Make Print Spooler and DHCP services Redundant?
Looking to get our print Spooler and DHCP redundant/Failover. The Spooler currently Spools to about 25 Printers DHCP and the Spooler are installed on a Primary AD DC. We have About 120 users. Servers are Windows Datacenter 2022. The AD DC is one of 2 at this Location. Looking at Windows Server Failover Clustering, it looks like I can install WSFC on a AD DCs and then Add the Print Spooler to the cluster. (Yes, loosing the original \\host\share) My 2 Questions are: 1) WSFC on DCs is Supported, though Wanted real World experience. Is this fine? I dont want to have to spin up 2 more VMs to just maintain printing. Is this a good way to do redundant Print Spooling? 2) DHCP has its own built in Failover as you can tie it to another DHCP server and make them function as one. Is the built in failover Better than adding DHCP as a WSFC Resource? Thank you, Scott<-
Microsoft's PrintNightmare update is causing a lot of problems with network printers
Dears, the latest Windows updates is causing a lot of problems with network printers mapped on a print server. Reference: https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872 https://support.microsoft.com/en-us/topic/managing-deployment-of-printer-rpc-binding-changes-for-cve-2021-1678-kb4599464-12a69652-30b9-3d61-d9f7-7201623a8b25 The two recent patches (KB5004945, KB5004760, or KB5003690) causes these two main problems: 1) unable for users without administrative rights to install new print drivers. The end user receive this error 2) unable to use the print server with the new registry key RpcAuthnLevelPrivacyEnabled **The system logs reports this error: 0x0000011b** The two workarounds that you have to apply to survive and allow corporate users to be able to use the print server are: 1) Even if you have a GPO with "Point and Print Restrictions=disabled", you have to apply this registry key to allow non administrative users to install the latest print drivers from the print server HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint RestrictDriverInstallationToAdministrators = 0 2) Apply this registry key to disable the new default settings related to the print spooler vulnerabilities HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print RpcAuthnLevelPrivacyEnabled = 0 The above workarounds are only a temporary solution to survive and allow users to print. What is unclear to me is what should be the right way to manage these settings in a corporate environment without any end user interaction. So, if I want to be protected and apply the recent security fixes without asking the end users to do something, what should I do? Microsoft states that you need to set "RpcAuthnLevelPrivacyEnabled" to "1" on both Client and Print Server in order to be protected, but if you do this, you can't print. So, what should we do in a Corporate environment to be secure and print without any end user interaction about "driver installation" etc.? Thanks in advance
Updated printer driver on server does not update properly on all clients
Hey community We just did an update of the print driver on all our print servers. Most clients downloaded and installed the driver just fine. Some clients had a problem though. The printer queues were still mapped, users were able to print, but the properties dialog was not the one of the driver but most likely the standard MS dialog. After removing all queues and deleting the driver package locally, the printers connected again and downloaded the driver without issues. Any idea on where to look here?
