When a network infrastructure includes router-based firewalls, the function of the firewall, which is to silently discard traffic that the firewall has not been configured to forward, can impair specific networking functions. For example, if a firewall between two Microsoft Windows Active Directory directory service domain controllers has not been configured to allow all of the different types of traffic that domain controllers use to synchronize the Active Directory database, replication can fail.
When troubleshooting networking functions and reachability, a common step is to use the Ping tool (Ping.exe) and ping one computer from another. However, the Ping tool uses Internet Control Message Protocol (ICMP) Echo and Echo Reply messages, which is typically not the same traffic being used for the network function that is impaired. The firewalls between the two computers might be allowing ICMP traffic or might be dropping it. In either case, because the network function that is impaired is not using ICMP Echo traffic, the connectivity test with the Ping tool does not provide conclusive diagnostic information about the traffic that is being discarded (dropped) by the intermediate firewalls.
For definitive diagnostic information, you must be able to duplicate the exact type of traffic of the impaired network function using a tool that can report connectivity success or failure. Once you have determined the types of traffic that are being dropped by intermediate firewalls, you can configure the firewalls to forward the dropped traffic to restore connectivity for the impaired network function.
This article describes a set of tools that you can use to test network paths for specific types of traffic and how to use the tools to determine the most common types of traffic that are dropped by firewalls installed in a Windows networking infrastructure.
La suite de l'article sur http://www.microsoft.com/technet/community/columns/cableguy/cg0105.mspx