  • icmp's


    What effect would blocking ICMP packets on all VLANs have on Win2k/XP client
    logons in a Win2k forest?
    Any?
    I know clients ping DCs to see which responds first and later ping DCs to
    determine round trip time for GP processing, but would blocking ICMP have
    any adverse effects on clients?
    I only ask because my corp blocks ICMP on all our VLANs and I get a lot of
    event ID 1000 from Userenv with error code 59 which, when I looked it up,
    refers to network connectivity issues. I think this event ID is related to
    the fact we block ICMP packets and I was wondering if that's something I
    should worry about in a Win2k network.
    Thanks
  • No.1

    Group policy issues.

    On the XP SP2 machines, if you enable the firewall but allow 445
    traffic, merely enabling 445 will also allow ICMP.
    The product team did this because they need it for group policy.

    See the discussion on the focusonms listserv way back when XP SP2 first came out.

    [Fire up your firewall and in the advanced window you can see it too]

    Tom Kern wrote:


  • No.2

    All ICMP traffic is being blocked between clients and DCs by a PIX
    firewall.

    I just want to know how this will affect client logons.

    I don't use the XP SP2 FW.

    I'm not sure I understand "Beads" comment about blocking it on a straight
    LAN.
    How can you block traffic on a non-segmented LAN?
    Something has to be blocking the traffic on a L3 switch/router or on a
    firewall sitting between networks or VLANs, etc.
    We don't use personal sw firewalls here.

    Anyway, what I really would like to know is: will blocking ICMP on a PIX FW
    between clients and DCs affect client logons or GP processing?

    Thanks a lot

    12/30/05, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <sbradcpa (AT) pacbell (DOT) net> wrote:


  • No.3

    You'll break GPs.

    We block ICMP to all VLANs except to our management VLAN (where the DCs roam).

    Tim

    From: ActiveDir-owner (AT) mail (DOT) activedir.org on behalf of Tom Kern
    Sent: Fri 12/30/2005 9:27 AM
    To: ActiveDir (AT) mail (DOT) activedir.org
    Subject: Re: [ActiveDir] icmp's


  • No.4

    You need to enable ICMP echo, source clients, dest DCs, and ICMP echo-reply,
    source DCs, dest clients.

    The rules look something like this:

    access-list DC_VLAN_OUT line 1 permit icmp any object-group domain_controllers echo

    access-list DC_VLAN_IN line 1 permit icmp object-group domain_controllers any echo-reply

    Have your network people considered rate-limiting ICMP packets rather than shutting them down altogether? IMHO that's the correct way to handle this. Ping (echo, echo-reply) and traceroute (traceroute, time-exceeded) are necessary pieces of a network.

    Thanks,
    Brian Desmond
    brian (AT) briandesmond (DOT) com

    c - 312.731.3132

    From: ActiveDir-owner (AT) mail (DOT) activedir.org on behalf of Tom Kern
    Sent: Fri 12/30/2005 9:25 AM
    To: activedirectory
    Subject: [ActiveDir] icmp's

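    An added example, not code from the thread: a small Python evaluator for PIX-style object-group and ICMP access-list lines, checking that the two rules above let a client's echo reach the DCs and the DCs' echo-reply come back, while every other ICMP flow (replies in the wrong direction, echo to non-DC hosts, unsolicited echo from a DC) still hits the implicit deny. The addresses, the object-group members and the list name DC_VLAN_OUT are assumptions.

```python
"""Evaluate PIX-style ICMP access-list lines against sample client/DC flows.
Constructed sample modelled on the thread's two permit lines; the object-group
members, client addresses and the list name DC_VLAN_OUT are assumptions."""
import ipaddress
import re

# PIX keyword names for the ICMP types the thread mentions.
ICMP_TYPES = {"echo-reply": 0, "echo": 8, "time-exceeded": 11, "traceroute": 30}
# Constructed sample: a DC object-group plus the two permit lines.
SAMPLE_CONFIG = """
object-group network domain_controllers
 network-object host 10.10.1.10
 network-object host 10.10.1.11
access-list DC_VLAN_OUT line 1 permit icmp any object-group domain_controllers echo
access-list DC_VLAN_IN line 1 permit icmp object-group domain_controllers any echo-reply
"""
ADDR = r"any|host\s+\S+|object-group\s+\S+"
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:line\s+\d+\s+)?(?P<action>permit|deny)"
    rf"\s+icmp\s+(?P<src>{ADDR})\s+(?P<dst>{ADDR})(?:\s+(?P<type>\S+))?\s*$"
)


def parse_config(text):
    """Return (groups, acls): group -> set of hosts, ACL name -> ordered rules."""
    groups, acls, current = {}, {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("object-group network "):
            current = line.split()[2]
            groups[current] = set()
        elif line.startswith(" network-object host ") and current:
            groups[current].add(ipaddress.ip_address(line.split()[2]))
        else:
            current = None
            m = ACL_RE.match(line.rstrip())
            if not m:
                raise ValueError("unparsed line: " + line)
            t = m.group("type")  # None means the rule matches every ICMP type
            acls.setdefault(m.group("name"), []).append({
                "action": m.group("action"), "src": m.group("src"), "dst": m.group("dst"),
                "type": ICMP_TYPES[t] if t in ICMP_TYPES else (int(t) if t else None),
            })
    return groups, acls


def _matches(spec, addr, groups):
    """Match an address against an 'any', 'host X' or 'object-group G' spec."""
    if spec == "any":
        return True
    kind, value = spec.split()
    if kind == "host":
        return addr == ipaddress.ip_address(value)
    return addr in groups.get(value, set())


def evaluate(acl_name, src, dst, icmp_type, config=SAMPLE_CONFIG):
    """First-match evaluation of one named ACL; PIX implicit deny at the end."""
    groups, acls = parse_config(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in acls.get(acl_name, []):
        if (_matches(rule["src"], src, groups) and _matches(rule["dst"], dst, groups)
                and rule["type"] in (None, icmp_type)):
            return rule["action"]
    return "deny"


def gp_ping_allowed(client, dc, config=SAMPLE_CONFIG):
    """The thread's requirement: the client's echo must reach the DC and the DC's
    echo-reply must get back, or Group Policy slow-link detection fails."""
    return (evaluate("DC_VLAN_OUT", client, dc, ICMP_TYPES["echo"], config) == "permit"
            and evaluate("DC_VLAN_IN", dc, client, ICMP_TYPES["echo-reply"], config) == "permit")
```

    Run `gp_ping_allowed` for each client subnet and DC pair after a firewall change; a False result is the condition that produces the Userenv errors the original post describes.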
  • No.5

    Would this also affect clients getting logon scripts?
    And when I say logon scripts, I mean the legacy way of distributing them,
    NT through GPs.

    Thanks again

  • No.6

    Not likely.

    Thanks,
    Brian Desmond
    brian (AT) briandesmond (DOT) com

    c - 312.731.3132

    From: ActiveDir-owner (AT) mail (DOT) activedir.org on behalf of Tom Kern
    Sent: Fri 12/30/2005 3:36 PM
    To: ActiveDir (AT) mail (DOT) activedir.org
    Subject: Re: [ActiveDir] icmp's

  • No.7

    When you say legacy way, what does that mean exactly?

  • No.8

    presumably setting the scriptPath attribute on accounts

    Thanks,
    Brian Desmond
    brian (AT) briandesmond (DOT) com

    c - 312.731.3132

    From: ActiveDir-owner (AT) mail (DOT) activedir.org on behalf of Al Mulnick
    Sent: Fri 12/30/2005 8:13 PM
    To: ActiveDir (AT) mail (DOT) activedir.org
    Subject: Re: [ActiveDir] icmp's

  • No.9

    That's it.

    Isn't that the way it's referred to in MS-speak?

    I hope I didn't just make that up

  • No.10

    I personally haven't heard it referred to as "legacy". I think that may be
    because it wasn't a legacy method when I last heard it ;)

    I haven't tested this, so your mileage may vary but: the "legacy" method
    would have been created and designed for a time before ICMP was the norm. As
    such, I wouldn't expect that to break if ICMP was disabled. Several things
    will break, but I don't believe that's one of them.

    Test it. You'll know for sure then right? Besides, I don't imagine a lot
    of networks out there are configured with ICMP disabled like that.

    Al

    12/31/05, Tom Kern <tpkern (AT) gmail (DOT) com> wrote:

  • No.11

    I thought I read somewhere in some MS doc it being referred to as "legacy"
    since now you can put multiple logon scripts in GPs and that they
    recommend doing it that way.

    Every time a new OS or feature comes out, MS tends to refer to the previous
    OS/feature as legacy or down-level.
    Maybe I just made a silly assumption that using a logon script as a user
    attribute (I guess somewhat similar to the way NT did it) instead of a GP
    was "legacy".
    Thanks

    1/1/06, Al Mulnick <amulnick (AT) gmail (DOT) com> wrote:

