Announcement

Collapse
No announcement yet.

Printing To Printers On Another Domain

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Printing To Printers On Another Domain

    Hi,

    Firstly, sorry if this is in the wrong section.

    We have a requirement for a user to be able to print to printers that are hosted on a server on a different domain to the one the 'users' machine is on. The machine is configured for one domain (which we don't want to change) and they are based in an office of users on a different domain.

    Now, I am sure there should be a way to get to print to the printers, assuming the printer share permissions are ok, right?

    Currently, the user can add the printers OK, and the status is 'Ready' but unable to send print job's to the printers as they just never appear in the print queue and are not printed out.

    The printer permissions were set to to allow 'everyone' print access, we tried changing this so only 'domain users' could print, and removed the 'everyone' entry, thinking that because his machine is on a different domain, when he add's the printers it should ask him for authentication? but they just add as normal.

    I have tried to add the printer as a local printer and setting up using TCP/IP port using the printers ip address, this produces a slightly different result when printing, the job hit's the queue but actually fails to print.

    The user in question can ping the printer in question, and they are using a patched Windows XP SP2 machine on a Win 2003 server domain.

    Anyone have any idea's on what else we can try, this is quite urgent we get this sorted.

    Cheers in advance.

  • #2
    Re: Printing To Printers On Another Domain

    Yeah, do you have trust relationship established between the 2 domains, so you can use the resources of the second domain?.

    That is one thing you need to pay attention to.

    Another thing use the following stradegy AGDLP

    meaning add accounts (A) to global group(G) and add the global group to a domain local group (DL) and give (P) give permissions.

    That way you who ever wants to print should be added to this group.

    I think you know what is Global group and Domain local groups. If not a small search on google will give you the result.

    Update me if you still need help.
    Best regards,
    Mostafa Itani

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    Comment


    • #3
      Re: Printing To Printers On Another Domain

      Originally posted by sanvour View Post
      Yeah, do you have trust relationship established between the 2 domains, so you can use the resources of the second domain?.

      That is one thing you need to pay attention to.

      Another thing use the following stradegy AGDLP

      meaning add accounts (A) to global group(G) and add the global group to a domain local group (DL) and give (P) give permissions.

      That way you who ever wants to print should be added to this group.

      I think you know what is Global group and Domain local groups. If not a small search on google will give you the result.

      Update me if you still need help.
      Hi,

      The user is not setup on the 'other domain' in active directory, is this what you mean? - How do I add the user account to global group etc, is that what you mean?

      Thanks

      Comment


      • #4
        Re: Printing To Printers On Another Domain

        First a trust relationship needs to be craeted.
        Domain 2 needs to trust domain 1, that way users in domain 1 can use the rescources of domain 2.

        Then you need to create a group (from active directory snap in), you are given the chance to either choose global group or domain local group.

        In domain 2 create a domain local group and add the global group that you created (Containing the user from domain 1) and give permission to the domain local group created to print.

        Rule of thumb when you are dealing with groups:

        Membership Scope

        - DLG User and group from same Forest (MemberShip opposite to its name Domain Local) Same domain (Scope same as the name Domain local)

        - GG Same Domain (Membership opposite to its name Global group) Forest (Scope same as the name Global Group)

        Domain Local Groups are usually used to assign permissions to groups
        and or users to use a specific resource such as a printer or share.
        They have scope only within that domain.

        http://kb.iu.edu/data/ahrl.html
        http://technet2.microsoft.com/window....mspx?mfr=true
        Best regards,
        Mostafa Itani

        ** Remember to give credit where credit is due and leave reputation points where appropriate **

        Comment


        • #5
          Re: Printing To Printers On Another Domain

          When you configured the printer locally using TCP/IP you said the job "hits the queue". What do you mean? Can you see the job at the printer or are you referring to the print spooler on the local machine? Have you verified that you are using the correct printer driver and ip address? Are the two devices on the same subnet? If not, does the printer have a default gateway or route set up in order to reach the local machine's subnet? (Presumably so, since you said that you can ping the printer). Does the local machine have a default gateway or route to reach the printer subnet? While it's true that you could create a domain trust for resource sharing it's certainly not required unless you want to add the printer to the machine through AD or through a print server in the other domain. Printing directly to the printers ip address does not require a domain trust as the printer itself doesn't know AD from Joe Scmoe. I would work on solving the printing directly to the ip address problem first and then re-evaluare whether or not you need to set up a domain trust for further resource sharing.

