none
Migrated to 2012 - No One Can Print Now! RRS feed

  • Question

  • Hello,

    We have been in the process of migrating off of 2003 domain controllers to 2012.  Last week we started up the 2012 servers and added them to the domain as member servers.  Because we are a small domain (2 sites with about 20 printers in all), we manually added the printers to each 2012 server and connected everyone to the 2012 printer shares.  Everyone had been printing fine without any issues

    Over the weekend, we migrated off of a Windows 2003 domain and prompted the 2012 servers to DCs.  We made sure to transfer roles (PDC, etc) to the new 2012 server, DNS and DHCP. 

    Ever since then, printing has been a nightmare.  In the Admininstrative Events log we keep seeing stop errors:

    Installing printer driver - failed, error code 0x0, HRESULT 0x80070490. See the event user data for context information.

    The document Print Document, owned by BabC, failed to print on printer AcctLJ1. Try to print the document again, or restart the print spooler.
    Data type: RAW. Size of the spool file in bytes: 2239. Number of bytes printed: 0. Total number of pages in the document: 1. Number of pages printed: 0. Client computer: SysAcct1. Win32 error code returned by the print processor: 5. Access is denied.

    The ONLY changes have been making the 2012 servers domain controllers and making the domain a 2012 level domain.  I've searched the net for this issue but have not found anything that resolves this issue.  Thanks in advance.

    Monday, February 6, 2017 6:18 PM

Answers

  • Hi,

    Is the domain controller your print server?

    If you promoted the print server, you will need to reconfigure the security of the spool directories.  DCPROMO changes these so only admins can print.

    If you can setup a VM on the DC for your print server, this will be a better configuration.


    Alan Morris formerly with Windows Printing Team

    Monday, February 6, 2017 10:57 PM
    Answerer

All replies

  • Hi,

    Is the domain controller your print server?

    If you promoted the print server, you will need to reconfigure the security of the spool directories.  DCPROMO changes these so only admins can print.

    If you can setup a VM on the DC for your print server, this will be a better configuration.


    Alan Morris formerly with Windows Printing Team

    Monday, February 6, 2017 10:57 PM
    Answerer
  • Hi,
    Agree with Alan, generally, it is not suggested to install other roles on a domain controller, except for DNS, because this reduces possible resource conflicts and exploit vulnerabilities and minimizes patching of other applications that might cause downtime. Ideally, a DC should be easy to replace, just by standing up another DC. When you put other software and roles on a DC, you make it harder to replace it.
    Please have a try to move printers into other member servers and see if they are working well.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, February 7, 2017 7:58 AM
    Moderator
  • Thank you both.

    Yes - Both DC's are also acting as print servers.  I read a few articles on Microsoft's website and didn't see anything that indicated a DC should not or could not be used as a print server as well.  

    I checked the c:\windows\system32\spool folder and sub directories on the DCs and the USERS group has read/execute access to it and all sub directories.  Do users need more than READ to this folder?

    Do you think removing PRINT and DOCUMENT SERVICES (PRINT SERVER) and then adding it back will adjust the security on the folders for me so all domain users can print?

    Thanks again.


    • Edited by NickJax Tuesday, February 7, 2017 2:19 PM
    Tuesday, February 7, 2017 1:57 PM
  • Hi,

    The suggestion is based on the experience of most people, however, if you configure every settings well and maintain the server well, you could put other roles on domain controller.

    In addition, you could compare the security permission settings with a printer server which is not installed on DC and then adjust the one which is on the DC.

    Please always test it firstly before deploying it in the production environment.

    Best Regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, February 10, 2017 2:05 AM
    Moderator