[ActiveDir] Moving Sysvol .

2006-08-08 Thread Yann
Hello :)

I have my AD w2k3sp1 hard disk configured as this:
hdd1: AD logs.
hdd2: ntds.dit + sysvol.

I would like to change my hdd2, so I move the ntds.dit in hdd1 and that's ok. But how to move the sysvol folder in hdd1? Is there a way to do this?

Thanks for your replies.

Yann
		 


RE: [ActiveDir] Moving Sysvol .

2006-08-08 Thread Robert Rutherford

http://support.microsoft.com/?kbid=842162

Robert Rutherford
QuoStar Solutions Limited
   
  
 
 
  



Re: [ActiveDir] Moving Sysvol .

2006-08-08 Thread Paul Williams



Yes, you can relocate the SYSVOL. It's just a little more involved (couple of extra steps, not difficult) than moving the DIT. See:
 -- http://support.microsoft.com/?id=842162

However, if I might be so bold as to make a suggestion here, I would recommend you leave SYSVOL where it is, giving you:

0: Windows
1: DIT and Logs
2: SYSVOL

You don't want SYSVOL on the same disk as the database. Especially if you are delegating things like GPO modification, etc. to non-admins or lesser admins.

--Paul



RE: [ActiveDir] Moving Sysvol .

2006-08-08 Thread neil.ruston



Try this MS article:
http://support.microsoft.com/?kbid=842162

neil


PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.





RE: [ActiveDir] Moving Sysvol .

2006-08-08 Thread neil.ruston



... but then there's the school of thought that says you should:

 - Place DIT and logs on separate spindles, since DIT is read intensive and logs are write intensive

Since SYSVOL is also read intensive, I'd prefer to place SYSVOL with the DIT.

To be honest, I don't follow the delegation argument...GPOs exist in SYSVOL and AD so if delegating access to GPOs, surely there is an argument for placing SYSVOL and DIT on the *same* disk(?)

neil








RE: [ActiveDir] Moving Sysvol .

2006-08-08 Thread Darren Mar-Elia



Yea, I'm not sure why one has to do with the other (GPO delegation and security of the DIT). GPO delegation simply involves granting permissions on individual GPC objects in AD and individual folders in the GPT (SYSVOL). The only risk I can see is that it is marginally easier to fill up a disk by writing a ton of data into SYSVOL than it is to do that by generating millions of AD objects (both of which a "lesser" admin can do), but if either happens, you probably have bigger problems than the disk with the DIT on it filling up.
 




Re: [ActiveDir] Moving Sysvol .

2006-08-08 Thread Paul Williams



I believe the school of thought here is that the person has write access to the same volume as the DIT, which means he/she can easily perform DOS attacks, etc. by filling up the disk. I agree it's unlikely, but there you go. Take the [real] examples of where people with write access to SYSVOL have decided to replicate ghost images, etc. which not only trashes FRS, but fills the disk so that only the 20MB reserve files are left (which can easily be used up with dodgy custom synchronisation scripts that don't know what a USN is [past experience showing?] ;-)

I don't believe the recommendations for Logs and DIT go either. Yes, the logs are predominantly write, while most of the DIT usage is read, but the logs are circular. Why waste a mirrored set for < 100 MB of disk even if disk is cheap? Plus, as already stated in the same argument, most of the activity is read, so is there really performance to be gained by having nano-second better response times on the file writes? Other than implementation or re-provisioning or restoration, I can't see the need to separate the logs.

I'm involved with a design at the moment that has a 30+ GB DIT (~320,000 users at the moment) and I'm using my earlier recommendations for the disks for DCs. We're arguing over whether RAID10 or RAID5 for the logical disk(s) that contain the non-OS volumes should be used, but there's not much difference there on a 4 - 6 disk set - the argument is political to do with different standards for the management people. But then, the SYSVOL volume is also a scratch area for administrators. The DIT and OS volumes are very much off limits, and secured thus.

--Paul
 


RE: [ActiveDir] Moving Sysvol .

2006-08-08 Thread Darren Mar-Elia



I hear what you're saying with respect to DOS attacks and filling up the disk with Ghost images but I think what you're talking about is trying to design around dumb mistakes. When has that ever been a task without end? :-) I'm all for designing for performance, availability, etc. but I think you also need systems (disk quotas, monitoring, auditing come to mind in this scenario) to keep your administrators honest.



RE: [ActiveDir] Moving Sysvol .

2006-08-08 Thread neil.ruston



All fair points, Paul - I guess I'd view these concerns in a different way:

 - Use a GPO management tool to abstract away native GPO rights
 - If admins cannot be trusted not to fill SYSVOL with sh** then don't give them any rights in SYSVOL [similar to above point]
 - If SYSVOL has its own partition, you still have the potential for adminA to fill the disk with cr** and thus hinder the legitimate efforts of adminB to make changes to a GPO. Granted, this 'DOS' only affects SYSVOL, but then if GPO is broken then you're in big trouble anyway :)
 - Granted a separate disk for logs *is* overkill. Consider using that partition / disk in other ways (GPO backups; system state backups, build source files etc etc).

my 2 penneth,
neil




Re: [ActiveDir] Moving Sysvol .

