“Note Exchange doesn't take kindly to ICMP echo being disabled either. If Exchange can't ping a DC, DSACCESS does not see that DC unless you have specially configured it.”

Which, I always thought, was a pretty funny way of doing things anyway.  As you are well aware, ping doesn't mean alive and healthy.  I know of many people who have spent hours to days troubleshooting a problem just to find that the machine they first suspected as being the problem pinged just fine.  Sadly, it was dead from the neck up, and ports 389 and 3268 were non-responsive (along with all of the other really important stuff).

Rick
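Rick's point above (a DC that answers ping with 389/3268 silent) and Brian's ACL further down (only echo/echo-reply opened) both come down to probing the right thing. The script below is an added example, not code from this thread or from any of the posters: it probes each DC by ICMP echo and by TCP connect to 389 and 3268 and labels the combinations the thread discusses. The hostname is a placeholder, the ping flags are those of the stock OS ping utility, and the local-listener helper exists only so the TCP probe can be exercised offline.

```python
import socket
import subprocess
import sys

LDAP_PORT, GC_PORT = 389, 3268  # LDAP on every DC; 3268 only on GC-enabled DCs

def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connect to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def icmp_echo(host: str, timeout: float = 2.0) -> bool:
    """True if the OS ping utility gets an echo-reply to a single probe."""
    if sys.platform.startswith("win"):
        cmd = ["ping", "-n", "1", "-w", str(int(timeout * 1000)), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(int(timeout)), host]
    try:
        return subprocess.run(cmd, capture_output=True, timeout=timeout + 3).returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False

def classify(ping_ok: bool, ldap_ok: bool, gc_ok: bool) -> str:
    """Name the situations the thread describes from the three probe results."""
    if ldap_ok and gc_ok:  # directory is up; a ping-gated locator (DSACCESS) would still skip it if ICMP is blocked
        return "healthy" if ping_ok else "icmp-blocked-but-directory-ok"
    if not (ldap_ok or gc_ok):  # "dead from the neck up": answers ping, 389/3268 silent
        return "pings-but-directory-dead" if ping_ok else "unreachable"
    return "partial-only-one-of-389-3268"

def check_dc(host: str) -> dict:
    ping_ok, ldap_ok, gc_ok = icmp_echo(host), tcp_open(host, LDAP_PORT), tcp_open(host, GC_PORT)
    return {"host": host, "icmp": ping_ok, "ldap389": ldap_ok, "gc3268": gc_ok,
            "verdict": classify(ping_ok, ldap_ok, gc_ok)}

def local_probe_demo() -> tuple:  # offline self-check of tcp_open against a local listener
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = tcp_open("127.0.0.1", port)
    srv.close()
    return while_open, tcp_open("127.0.0.1", port)  # (True, False)

if __name__ == "__main__":  # usage: python dcprobe.py dc1.corp.example dc2.corp.example
    for dc in sys.argv[1:] or ["dc1.corp.example"]:  # placeholder hostname
        print(check_dc(dc))
```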


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 10:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] icmp's

I would agree, the old style logon scripts should be fine, UNLESS you have implemented your own speed sensing based on icmp in the logon script (many of us did that long before MS did it for those who didn't figure it out).

Note Exchange doesn't take kindly to ICMP echo being disabled either. If Exchange can't ping a DC, DSACCESS does not see that DC unless you have specially configured it. If you never want to fail outside of a segment, then that is the way to do it, but most people would rather fail over to any DC versus say, nah, those are too far away, even though none of my local DCs are available if things go pear shaped.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, January 01, 2006 9:07 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] icmp's

I personally haven't heard it referred to as "legacy".  I think that may be because it wasn't a legacy method when I last heard it ;)

I haven't tested this, so your mileage may vary, but: the "legacy" method would have been created and designed for a time before ICMP was the norm. As such, I wouldn't expect that to break if ICMP was disabled.  Several things will break, but I don't believe that's one of them.

Test it.  You'll know for sure then, right?  Besides, I don't imagine a lot of networks out there are configured with ICMP disabled like that.

Al

On 12/31/05, Tom Kern <[EMAIL PROTECTED]> wrote:

That's it.

Isn't that the way it's referred to in MS-speak?

I hope I didn't just make that up...

On 12/30/05, Brian Desmond <[EMAIL PROTECTED]> wrote:

presumably setting the scriptPath attribute on accounts...

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

________________________________

From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Fri 12/30/2005 8:13 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] icmp's


When you say legacy way, what does that mean exactly?


On 12/30/05, Tom Kern <[EMAIL PROTECTED]> wrote:

       Would this also affect clients getting logon scripts?
       And when I say logon scripts, I mean the legacy way of distributing them, NOT through GPOs.

       Thanks again



       On 12/30/05, Brian Desmond <[EMAIL PROTECTED]> wrote:

                You need to enable ICMP echo (source: clients, destination: DCs), and ICMP echo-reply (source: DCs, destination: clients).

               The rules look something like this:

               access-list DC_VLAN_OUT line 1 permit icmp any object-group domain_controllers echo

               access-list DC_VLAN_IN line 1 permit icmp object-group domain_controllers any echo-reply

                Have your network people considered rate-limiting ICMP packets rather than shutting them down altogether?  IMHO that's the correct way to handle this. Ping (echo, echo-reply) and traceroute (traceroute, time-exceeded) are necessary pieces of a network.

               Thanks,
               Brian Desmond
               [EMAIL PROTECTED]

               c - 312.731.3132

               ________________________________

               From: [EMAIL PROTECTED] on behalf of Tom Kern
               Sent: Fri 12/30/2005 9:25 AM
               To: activedirectory
               Subject: [ActiveDir] icmp's


                What effect would blocking ICMP packets on all VLANs have on Win2k/XP client logons in a Win2k forest?
                Any?

                I know clients ping DCs to see which responds first and later ping DCs to determine round trip time for GPO processing, but would blocking ICMP have any adverse effects on clients?
                I only ask because my corp blocks ICMP on all our VLANs and I get a lot of event ID 1000 from Userenv with error code 59, which, when I looked it up, refers to network connectivity issues. I think this event ID is related to the fact that we block ICMP packets, and I was wondering if that's something I should worry about in a Win2k network.
                Thanks