1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

ICMP in Active Directory

Discussion in 'Software' started by Phil, Feb 8, 2006.

  1. Phil
    Honorary Member

    Phil Gigabyte Poster

    Something I came across recently which I thought might be useful to some of you guys.

    If you are implementing Active Directory in a secure environment such as a DMZ where the servers have firewalls between them, do not block ICMP between the servers, it breaks Group Policy updates amongst other things.

    After locking down the environment in the project I've been working on for the last couple of months I started to see some real odd behaviour on the DC's and member servers. The DC's started reporting they couldnt see any domain controllers for the domain after being rebooted and the member servers were reporting event ID 1054

    "[size=-1]Windows cannot obtain the domain controller name for your computer network. (<error description>). Group Policy processing aborted. "

    The only refernce from Microsoft I could find talked about the size of the ICMP packets being limited, not if you were totally blocking them. I then came across a post on Neohapsis from a Microsoft representative


    If you're looking for more info on this particular problem do a Google search on "ICMP Ping and Group Policy Update"

    Certifications: MCSE:M & S MCSA:M CCNA CNA
    WIP: 2003 Upgrade, CCNA Upgrade
  2. MarkN

    MarkN Nibble Poster

    Used this when I had to put DC's in a DMZ - I tended to create a seperate forest for the DMZ thus creating a security boundary above layer 3

    Certifications: MCSE NT4\W2K,CNE,CCEA,ASE

Share This Page