Re: Login AD and ICMP
- From: "Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx>
- Date: Fri, 31 Aug 2007 12:27:01 -0500
ICMP is used to detect whether a link is slow or fast, for such pieces of AD
as group policy ... if it doesn't get a response in a certain time frame
(it suspects it is too slow) group policy application is not attempted.
For Active Directory to function correctly through a firewall, the Internet
Control Message Protocol (ICMP) protocol must be allowed through the
firewall from the clients to the domain controllers so that the clients can
receive Group Policy information.
ICMP is used to determine whether the link is a slow link or a fast link.
ICMP is a legitimate protocol that Active Directory uses for Group Policy
detection and for Maximum Transfer Unit (MTU) detection. The Windows
Redirector also uses ICMP to verify that a server IP is resolved by the DNS
service before a connection is made.
If you want to minimize ICMP traffic, you can use the following sample
firewall rule:
<any> ICMP -> DC IP addr = allow
From
http://support.microsoft.com/kb/179442
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"BZP" <p.audonnet@xxxxxxxxx> wrote in message
news:1188580525.448952.19570@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hello,
I remarked that AD clients ping their DC (ICMP) at the computer logon
and user logon.
Why? And what are the consequences if ICMP is blocked?
I don't manage a KB which deals with that.
Thanks !
--
P.A.
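
A client-side check for the behaviour described in the reply above, as an added example that is not part of the post or of KB 179442. The function name, the placeholder DC name `dc01.example.test`, the 2048-byte payload, three rounds, 10 ms shortcut and 500 Kbps threshold are assumptions modelled on the classic Group Policy slow-link test, not values stated in this thread.

```powershell
# Added example. Sends a small and a large ICMP echo to a DC, the way the
# slow-link test is described above, and reports what a client would conclude.
# Payload size, rounds, 10 ms shortcut and threshold are assumed defaults.
function Test-DcIcmpLink {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [int]$PayloadBytes  = 2048,
        [int]$Rounds        = 3,
        [int]$ThresholdKbps = 500,
        [int]$TimeoutMs     = 2000
    )
    $ping   = New-Object System.Net.NetworkInformation.Ping
    $small  = [byte[]]::new(0)               # zero-byte echo payload
    $large  = [byte[]]::new($PayloadBytes)   # large echo payload
    $deltas = @()
    try {
        for ($i = 0; $i -lt $Rounds; $i++) {
            $r1 = $ping.Send($DomainController, $TimeoutMs, $small)
            if ($r1.Status -ne 'Success') {
                # No reply at all: the case where policy is not attempted
                return "No echo reply ($($r1.Status)): ICMP to the DC appears blocked"
            }
            if ($r1.RoundtripTime -lt 10) { return "Fast link (RTT under 10 ms)" }
            $r2 = $ping.Send($DomainController, $TimeoutMs, $large)
            if ($r2.Status -ne 'Success') {
                # Small echo passes, large one does not: look at size or fragment filtering
                return "Small echo OK, $PayloadBytes-byte echo failed ($($r2.Status))"
            }
            $deltas += ($r2.RoundtripTime - $r1.RoundtripTime)
        }
    }
    catch {
        # Name resolution failure or other ping error
        return "Ping failed: $($_.Exception.Message)"
    }
    finally { $ping.Dispose() }

    $avg = ($deltas | Measure-Object -Average).Average
    if ($avg -le 0) { return "Fast link (large echo no slower than small echo)" }
    # Payload travels both ways; bits per millisecond equals Kbps
    $kbps = [math]::Round((2 * $PayloadBytes * 8) / $avg)
    if ($kbps -lt $ThresholdKbps) { "Slow link: about $kbps Kbps" }
    else                          { "Fast link: about $kbps Kbps" }
}

# dc01.example.test is a placeholder; substitute a real domain controller
Test-DcIcmpLink -DomainController 'dc01.example.test'
```

Run it from a client on the far side of the firewall, before and after applying the ICMP rule quoted in the reply, to confirm that echo traffic to the DC actually passes.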