Event ID 28 — AD DS Printer Publishing

Applies To: Windows Server 2008

You can publish printer information to Active Directory Domain Services (AD DS) so that users can search for printers by location or other attributes. Publishing a printer creates a PrintQueue object in AD DS as a child of the print server computer account.

Event Details

Product: Windows Operating System
ID: 28
Source: Microsoft-Windows-PrintSpooler
Version: 6.0
Symbolic Name: MSG_CANT_WRITE_ACL
Message: While attempting to publish the printer to the Active Directory directory service, Windows failed to write an access control list (ACL) on directory service object %1. Error: %2

Diagnose

This error might be caused by one of the following conditions:

  • The location listed in the printer's Location box is incorrect
  • The printer has an incorrect IP address or subnet
  • Group Policy prohibits the publishing of printers
  • DNS is not available
  • The server does not have a computer account in the correct domain
  • AD DS is configured incorrectly
  • The user does not have the Manage Printers permission

To determine the root cause of this event, perform the procedures in the various sections of this topic until you have identified the cause of the problem, and then perform the appropriate resolution procedure (referenced by section title in each procedure). If there are multiple causes, you might need to continue diagnosing the problem.

Note: If there is an error code listed in the source event, look up the error code in the Win32 error message database, and then determine whether it relates to one of the headings (Resolver titles) listed at the beginning of this topic. If it does, start your troubleshooting session at that Resolver topic. For a complete list of Win32 error messages, see the Microsoft Developer Network (MSDN) Web site (https://go.microsoft.com/fwlink/?LinkId=83027).

The location listed in the printer's Location box is incorrect

To determine whether the location of the printer is specified incorrectly:

  1. Open either the Print Management snap-in or the Printers folder in Control Panel.
  2. Right-click the printer you want to publish, click Properties, and then verify that the Location box lists the correct location for the printer.
  3. If it does not list the correct location, see the section titled "Specify the location of the printer".

The printer has an incorrect IP address or subnet

To determine whether the printer has an incorrect IP address or subnet:

  1. If the affected printer is a network printer, physically check it or use the printer configuration Web page to verify that it has an IP address in the same subnet as its site (as specified in the Location field).
  2. If the printer does not have the correct subnet, see the section titled "Renew the printer IP address and subnet".

Group Policy prohibits the publishing of printers

To determine whether Group Policy prohibits the publishing of printers:

  1. Open the Administrative Tools folder, and then open the Group Policy Management Console (GPMC).
  2. In the console tree, expand the appropriate forest, right-click Group Policy Results, and then click Group Policy Results Wizard.
  3. Follow the on-screen instructions, specifying the appropriate computer account for the print server.
  4. After the Group Policy Results Wizard finishes, click the Settings tab.
  5. Under Computer Configuration, click Printers in the Administrative Templates section.
  6. Verify that the status of the Allow printers to be published policy is either Enabled or Not Configured. If the status of the policy is Disabled, see the section titled "Enable publishing of printers in Group Policy".

DNS is not available

To determine whether DNS is available:

  1. Open the Command Prompt window, type nslookup print_server_name (where print_server_name is the computer name of the print server), and then press ENTER.
  2. If the nslookup command fails, see the section titled "Fix DNS server problems".

The server does not have a computer account in the correct domain

To determine if the server has a computer account in the correct domain:

  1. Open the Administrative Tools folder, and then open Active Directory Users and Computers.
  2. Verify that the print server has a computer account in the domain or organizational unit (OU) to which you want to publish the printer. If it does not, see the section titled "Create a computer account for the print server in the appropriate domain".

AD DS is configured incorrectly

To determine if AD DS is configured correctly:

  • On a domain controller in the same domain as the print server, open the Command Prompt window, and then type the following command at the command prompt: Dcdiag /test:connectivity. If any of the Dcdiag tests fail, see the section titled "Fix AD DS problems".
  • If user accounts are in a different domain from the print server computer account, verify that none of the domains uses the Windows 2000 mixed-domain functional level. If any of them do use that, see the section titled "Fix AD DS problems".

The user does not have the Manage Printers permission

To determine if the user has the Manage Printers permission:

  1. Open either the Print Management snap-in or the Printers folder in Control Panel.
  2. Right-click the printer for which you want to set permissions, click Properties, and then click the Security tab.
  3. If the appropriate user or group does not have the Manage Printers permission, see the section titled "Grant the Manage Printers permission to the appropriate user or group".
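
The command-line parts of the Diagnose checks above, gathered into one PowerShell script as an added example (it is not part of the original Microsoft topic). It assumes PowerShell 2.0 or later on the print server, that the event's insertion strings %1 and %2 are stored in that order, and that dcdiag is installed locally; the WMI class, LDAP filters and variable names are choices made for this example.

```powershell
# Added example (not Microsoft's code). Run elevated on the print server.
$server = $env:COMPUTERNAME

# Translate a Win32 error code (decimal or 0x-prefixed hex) into its message text.
function Get-Win32Message([string]$Code) {
    $n = if ($Code -match '^0x') { [Convert]::ToInt32($Code, 16) } else { [int]$Code }
    (New-Object System.ComponentModel.Win32Exception -ArgumentList $n).Message
}

# 1. Most recent Event ID 28 from the provider listed under Event Details.
try {
    $evt = Get-WinEvent -MaxEvents 1 -ErrorAction Stop -FilterHashtable @{
        ProviderName = 'Microsoft-Windows-PrintSpooler'; Id = 28 }
    # Assumption: insertion strings %1 (object) and %2 (error) are stored in that order.
    $object = $evt.Properties[0].Value
    $code   = $evt.Properties[1].Value
    "Event 28 at $($evt.TimeCreated): object=$object error=$code"
    try { "  Win32 text: $(Get-Win32Message $code)" }
    catch { '  Error value is not a plain numeric code; look it up manually.' }
} catch { "No Event ID 28 retrieved: $($_.Exception.Message)" }

# 2. Location and publish state of each shared printer (the Location box check).
Get-WmiObject Win32_Printer | Where-Object { $_.Shared } |
    Format-Table Name, Location, Published, PortName -AutoSize | Out-String

# 3. DNS check from the page: read the nslookup output for a failed lookup.
nslookup $server 2>&1 | Out-String

try {
    # 4. Computer account and the PrintQueue objects published beneath it.
    $acct = ([adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$server`$))").FindOne()
    if ($acct) {
        "Computer account: $($acct.Properties['distinguishedname'][0])"
        $q = [adsisearcher]'(objectClass=printQueue)'
        $q.SearchRoot = $acct.GetDirectoryEntry()
        $q.FindAll() | ForEach-Object { "  PrintQueue: $($_.Properties['printername'][0])" }
    } else { "No computer account named $server found in the current domain." }

    # 5. Connectivity test from the page, aimed at a discovered domain controller.
    #    Assumption: dcdiag is installed here; otherwise run it on the DC itself.
    $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController().Name
    dcdiag /test:connectivity "/s:$dc"
} catch { "AD DS query failed: $($_.Exception.Message)" }
```

The Group Policy and Manage Printers permission checks are left to the console procedures described in this topic.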

Resolve

To resolve this issue, use the resolution that corresponds to the cause you identified in the Diagnose section. After performing the resolution, see the Verify section to confirm that the feature is operating properly.

Cause and corresponding resolution:

  • The printer has an incorrect IP address or subnet: Renew the printer IP address and subnet
  • AD DS is configured incorrectly: Fix AD DS problems
  • Group Policy prohibits the publishing of printers: Enable publishing of printers in Group Policy
  • DNS is not available: Fix DNS server problems
  • The user does not have the Manage Printers permission: Grant the Manage Printers permission to the appropriate user or group
  • The location listed in the printer's Location box is incorrect: Specify the location of the printer
  • The server does not have a computer account in the correct domain: Create a computer account for the print server in the appropriate domain

Renew the printer IP address and subnet

To fix a printer with an incorrect IP address and subnet, do the following:

  • Turn off the printer, and then turn it back on to renew the printer IP address with the Dynamic Host Configuration Protocol (DHCP) server.
  • Use the printer controls to change the IP address and subnet or to renew the printer IP address with the DHCP server.

Fix AD DS problems

To resolve Active Directory Domain Services (AD DS) problems, do the following:

  • Verify that there is a domain controller available in the same domain as the print server.
  • Resolve any DNS problems that are related to AD DS. For more information, see Active Directory Operations Overview: Troubleshooting Active Directory-Related DNS Problems (https://go.microsoft.com/fwlink/?LinkID=57927).
  • Verify that sites are set up properly in Active Directory and that printer location tracking is properly enabled. For more information, see Troubleshooting common printing problems (https://go.microsoft.com/fwlink/?LinkId=65000).
  • If user accounts are in a different domain from the print server computer account, and any of the domains use the Windows 2000 mixed-domain functional level, consider switching the domain functional levels.
  • Retry publishing the printer.

If you continue to have AD DS problems, you can try the following actions to further diagnose the problem:

  • Using an account that is a member of the Enterprise Admins group, open the Command Prompt window, and then type dcdiag /e at the command prompt to diagnose the health of the entire AD DS forest. For more information about the dcdiag command, see Dcdiag Examples (https://go.microsoft.com/fwlink/?LinkID=104689).
  • In Event Viewer, connect to one of the affected domain controllers, examine the Directory Service log for possible Error or Warning events, and then click the Event Log Online Help link for each Error or Warning event. This opens a Web browser with additional troubleshooting information pertaining to the specific event.

Enable publishing of printers in Group Policy

To enable publishing of printers in Group Policy:

  1. From the Administrative Tools folder, open the Group Policy Management Console (GPMC).
  2. In the console tree, find the Group Policy object (GPO) that applies to the print server and has the Allow printers to be published policy set to Disabled.
  3. Right-click the GPO, and then click Edit.
  4. Under Computer Configuration, right-click Printers in the Administrative Templates section, and then click Properties.
  5. Select either Enabled or Not Configured, and then click OK.
  6. On the print server, open the Command Prompt window, and then type Gpupdate at the command prompt.
  7. Retry publishing the printer. This action may continue to fail until the GPO replicates to the domain controller that the print server contacts and until the GPO is applied to the print server.

Fix DNS server problems

To resolve DNS server problems:

  1. Restart the DNS Server service on the DNS server. From the Administrative Tools folder, open the Services snap-in, click the DNS Server service, and then click the Restart Service toolbar button.
  2. Retry publishing the printer.

For more information about troubleshooting DNS server problems, see the following Microsoft Web sites:

Grant the Manage Printers permission to the appropriate user or group

To grant the Manage Printers permission to the appropriate user or group:

  1. Open either the Print Management snap-in or the Printers folder in Control Panel.
  2. Right-click the printer for which you want to set permissions, click Properties, and then click the Security tab.
  3. Select the appropriate user or group, and then select the Allow check box next to the Manage printers permission.
  4. Retry publishing the printer.

Specify the location of the printer

To specify the location of the printer:

  1. Open either the Print Management snap-in or the Printers folder in Control Panel.
  2. Right-click the printer you want to publish, click Properties, and then type the appropriate location of the printer in the Location box.

Create a computer account for the print server in the appropriate domain

To create a computer account for the print server in the appropriate domain:

  1. In the Administrative Tools folder, open Active Directory Users and Computers.
  2. In the console tree, right-click the Computers container or organizational unit (OU) in which you want to place the print server and its print queues, click New, and then click Computer.
  3. Type the computer name, and then click OK.
  4. If you changed the domain to which the print server belongs, use the System tool in Control Panel on the print server to change the domain membership to match the new computer account, and then restart the print server.
  5. Retry publishing the printer. This action may continue to fail until the computer account object replicates to the domain controller that the print server contacts.

Verify

To verify that the printer was successfully published or removed from AD DS, do the following:

  • If the print server logs spooler information events, open Event Viewer and look for Print Spooler Event 36 (when publishing a printer), Print Spooler Event 38 (when removing a printer from AD DS), or Print Spooler Event 40 (when updating a printer).
  • Search AD DS for the printer by using the following procedure:
    1. Open the Printers folder on a computer in the same domain as the print server, and then click Add a printer. The Add Printer Wizard appears.
    2. Select A printer that is not attached to my computer (a network printer), and then click Next.
    3. Click The printer I am looking for is not on this list.
    4. Select Find a printer in Active Directory, based on location or feature, click Next, and then use the Find Printers dialog box to search AD DS for the printer.
