Print Server Problem After DCPromo

  • Question

  • Hi all,

    I'm not sure if this belongs in the print/fax forum or the directory services forum. I guess it could be either...

    We've had a Windows Server 2008 R2 server running for a while at a branch office. We never made it a domain controller due to some old incompatible Samba servers on the network. We recently retired the last of the incompatible servers, so I promoted the Windows server to be a domain controller and global catalog, to improve performance and reduce WAN traffic to the branch office.

    DCPromo was successful. DNS is working well. Users are able to authenticate, connect to shares etc. However, all of the users' print queues stopped working.

    We create local printer ports on our workstations that point to the shared printers on the Windows server. This gives us more flexibility, in that we can rename the queues on the workstation and create multiple queues pointing to the same printer with different preferences (e.g. B&W and Colour queues). After the DC promotion, these queues started to fail with Access Denied messages.

    Users are able to browse to the printer shares and can even connect and print to them as remote printers, but when we try to create a local port that points to the share, we get access denied.

    Any suggestions would be most appreciated.

    Thanks,

    Pete


    Friday, September 7, 2012 5:05 PM

All replies

  • I'd say the security is different when the machine is a DC.  I do know that there are directory security changes to c:\windows\system32\spool\printers when the machine is a DC.  Compare the ACLs from a stand alone for user accounts as a start.


    Alan Morris Windows Printing Team

    Friday, September 7, 2012 5:12 PM
  • I would say, like Alan, that a security issue surely comes into play.

    I guess all those computers are domain-joined, with users that have local admin rights to test? If so, add a test user to the Print Operators group to see if the behavior changes; when you DCPromo, all of the local user database gets lost.

    If they are not local admins, you can give them more rights so they can add a local port on the computer. That explains why it works when they connect via the print server, but not when they try to create a printer port.


    MCP | MCTS 70-236: Exchange Server 2007, Configuring

    Want to follow me ?  |  Blog: http://www.jabea.net | http://blogs.technet.com/b/wikininjas/

    Friday, September 7, 2012 5:43 PM
  • Thank you for the suggestions, Alan and Yagmoth555.

    Sorry, I forgot to mention in the original post, all workstations are joined to the domain. All users are members of Domain Admins and are local administrators on their own workstations.

    I will check the permissions on c:\windows\system32\spool\printers and I will experiment with adding users to the Print Operators group and see how that goes.

    Could it be a group policy? Obviously, the server would move to the Domain Controllers OU and the Default Domain Controller GPO would take effect.

    Thanks again,

    Pete

    Friday, September 7, 2012 6:07 PM
  • I will test it out in my lab, give me some time. I find it strange that they are Domain Admins and you get that error on the workstation. They can format the computer, erase your AD, restrict it from receiving any GPO, etc., but they can't add a printer port? That's strange. Is UAC removed (at the minimum) if it's a Win7 workstation?

    MCP | MCTS 70-236: Exchange Server 2007, Configuring

    Want to follow me ?  |  Blog: http://www.jabea.net | http://blogs.technet.com/b/wikininjas/



    Friday, September 7, 2012 7:03 PM
  • Sorry, that was a typo - they are Domain Users but local admins ><
    Friday, September 7, 2012 7:29 PM
  • OK, I will look like a newbie, but how do you add a local printer to use the other printer connection? I'm testing it, and in my port listing I don't see anything like \\ps\printer.


    MCP | MCTS 70-236: Exchange Server 2007, Configuring

    Want to follow me ?  |  Blog: http://www.jabea.net | http://blogs.technet.com/b/wikininjas/

    Friday, September 7, 2012 7:38 PM
  • Add a Printer -> Add a Local Printer -> Create a new port -> Local Port -> Enter a port name \\server\share

    Friday, September 7, 2012 7:41 PM
  • Thanks :-)

    MCP | MCTS 70-236: Exchange Server 2007, Configuring

    Want to follow me ?  |  Blog: http://www.jabea.net | http://blogs.technet.com/b/wikininjas/

    Friday, September 7, 2012 7:45 PM
  • I confirm it's surely a restricting GPO. The default domain GPO never got changed, except for small stuff like password restrictions.

    I am logged in as a domain admin on a member server and it works fine to add the port like that. (Printer shared on a DC too.)

    Process Monitor on the workstation to see where the access denied happens?


    MCP | MCTS 70-236: Exchange Server 2007, Configuring

    Want to follow me ?  |  Blog: http://www.jabea.net | http://blogs.technet.com/b/wikininjas/


    Friday, September 7, 2012 7:49 PM
  • Comparing the permissions of c:\windows\system32\spool\printers between a member server and the promoted DC, I see:

    Member server: SERVER\Users - Special Permissions

    Promoted DC: DOMAIN\Users - Read & execute, List folder contents, Read

    I can't see what the "special permissions" are on the member server.

    Friday, September 7, 2012 7:55 PM
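
An added example, not part of the original thread: one way to expand the "Special Permissions" entry mentioned in the post above into named rights and list only the ACL entries that differ between the two machines. The host names MEMBER01 and DC01 are placeholders, and the account running it is assumed to have access to the c$ admin share on both servers.

```powershell
# Hypothetical host names: a member server and the promoted DC.
$servers = 'MEMBER01', 'DC01'
$relPath = 'c$\Windows\System32\spool\PRINTERS'   # reached via the admin share

function Get-SpoolAce {
    param([string]$Server)
    $acl = Get-Acl -Path "\\$Server\$relPath"
    foreach ($ace in $acl.Access) {
        New-Object PSObject -Property @{
            Server    = $Server
            # Drop the machine/domain prefix so SERVER\Users and DOMAIN\Users line up.
            Identity  = ($ace.IdentityReference.Value -split '\\')[-1]
            Type      = [string]$ace.AccessControlType
            # Named rights behind "Special permissions"; generic rights show as numbers.
            Rights    = [string]$ace.FileSystemRights
            Applies   = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
            Inherited = $ace.IsInherited
        }
    }
}

$aces = foreach ($s in $servers) { Get-SpoolAce -Server $s }

# Full listing, sorted so the same principal on both machines sits together.
$aces | Sort-Object Identity, Server |
    Format-Table Server, Identity, Type, Rights, Applies, Inherited -AutoSize

# Only the entries that differ between the two machines.
$member = @($aces | Where-Object { $_.Server -eq $servers[0] })
$dc     = @($aces | Where-Object { $_.Server -eq $servers[1] })
Compare-Object $member $dc -Property Identity, Type, Rights, Applies |
    Sort-Object Identity | Format-Table -AutoSize
```

In the Compare-Object output, `<=` marks an entry present only on the first server (the member server) and `=>` an entry present only on the second (the DC).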
  • Thank you for looking into this for me, Yagmoth555.

    Now I need to figure out which setting in the GPO is causing it - I have several other servers that I want to promote but they have more users and I don't want to re-map all of their printers :)

    Friday, September 7, 2012 8:02 PM
  • A quick help: as the error comes up on the workstation, run Process Monitor there. (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx)

    You will see where the access denied happens, and after that you can spot which setting blocks you :)


    MCP | MCTS 70-236: Exchange Server 2007, Configuring

    Want to follow me ?  |  Blog: http://www.jabea.net | http://blogs.technet.com/b/wikininjas/

    Monday, September 10, 2012 12:25 PM