You need to enable ICMP echo with source clients, dest DCs, and ICMP echo-reply with source DCs, dest clients.
 
The rules look something like this:
 
access-list DC_VLAN_OUT line 1 permit icmp any object-group domain_controllers echo
 
access-list DC_VLAN_IN line 1 permit icmp object-group domain_controllers any echo-reply
 
Have your network people considered rate-limiting ICMP packets rather than 
shutting them down altogether? IMHO that's the correct way to handle this. 
Ping (echo, echo-reply) and traceroute (traceroute, time-exceeded) are 
necessary pieces of a network.
 
Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
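As an added illustration (not code from the thread), a small Python model of the two rules above, with constructed object-group members, that parses them and checks what they actually let through, including the ICMP types outside the ping pair:

```python
from dataclasses import dataclass
from typing import Optional

# Members of the object-group are constructed sample addresses: the post names
# the group "domain_controllers" but does not list what is in it.
OBJECT_GROUPS = {"domain_controllers": {"10.0.10.5", "10.0.10.6"}}

# The two rules as quoted in the reply (PIX/ASA style).
ACL_TEXT = """
access-list DC_VLAN_OUT line 1 permit icmp any object-group domain_controllers echo
access-list DC_VLAN_IN line 1 permit icmp object-group domain_controllers any echo-reply
"""

@dataclass
class Rule:
    line: int
    action: str
    src: Optional[set]   # None means "any"
    dst: Optional[set]
    icmp_type: str       # echo, echo-reply, time-exceeded, ... or "any"

def _parse_addr(tok, i):
    """Return (address set, or None for 'any'; index of the next token)."""
    if tok[i] == "object-group":
        return OBJECT_GROUPS[tok[i + 1]], i + 2
    if tok[i] == "any":
        return None, i + 1
    return {tok[i]}, i + 1            # single host address

def parse_acl(text):
    """Parse 'access-list NAME line N permit|deny icmp SRC DST [TYPE]' lines."""
    acls = {}
    for raw in text.strip().splitlines():
        tok = raw.split()
        if not tok or tok[0] != "access-list" or "icmp" not in tok:
            continue
        p = tok.index("icmp")
        src, i = _parse_addr(tok, p + 1)
        dst, i = _parse_addr(tok, i)
        icmp_type = tok[i] if i < len(tok) else "any"
        acls.setdefault(tok[1], []).append(
            Rule(int(tok[3]), tok[p - 1], src, dst, icmp_type))
    for rules in acls.values():
        rules.sort(key=lambda r: r.line)   # lowest line number is checked first
    return acls

def permits(rules, src_ip, dst_ip, icmp_type):
    """First match wins; no match is the firewall's implicit deny."""
    for r in rules:
        if ((r.src is None or src_ip in r.src)
                and (r.dst is None or dst_ip in r.dst)
                and r.icmp_type in ("any", icmp_type)):
            return r.action == "permit"
    return False
```

Running it shows the quoted rules cover ping only: a time-exceeded reply from a DC to a client, which traceroute relies on, falls through to the implicit deny and would need its own permit entry.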

________________________________

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Fri 12/30/2005 9:25 AM
To: activedirectory
Subject: [ActiveDir] icmp's


What effect would blocking ICMP packets on all VLANs have on Win2k/XP client 
logons in a Win2k forest?
Any?
 
I know clients ping DCs to see which responds first and later ping DCs to 
determine round trip time for GPO processing, but would blocking ICMP have 
any adverse effects on clients?
I only ask because my corp blocks ICMP on all our VLANs and I get a lot of 
event ID 1000 from Userenv with error code 59, which, when I looked it up, refers 
to network connectivity issues. I think this event ID is related to the fact we 
block ICMP packets and I was wondering if that's something I should worry about 
in a Win2k network. 
Thanks
