Ping Failure, but resolves name to IP 1

[awise]

Windows 2000 ADUC

I started an assignment to clean up old computer accounts and noticed that there were several accounts that had the following attributues;

First, these accounts were live, physical systems in use.
Single Forest, single domain, single subnet, DHCP
I could not ping these accounts by either name or ip.
The ping test by name would resolve to the correct IP when you would run IPCONFIG from that specified system
However, I could remote access into these systems from my own.
The users of these systems have not reported any issues or help desk requests. As far as I can tell, everything is accessible from these stations and the users are functioning completely.

There are also computer accounts that are no longer active,
that can not be pinged, but the ping by name ersolves to an IP, even though this system is no longer physically attached to the network. I would have deleted the account out of ADUC, but the live systems in use also failed the
ping test by name while resolving to an IP.

Why would this happen? Would flushing the local DNS, that our DC does act as our DNS server, remedy the sitaution where old computer accounts no longer on the network are failing the ping test, as they should, but the computer name is still resolving to an IP?

Appreciate any thoughts and suggestions.

zaw

 

[chipk]

If your clients are XP, the firewall is probably on. Other possibilities...maybe blocking ICMP?

For the computers that are no longer active, take a look at your aging/scavenging settings in DNS. Read up on this in the Help so you understand exactly what will happen when you enable this.

 

[Tyras]

Yes, normally anytime i am unable to ping but do get a DNS resolution, 9 out of 10 times it's a firewall issue.

Tyras

 

[edsyn]

I had exactly the same issue , by disabling WINXP firewall you should fix the problem .

 

[ShackDaddy]

In the first case, you have XP systems are running DHCP, so they automatically register their names in DNS and thus the pings by name resolve to IPs. But then the XP firewall blocks the ping.

In the second case, the computers may not exist anymore, but their entries on your DNS server still do. Check the Forward Lookup Zone on your DNS server for those computer names, and then check the Reverse Lookup Zone for your subnet to see if there are IP's that are configured to resolve to the names in question. If you delete the items from both places, once the caches clear, you shouldn't be able to ping those missing computers by name.

Removing the old computer accounts from the ADUC would not have an effect on what records my be in the DNS zone for them. If the records were automatically created for those old computers by DHCP's DNS registration service, the records usually expire over time, but they may have been hardcoded into DNS at one point, so it would be worth looking for them and removing them if you want.

The long and short of it: a name resolving to an IP is usually a function of your DNS server (and sometimes even your WINS server), not whether the computer actually exists or not. I wouldn't ever use it as a test for existence.

ShackDaddy