Custom OID:s in Active Directory

I've been asked at my new job to add a couple of extra custom user attributes to Active Directory. When I was about to add the custom attributes in the Schema Editor I noticed an attribute name that started with the company name and decided to check it out.

It turns out that a previous admin has added a custom attribute using the "wrong" OID-prefix, namely:

1.2.840.113556.1.8000.999999.2.1

Which is the example mentioned in the following TechNet article https://msdn.microsoft.com/en-us/library/ms677620(v=vs.85).aspx, and not an OID generated from the script referenced in that article.

It also says in that same article that: “Once you have a base OID, be careful when deciding how the OIDs should be divided into categories, because these OIDs are contained in the prefix table and are part of the DC replication data. It is recommended that no more than two OID categories be created.”

  • Should this be a cause for concern/something that needs to be fixed? Or can this only cause issues if we ever needed to establish a trust with a separate domain that has made the same mistake?
  • I’m not sure I understand the recommendation regarding the two OID categories, what possible issues could arise if I choose to add a second set of two OID categories using the OID prefix generated from the script? It should be a better option than to continue down the current path using the wrong prefix, right?


Any input is greatly appreciated,

Rashi
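
An added example, not part of the original post: a PowerShell audit that lists schema attributes and classes whose OID sits under the sample prefix quoted above, so the full extent of its use is known before any decision is made. The function names and the sample objects are hypothetical and constructed for illustration; the commented live query assumes the ActiveDirectory module is installed.

```powershell
# Added example: flag schema objects registered under the documentation sample prefix.
$SamplePrefix = '1.2.840.113556.1.8000.999999'   # prefix quoted in the post

function Test-OidUnderPrefix {
    param([string]$Oid, [string]$Prefix)
    # Compare on arc boundaries so ...8000.9999991 is not treated as ...8000.999999
    return ($Oid -eq $Prefix) -or
           $Oid.StartsWith("$Prefix.", [System.StringComparison]::Ordinal)
}

function Find-SamplePrefixSchemaObject {
    param(
        [Parameter(ValueFromPipeline)] $SchemaObject,
        [string]$Prefix = $SamplePrefix
    )
    process {
        # attributeSchema objects carry attributeID; classSchema objects carry governsID
        $oid = if ($SchemaObject.attributeID) { $SchemaObject.attributeID }
               else { $SchemaObject.governsID }
        if ($oid -and (Test-OidUnderPrefix -Oid $oid -Prefix $Prefix)) {
            [pscustomobject]@{
                Name = $SchemaObject.lDAPDisplayName
                Oid  = $oid
                Kind = if ($SchemaObject.attributeID) { 'attribute' } else { 'class' }
            }
        }
    }
}

# Constructed sample objects (hypothetical names) so the logic runs without a domain.
$constructed = @(
    [pscustomobject]@{ lDAPDisplayName = 'exampleBadgeId';   attributeID = '1.2.840.113556.1.8000.999999.2.1' }
    [pscustomobject]@{ lDAPDisplayName = 'exampleLookalike'; attributeID = '1.2.840.113556.1.8000.9999991.2.1' }
    [pscustomobject]@{ lDAPDisplayName = 'examplePerson';    governsID   = '1.2.840.113556.1.8000.999999.1.1' }
    [pscustomobject]@{ lDAPDisplayName = 'mail';             attributeID = '0.9.2342.19200300.100.1.3' }
)
$constructed | Find-SamplePrefixSchemaObject | Format-Table -AutoSize

# Live use against the forest schema:
# $nc = (Get-ADRootDSE).schemaNamingContext
# Get-ADObject -SearchBase $nc -Properties attributeID, governsID, lDAPDisplayName `
#     -LDAPFilter '(|(objectClass=attributeSchema)(objectClass=classSchema))' |
#     Find-SamplePrefixSchemaObject
```

On the constructed input this reports `exampleBadgeId` and `examplePerson` and skips the other two entries.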


