Microsoft KB Archive/300896

= Windows 2000 Cluster Service Does Not Publish Clustered Printers in Active Directory =

Article ID: 300896

Article Last Modified on 11/1/2006

-

APPLIES TO


 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Service Pack 2

-



This article was previously published under Q300896



SYMPTOMS
The Cluster service supports the clustering of printer resources to provide highly-available printers to users. The Cluster service is not Active Directory aware and because of this, it does not use Kerberos authentication. If the Cluster service is required to interact with Active Directory, it must do so by using an anonymous (null) connection. If the Cluster service is unable to do this, access is not allowed. When clustered printers are published to Active Directory, they may not be registered properly, and because of this, may not be returned on a search (depending on the choices that are made during the Dcpromo.exe process).



CAUSE
The Cluster service must be allowed anonymous (null) access to the Active Directory to be able to publish clustered printers in the Active Directory. If the &quot;Permissions compatible with pre-Windows 2000 servers&quot; option is not selected during the Dcpromo.exe process for installing and configuring a domain controller (DC), the Everyone group is not 'nested' in the &quot;Pre-Windows 2000 Compatible Access&quot; built-in group. This effectively disallows anonymous (null) connections to the Active Directory, and prevents the Cluster service from publishing printers to the Active Directory. In a network trace of the behavior, the ldap AddRequest for the printer is noticeably absent, but all other ldap traffic is normal. Printers can still be defined locally on the node and published to the Active Directory. The failure occurs when the cluster virtual_server_name is used to publish the printers.

The following sample is a sample frame for an ldap AddRequest for publishing a printer to the Active Directory by using the cluster virtual server name.

NOTE: The virtual_server_name is associated with the cluster node (computer account) that the printer is initially configured on. TCP: .AP..., len: 337, seq:2731014096-2731014433, ack: 315560005, win:16820, src: 1391  dst:  389 LDAP: ProtocolOp: AddRequest (8) LDAP: MessageID = 158 (0x9E) LDAP: ProtocolOp = AddRequest LDAP: Object Name = CN=DELLPRINTSRV-HP4SI,CN=DELLNODEA,CN=Computers,DC=cluster,DC=co LDAP: Attribute Type = uNCName LDAP: Attribute Value = \\DELLPRINTSRV.cluster.com\HP4SI LDAP: Attribute Type = versionNumber LDAP: Attribute Value = 4 LDAP: Attribute Type = serverName LDAP: Attribute Value = DELLPRINTSRV.cluster.com LDAP: Attribute Type = shortServerName LDAP: Attribute Value = \DELLPRINTSRV LDAP: Attribute Type = printerName LDAP: Attribute Value = HP4SI LDAP: Attribute Type = objectClass LDAP: Attribute Value = printQueue The following sample is a sample frame for an Active Directory search request for the same printer that was previously added in the preceding sample: LDAP: ProtocolOp: SearchRequest (3) LDAP: MessageID = 61 (0x3D) LDAP: ProtocolOp = SearchRequest LDAP: Base Object = DC=cluster,DC=com LDAP: Scope = Whole Subtree LDAP: Deref Aliases = Never Deref Aliases LDAP: Size Limit = No Limit LDAP: Time Limit = No Limit LDAP: Attrs Only = 0 (0x0) LDAP: Filter LDAP: Filter Type = And LDAP: Filter Type = Not LDAP: Filter Type = Equality Match LDAP: Attribute Type = showInAdvancedViewOnly LDAP: Attribute Value = TRUE LDAP: Filter Type = Present LDAP: Attribute Type = uncName LDAP: Filter Type = Equality Match LDAP: Attribute Type = objectCategory LDAP: Attribute Value = printQueue LDAP: Filter Type = Substrings LDAP: Attribute Type = printerName LDAP: Substring (Initial) = hp4si LDAP: Attribute Description List LDAP: Attribute Type = objectClass LDAP: Attribute Type = printerName LDAP: Attribute Type = location LDAP: Attribute Type = driverName LDAP: Attribute Type = serverName LDAP: Attribute Type = description LDAP: Controls LDAP: Domain Scope Control LDAP: Criticality = 0 (0x0) LDAP: Paged Control LDAP: Criticality = 255 (0xFF) LDAP: Page Size = 64 (0x40) The following response is the response to the preceding request for the printer: LDAP: ProtocolOp: SearchResponse (4) LDAP: MessageID = 61 (0x3D) LDAP: ProtocolOp = SearchResponse LDAP: Object Name = CN=DELLPRINTSRV-HP4SI,CN=DELLNODEA,CN=Computers,DC=cluster,DC=co LDAP: Attribute Type = driverName LDAP: Attribute Value = HP LaserJet 4Si MX         LDAP: Attribute Type = location LDAP: Attribute Value = Dell Cluster LDAP: Attribute Type = objectClass LDAP: Attribute Value = top LDAP: Attribute Value = leaf LDAP: Attribute Value = connectionPoint LDAP: Attribute Value = printQueue LDAP: Attribute Type = printerName LDAP: Attribute Value = HP4SI LDAP: Attribute Type = serverName LDAP: Attribute Value = DELLPRINTSRV.cluster.com LDAP: MessageID = 61 (0x3D) LDAP: ProtocolOp = SearchResponse (simple) LDAP: Result Code = Success LDAP: Controls LDAP: Paged Control LDAP: Criticality = 0 (0x0) LDAP: Page Size = 0 (0x0)



RESOLUTION
To resolve this problem, the Everyone group must be added to the &quot;Pre-Windows 2000 Compatible Access&quot; built-in security group. To add the Everyone group, run the net localgroup &quot;Pre-Windows 2000 Compatible Access&quot; everyone /add command from a command prompt. Note that you must type this command exactly as it appears, including the quotation marks. The quotation marks are necessary because the target group name contains spaces.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.



MORE INFORMATION
For additional information about the permissions choices that are available during the Dcpromo.exe process, click the article number below to view the article in the Microsoft Knowledge Base:

257988 Description of Dcpromo Permissions Choices

Keywords: kbprint kbsysadmin kbprb kbauthentication kbacl KB300896

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.