Hi,

I have a problem with remote sites in active directory not applying group
policies.  I've discovered that when the PC starts or logs on it will send
an oversize ICMP packet to the DC to establish that the connection is
available and good.  As my sites are connected through a VPN via a PIX I've
discovered that the ICMP gets blocked by the PIX.

Apparently, by default, the PIX does not allow ICMP packets greater than 2k and the
packet from the PC to the DC is bigger than this, therefore the PC doesn't
get a reply so assumes that the connection is not that great, thus the
USERENV does not download and apply the GPOs.

I've found that there are two workarounds to this problem. One is to
modify the registry on every PC to not bother sending the packet and just
download GPOs anyway by adding these keys:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"GroupPolicyMinTransferRate"=dword:00000000


Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"GroupPolicyMinTransferRate"=dword:00000000

..and the other is to increase the allowed size of the ICMP packet on the
PIX from 2k to something higher like 3k.  

I can't really justify changing 1000s of PCs' registry settings when I
believe there is a quicker solution by modifying the PIX.

So the question is (finally!), does anyone know how to increase the ICMP
packet size on the PIX?

TIA

Adam


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
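
Added example, not part of the original post: a PowerShell check, run from a PC at a remote site, that sends ICMP echoes of increasing payload size to a DC to confirm where replies stop, then reports whether the GroupPolicyMinTransferRate values from the post are set. The DC name, payload sizes and timeout are assumptions to replace with your own.

```powershell
# Added diagnostic sketch. $DomainController is a placeholder; point it at a DC
# on the far side of the VPN/firewall. Payload sizes are constructed sweep values.
param(
    [string]$DomainController = 'dc01.example.test',
    [int[]]$PayloadSizes      = @(32, 1024, 2048, 3072, 4096),
    [int]$TimeoutMs           = 2000
)

function Test-IcmpPayload {
    param([string]$Target, [int]$Size, [int]$TimeoutMs)
    $ping   = New-Object System.Net.NetworkInformation.Ping
    $buffer = New-Object byte[] $Size            # zero-filled echo payload
    try {
        $reply  = $ping.Send($Target, $TimeoutMs, $buffer)
        $status = $reply.Status.ToString()       # e.g. Success, TimedOut
        $rtt    = if ($status -eq 'Success') { $reply.RoundtripTime } else { $null }
    } catch {
        # Name resolution or socket failure: record it and keep sweeping
        $status = "Error: $($_.Exception.Message)"
        $rtt    = $null
    } finally {
        $ping.Dispose()
    }
    [pscustomobject]@{ PayloadBytes = $Size; Status = $status; RoundTripMs = $rtt }
}

$results = foreach ($size in $PayloadSizes) {
    Test-IcmpPayload -Target $DomainController -Size $size -TimeoutMs $TimeoutMs
}
$results | Format-Table -AutoSize

# Small echoes answered while large ones are lost points at a size limit on the path
$answered = @($results | Where-Object { $_.Status -eq 'Success' })
$lost     = @($results | Where-Object { $_.Status -ne 'Success' })
if ($answered.Count -gt 0 -and $lost.Count -gt 0) {
    $maxOk   = ($answered | Measure-Object -Property PayloadBytes -Maximum).Maximum
    $minLost = ($lost     | Measure-Object -Property PayloadBytes -Minimum).Minimum
    "Largest payload answered: $maxOk bytes; smallest payload lost: $minLost bytes"
}

# Report whether the registry workaround from the post is already in place
foreach ($key in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System',
                 'HKCU:\Software\Policies\Microsoft\Windows\System') {
    $item = Get-ItemProperty -Path $key -Name GroupPolicyMinTransferRate -ErrorAction SilentlyContinue
    if ($null -eq $item) { "$key : GroupPolicyMinTransferRate not set" }
    else { "$key : GroupPolicyMinTransferRate = $($item.GroupPolicyMinTransferRate)" }
}
```

Running the same sweep before and after a firewall change shows whether the larger echoes now get through.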
