optimizations are reversible and no schema extensions are applied in the process.
ADDITIONAL INFORMATION:
Attribute               | Added to GC | Indexed
------------------------|-------------|--------
User UID Number         | *           | *
User Unix Name          | *           | *
User Primary GID Number | *           |
User Gecos              | *           |
User Homedirectory      | *           |
User LoginShell         | *           |
Group GID Number        | *           | *
Group Unix Name         | *           | *
logonHours              | *           |
accountExpires          | *           |
pwdLastSet              | *           |
lockOutTime             | *           |
The table above shows the changes made by Optimize Schema when running in Schema mode.
When running in Schemaless mode, the attribute AltSecurityIdentities is indexed and added to the global catalog.
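The following read-only check, added here as an example and not part of the One Identity article or of the Optimize Schema script, reports for each attribute in the table above whether it is currently indexed (searchFlags bit 0x1) and present in the global catalog (isMemberOfPartialAttributeSet). It assumes the RSAT ActiveDirectory module, read access to the schema partition, and the default attribute mappings listed earlier; the User and Group Unix Name attributes are site-specific and must be added from the Custom Unix Attributes panel or vastool schema list.

```powershell
# Added example: verifies the state Optimize Schema produces in Schema mode.
# Assumes the ActiveDirectory module and the page's default attribute names.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$ATTINDEX = 0x1   # searchFlags bit that requests an index on the attribute

# Expected state per the table above (default mappings assumed). gidNumber is
# indexed because the Group GID Number maps to it. Add your User/Group Unix
# Name attributes here with Indexed = $true; InGC = $true.
$expected = @{
    'uidNumber'         = @{ Indexed = $true;  InGC = $true }
    'gidNumber'         = @{ Indexed = $true;  InGC = $true }
    'gecos'             = @{ Indexed = $false; InGC = $true }
    'unixHomeDirectory' = @{ Indexed = $false; InGC = $true }
    'unixLoginShell'    = @{ Indexed = $false; InGC = $true }
    'logonHours'        = @{ Indexed = $false; InGC = $true }
    'accountExpires'    = @{ Indexed = $false; InGC = $true }
    'pwdLastSet'        = @{ Indexed = $false; InGC = $true }
    'lockOutTime'       = @{ Indexed = $false; InGC = $true }
}

$results = foreach ($name in $expected.Keys) {
    # Look the attributeSchema object up by its LDAP display name.
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" `
        -Properties searchFlags, isMemberOfPartialAttributeSet
    if (-not $attr) {
        Write-Warning "$name not found in the schema; check your Unix attribute mappings"
        continue
    }
    $isIndexed = [bool]($attr.searchFlags -band $ATTINDEX)
    $inGC      = [bool]$attr.isMemberOfPartialAttributeSet
    [pscustomobject]@{
        Attribute = $name
        Indexed   = $isIndexed
        InGC      = $inGC
        # True when the attribute still lacks something Optimize Schema would set.
        NeedsFix  = ($expected[$name].Indexed -and -not $isIndexed) -or
                    ($expected[$name].InGC -and -not $inGC)
    }
}

$results | Sort-Object NeedsFix -Descending | Format-Table -AutoSize
```

Any row with NeedsFix = True is an attribute the Optimize Schema link (or the generated script run by a Schema Admin) would still need to change.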