2006-08-08 Thread Paul Williams



Yeah, I'm not disagreeing with what you and Darren say. In fact, I mostly agree. I'm just working in a high security environment where every detail is scrutinised and extra care needs to be taken with everything. I've always been one of these people that try and look at both sides of the security versus operability arguments and think that if it can be hardened without causing issues, it should be. Many of us on this list, and in the groups, are of the opinion that non DAs shouldn't have write access to the OS and DIT volumes, even if performing proper administrative functions. Therefore a scratch volume that contains SYSVOL works well if you have non-DAs working with GPOs using native tools. The AD side of GPO is easily managed against most forms of attack. The file system still poses an element of risk.

The tools for doing this stuff are a given. If they're not using the management tools on the management servers then they shouldn't be allowed to work. This is just another little piece in the big puzzle that is locking everything down to the point of (insert opinion here)...

In my case, the scratch area played an important part in the decision and that swung the idea for me so I spout it off a lot now. But consider the malicious user, as opposed to the foolish, or naive admin. If they've got write (or even read) access to certain areas of the DC where sensitive files are...

--Paul
 

  - Original Message - 
  From: 
  [EMAIL PROTECTED] 
  To: ActiveDir@mail.activedir.org 
  
  Sent: Tuesday, August 08, 2006 4:37 
  PM
  Subject: RE: [ActiveDir] Moving Sysvol 
  .
  
  All fair points, Paul - I guess I'd view these concerns 
  in a different way:
   
   - Use a GPO management tool to abstract away native 
  GPO rights
   - If admins cannot be trusted not to fill SYSVOL 
  with sh** then don't give them any rights in SYSVOL [similar to above 
  point]
   - If SYSVOL has its own partition, you still have 
  the potential for adminA to fill the disk with cr** and thus hinder the 
  legitimate efforts of adminB to make changes to a GPO. Granted, this 'DOS' 
  only affects SYSVOL, but then if GPO is broken then you're in big trouble 
  anyway :)
   - Granted a separate disk for logs 
  *is* overkill. Consider using that partition / disk in other ways (GPO 
  backups; system state backups, build source files etc 
  etc).
   
  my 2 penneth,
  neil
  
  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Paul 
  WilliamsSent: 08 August 2006 16:22To: 
  ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Moving Sysvol 
  .
  
  I believe the school of thought here is 
  that the person has write access to the same volume as the DIT, which means 
  he/ she can easily perform DOS attacks, etc. by filling up the disk.  
  I agree it's unlikely, but there you 
  go.  Take the [real] examples of where people with write access to SYSVOL 
  have decided to replicate ghost images, etc. which not only trashes FRS, but 
  fills the disk so that only the 20MB reserve files are left (which can easily 
  be used up with dodgy custom synchronisation scripts that don't know what an 
  USN is [past experience showing?] ;-)
   
  I don't believe the recommendations for 
  Logs and DIT go either.  Yes, the logs are predominently write, while 
  most of the DIT usage is read, but the logs are circular.  Why waste a 
  mirrored set for < 100 MB of disk even if disk is cheap?  Plus, as 
  already stated in the same argument, most of the activity is read, so is there 
  really performance to be gained by having nano-second better response times on 
  the file writes?  Other than implementation or re-provisioning or 
  restoration, I can't see the need to separate the logs.
   
  I'm involved with a design at the moment 
  that has a 30+ GB DIT (~320,000 users at the moment) and I'm using my earlier 
  recommendations for the disks for DCs.  We're arguing over whether RAID10 
  or RAID5 for the logical disk(s) that conatin the non-OS volumes should be 
  used, but there's not much difference there on a 4 - 6 disk set -the argument 
  is political to do with different standards for the management people.  
  But then, the SYSVOL volume is also a scratch area for administrators.  
  The DIT and OS volumes are very much off limits, and secured 
thus.
   
   
  --Paul
   
  
- Original Message -
From: Darren Mar-Elia
To: ActiveDir@mail.activedir.org
Sent: Tuesday, August 08, 2006 3:58 PM
Subject: RE: [ActiveDir] Moving Sysvol .

Yea, I'm not sure why one has to do with the other (GPO 
delegation and security of the DIT). GPO delegation simply involves granting 
permissions on individual GPC objects in AD and individual folders in the 
GPT (SYSVOL). The only risk I can see is that it is

RE: [ActiveDir] Moving Sysvol .

