ICMP and Group Policy

Rob Commarota

We have DCs located at a different site and have blocked
ICMP through our routers to prevent the spread of a
Welchia infection that hit us. Since doing that, we have
noticed that group policies from the DCs at the different
site are no longer applied. Information in the article at

http://archives.neohapsis.com/archives/ntbugtraq/2003-q4/0043.html

leads me to believe that Windows 2000 needs ICMP in order
to do some of its stuff and I wanted confirmation of
this. The article above lists a fix that involves adding
the following two keys to every computer affected by this:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"GroupPolicyMinTransferRate"=dword:00000000

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"GroupPolicyMinTransferRate"=dword:00000000


and I wanted to know if this was a valid solution.

Thanks.
 
Alan Wood [MSFT]

Hi Rob,
That is not the complete solution to the problem. The bottom line is
that Directory Services uses much more than just the registry keys listed
for ICMP traffic. That is basically the slow link detection process. In
any case, DS uses ICMP Ping request replies for much more than that,
including SMB, LDAP, RPC, and other connections. There is no solution
other than enabling ICMP between DCs and clients.

Thank you,

Alan Wood[MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.
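
A diagnostic for the two conditions discussed in this thread, as an added example that is not part of either post: whether GroupPolicyMinTransferRate is set in each hive, and whether the DC answers ICMP echo while its LDAP and SMB ports are still reachable over TCP. The function name and the DC host name are hypothetical, and the script assumes PowerShell on a current Windows client.

```powershell
# Added example, not from the thread. Function name and DC name are hypothetical.
function Test-GpoIcmpDependency {
    param(
        [Parameter(Mandatory)][string]$DomainController
    )

    $valueName = 'GroupPolicyMinTransferRate'
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System',
        'HKCU:\Software\Policies\Microsoft\Windows\System'
    )

    # Report whether the slow link detection value is present in each hive.
    $policy = foreach ($key in $keys) {
        $item = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key   = $key
            IsSet = $null -ne $item
            Value = if ($item) { $item.$valueName } else { $null }
        }
    }

    # ICMP echo to the DC; -Quiet returns $true or $false.
    $icmpOk = Test-Connection -ComputerName $DomainController -Count 2 -Quiet

    # TCP reachability of LDAP (389) and SMB (445), to tell an ICMP filter
    # on the path apart from a DC that is unreachable altogether.
    $tcp = foreach ($port in 389, 445) {
        [pscustomobject]@{
            Port      = $port
            Reachable = Test-NetConnection -ComputerName $DomainController -Port $port `
                            -InformationLevel Quiet -WarningAction SilentlyContinue
        }
    }

    [pscustomobject]@{
        DomainController = $DomainController
        IcmpEchoReply    = $icmpOk
        # True when TCP services answer but echo does not: ICMP is being filtered.
        IcmpFilteredOnly = (-not $icmpOk) -and ($tcp.Reachable -notcontains $false)
        TcpPorts         = $tcp
        SlowLinkPolicy   = $policy
    }
}

# Hypothetical DC name; replace with a DC at the remote site.
Test-GpoIcmpDependency -DomainController 'dc01.example.com' | Format-List
```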
 
