I believe the school of thought here is that the person has write access to the
same volume as the DIT, which means he/she can easily perform DoS attacks, etc.
by filling up the disk.

I agree it's unlikely, but there you go. Take the [real] examples of where
people with write access to SYSVOL have decided to replicate ghost images, etc.
which not only trashes FRS, but fills the disk so that only the 20MB reserve
files are left (which can easily be used up with dodgy custom synchronisation
scripts that don't know what a USN is [past experience showing?] ;-)

I don't believe the recommendations for Logs and DIT go either. Yes, the logs
are predominantly write, while most of the DIT usage is read, but the logs are
circular. Why waste a mirrored set for < 100 MB of disk even if disk is cheap?
Plus, as already stated in the same argument, most of the activity is read, so
is there really performance to be gained by having nano-second better response
times on the file writes? Other than implementation or re-provisioning or
restoration, I can't see the need to separate the logs.

I'm involved with a design at the moment that has a 30+ GB DIT (~320,000 users
at the moment) and I'm using my earlier recommendations for the disks for DCs.
We're arguing over whether RAID10 or RAID5 for the logical disk(s) that contain
the non-OS volumes should be used, but there's not much difference there on a
4 - 6 disk set - the argument is political to do with different standards for
the management people. But then, the SYSVOL volume is also a scratch area for
administrators. The DIT and OS volumes are very much off limits, and secured
thus.

--Paul