2006-08-17 Thread Almeida Pinto, Jorge de



to mitigate that risk you can also place a DUMMY file (let's 
say with the size of something like 1 GB)
 
normally, if the disk with the DIT/SYSVOL fills up you will 
not have any space left to work with or to take any actions to solve the 
problem.
however, if you create one (or more) dummy files you can give 
yourself more space if the volume fills up. simply delete the dummy file and you 
can continue for a short while, which also gives you time to resolve anything you 
want more easily
I also use this when working with VMs to do some tests 
(sometimes I have multiple VMs on my laptop). As soon as the disk fills the VM 
software complains and if I don't have any spare space left it crashes the VMs 
and the virtual software. I use three dummy files for that, whereas the first 
two are used as a warning.
W2K3 and WXP provide a very nice utility called FSUTIL
 
 
For my VMs I use:
CreateBogusFile1_050MB.cmd --> FSUTIL FILE CREATENEW E:\VMs\FakeFile1.bogus 5000
CreateBogusFile2_100MB.cmd --> FSUTIL FILE CREATENEW E:\VMs\FakeFile2.bogus 1
CreateBogusFile3_200MB.cmd --> FSUTIL FILE CREATENEW E:\VMs\FakeFile3.bogus 2
 
For your DIT/SYSVOL volumes you can do something like
FSUTIL FILE CREATENEW :\\FakeFile.bogus 10 (= 1 GB)
the numeric value is specified in KBs
 
jorge

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
  Sent: Tuesday, August 08, 2006 16:58
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Moving Sysvol .
  
  Yea, I'm not sure why one has to do with the other (GPO 
  delegation and security of the DIT). GPO delegation simply involves granting 
  permissions on individual GPC objects in AD and individual folders in the 
  GPT (SYSVOL). The only risk I can see is that it is marginally 
  easier to fill up a disk by writing a ton of data into SYSVOL than 
  it is to do that by generating millions of AD objects (both of which a 
  "lesser" admin can do), but if either happens, you probably have bigger 
  problems than the disk with the DIT on it 
  filling up.
   
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Tuesday, August 08, 2006 6:58 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Moving Sysvol .
  
  ... but then there's the school of thought that says you 
  should:
   
   - Place DIT and logs on separate spindles, since DIT is read intensive and logs are write intensive
   
  Since SYSVOL is also read intensive, I'd prefer to place SYSVOL with 
  the DIT. 
   
  To be honest, I don't follow the delegation argument... GPOs exist in SYSVOL and 
  AD so if delegating access to GPOs, surely there is an argument for placing 
  SYSVOL and DIT on the *same* disk(?)
   
   
  neil
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
  Sent: 08 August 2006 13:35
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Moving Sysvol .
  
  Yes, you can relocate the SYSVOL.  
  It's just a little more involved (couple of extra steps, not difficult) than 
  moving the DIT.  See:
   -- http://support.microsoft.com/?id=842162
   
   
  However, if I might be so bold as to 
  make a suggestion here, I would recommend you leave SYSVOL where it is, giving 
  you:
   
  0: Windows
  1: DIT and Logs
  2: SYSVOL
   
   
  You don't want SYSVOL on the same disk 
  as the database.  Especially if you are delegating things like GPO 
  modification, etc. to non-admins or lesser admins.
   
   
  --Paul
  
- Original Message -
From: Yann
To: ActiveDir@mail.activedir.org
Sent: Tuesday, August 08, 2006 1:14 PM
Subject: [ActiveDir] Moving Sysvol .

Hello :)
 
I have my AD w2k3sp1 hard disk configured as this:
hdd1: AD logs.
hdd2: ntds.dit + sysvol.
 
I would like to change my hdd2, so I move the ntds.dit in hdd1 and 
that's ok. But how to move the sysvol folder in hdd1? Is there a way to do 
this?
 
Thanks for your replies.
 
Yann
 


RE : RE: [ActiveDir] Moving Sysvol .

2006-08-08 Thread Yann
Thanks a lot :)

Next time, I will look first in MS kb

Cheers,

Yann

Robert Rutherford <[EMAIL PROTECTED]> wrote:

http://support.microsoft.com/?kbid=842162

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: 08 August 2006 13:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Moving Sysvol .

Hello :)

I have my AD w2k3sp1 hard disk configured as this:
hdd1: AD logs.
hdd2: ntds.dit + sysvol.

I would like to change my hdd2, so I move the ntds.dit in hdd1 and that's ok. But how to move the sysvol folder in hdd1? Is there a way to do this?

Thanks for your replies.

Yann


RE : Re: [ActiveDir] Moving Sysvol .

2006-08-08 Thread Yann
Paul,

Thanks for your suggestion. I will follow your advice in order to secure my ntds.dit

Thanks again,

Yann

Paul Williams <[EMAIL PROTECTED]> wrote:

Yes, you can relocate the SYSVOL.  It's just a little more involved (couple of extra steps, not difficult) than moving the DIT.  See:
 -- http://support.microsoft.com/?id=842162

However, if I might be so bold as to make a suggestion here, I would recommend you leave SYSVOL where it is, giving you:

0: Windows
1: DIT and Logs
2: SYSVOL

You don't want SYSVOL on the same disk as the database.  Especially if you are delegating things like GPO modification, etc. to non-admins or lesser admins.

--Paul

- Original Message -
From: Yann
To: ActiveDir@mail.activedir.org
Sent: Tuesday, August 08, 2006 1:14 PM
Subject: [ActiveDir] Moving Sysvol .

Hello :)

I have my AD w2k3sp1 hard disk configured as this:
hdd1: AD logs.
hdd2: ntds.dit + sysvol.

I would like to change my hdd2, so I move the ntds.dit in hdd1 and that's ok. But how to move the sysvol folder in hdd1? Is there a way to do this?

Thanks for your replies.

Yann