          Comment


          • #6
            Re: Printing To Printers On Another Domain

            Yeah, but trusting the domains will give a way to share resources in the future if the need arise. We can not predit the needs in the future, the administration are always greedy in new requirements.
            Best regards,
            Mostafa Itani

            ** Remember to give credit where credit is due and leave reputation points where appropriate **

            Comment


            • #7
              Re: Printing To Printers On Another Domain

              Any of you guys ever heard of WINS? Trust relationships, bah!
              1 1 was a racehorse.
              2 2 was 1 2.
              1 1 1 1 race 1 day,
              2 2 1 1 2

              Comment


              • #8
                Re: Printing To Printers On Another Domain

                Not to sound rude, but he said that he created the printer locally and created a TCP/IP port to print directly to the printer and it didn't work so WINS, DNS, and Domain Trusts have nothing to do with his problem at the moment.

                Comment


                • #9
                  Re: Printing To Printers On Another Domain

                  Joe, as I think he mentioned something like, he was able to connect to the queue but was not able to see the status of the queue. That means permissions and not anymore connecting to the printer.
                  Best regards,
                  Mostafa Itani

                  ** Remember to give credit where credit is due and leave reputation points where appropriate **

                  Comment


                  • #10
                    Re: Printing To Printers On Another Domain

                    Maybe we should ask for some clarification from the original poster. My understanding from reading the post was that he tried printing directly to the printer through a locally installed printer and TCP/IP port and couldn't get it to work. When he said he saw the job in the queue I took that to mean the local print queue, but maybe I misunderstood. Hopefully he will post more details for us.

                    Comment


                    • #11
                      Re: Printing To Printers On Another Domain

                      - the user can add the printers, status is 'Ready'
                      - unable to send print job's
                      - they just never appear in the print queue
                      - and are not printed out.
                      Since two or more Active Directory domains within the same forest are implicitly connected by two-way, transitive trusts, - authentication requests made from one domain to another are successfully routed in order to provide a seamless coexistence of resources across domains. Users can only gain access to resources in other domains after first being authenticated in their own domain.

                      "Best practices for controlling access to shared resources across domains"
                      - create a global group in his/her domain and make him\her member of that group.
                      - In the printers domain create a domain local group, and add the global group to this group.
                      - Assign the required permissions on the printer to the domain local group.

                      http://technet2.microsoft.com/window....mspx?mfr=true


                      \Rems
                      Last edited by Rems; 7th September 2007, 15:54. Reason: added the quote

                      This posting is provided "AS IS" with no warranties, and confers no rights.

                      __________________

                      ** Remember to give credit where credit's due **
                      and leave Reputation Points for meaningful posts

                      Comment


                      • #12
                        Re: Printing To Printers On Another Domain

                        Originally posted by joeqwerty View Post
                        Not to sound rude, but he said that he created the printer locally and created a TCP/IP port to print directly to the printer and it didn't work so WINS, DNS, and Domain Trusts have nothing to do with his problem at the moment.
                        Not rude at all. I think we are all interperating the problem differently as we do not have sufficient information and each see the problem from their own perspective (I certainly did).

                        Maybe UKG could reply with a lot more info.
                        1 1 was a racehorse.
                        2 2 was 1 2.
                        1 1 1 1 race 1 day,
                        2 2 1 1 2

                        Comment

                        Working...
                        X