Printing To Printers On Another Domain


This topic contains 11 replies, has 5 voices, and was last updated by  joeqwerty 11 years, 3 months ago.


  • UKG
    Member
    #127589

    Hi,

    Firstly, sorry if this is in the wrong section.

    We have a requirement for a user to be able to print to printers that are hosted on a server on a different domain to the one the ‘users’ machine is on. The machine is configured for one domain (which we don’t want to change) and they are based in an office of users on a different domain.

    Now, I am sure there should be a way to get to print to the printers, assuming the printer share permissions are ok, right?

    Currently, the user can add the printers OK, and the status is ‘Ready’ but unable to send print jobs to the printers as they just never appear in the print queue and are not printed out.

    The printer permissions were set to allow ‘everyone’ print access, we tried changing this so only ‘domain users’ could print, and removed the ‘everyone’ entry, thinking that because his machine is on a different domain, when he adds the printers it should ask him for authentication? but they just add as normal.

    I have tried to add the printer as a local printer and setting up using TCP/IP port using the printer’s IP address, this produces a slightly different result when printing, the job hits the queue but actually fails to print.

    The user in question can ping the printer in question, and they are using a patched Windows XP SP2 machine on a Win 2003 server domain.

    Anyone have any ideas on what else we can try, this is quite urgent we get this sorted.

    Cheers in advance. :)


    sanvour
    Member
    #217288

    Re: Printing To Printers On Another Domain

    Yeah, do you have trust relationship established between the 2 domains, so you can use the resources of the second domain?

    That is one thing you need to pay attention to.

    Another thing use the following strategy AGDLP

    meaning add accounts (A) to global group (G) and add the global group to a domain local group (DL) and give (P) permissions.

    That way whoever wants to print should be added to this group.

    I think you know what is Global group and Domain local groups. If not a small search on google will give you the result.

    Update me if you still need help.


    UKG
    Member
    #277878

    Re: Printing To Printers On Another Domain

    sanvour;79490 wrote:
    Yeah, do you have trust relationship established between the 2 domains, so you can use the resources of the second domain?

    That is one thing you need to pay attention to.

    Another thing use the following strategy AGDLP

    meaning add accounts (A) to global group (G) and add the global group to a domain local group (DL) and give (P) permissions.

    That way whoever wants to print should be added to this group.

    I think you know what is Global group and Domain local groups. If not a small search on google will give you the result.

    Update me if you still need help.

    Hi,

    The user is not set up on the ‘other domain’ in active directory, is this what you mean? – How do I add the user account to global group etc, is that what you mean?

    Thanks


    sanvour
    Member
    #217289

    Re: Printing To Printers On Another Domain

    First a trust relationship needs to be created.
    Domain 2 needs to trust domain 1, that way users in domain 1 can use the resources of domain 2.

    Then you need to create a group (from active directory snap in), you are given the chance to either choose global group or domain local group.

    In domain 2 create a domain local group and add the global group that you created (Containing the user from domain 1) and give permission to the domain local group created to print.

    Rule of thumb when you are dealing with groups:

    Group: Membership / Scope

    – DLG: Membership: user and group from same forest (membership opposite to its name, Domain Local). Scope: same domain (scope same as the name, Domain Local).

    – GG: Membership: same domain (membership opposite to its name, Global Group). Scope: forest (scope same as the name, Global Group).

    Domain Local Groups are usually used to assign permissions to groups
    and or users to use a specific resource such as a printer or share.
    They have scope only within that domain.

    http://kb.iu.edu/data/ahrl.html
    http://technet2.microsoft.com/windowsserver/en/library/1b3070ce-c6b1-4849-ae47-ce17bbec17ee1033.mspx?mfr=true


    joeqwerty
    Moderator
    #299632

    Re: Printing To Printers On Another Domain

    When you configured the printer locally using TCP/IP you said the job “hits the queue”. What do you mean? Can you see the job at the printer or are you referring to the print spooler on the local machine? Have you verified that you are using the correct printer driver and IP address? Are the two devices on the same subnet? If not, does the printer have a default gateway or route set up in order to reach the local machine’s subnet? (Presumably so, since you said that you can ping the printer). Does the local machine have a default gateway or route to reach the printer subnet? While it’s true that you could create a domain trust for resource sharing it’s certainly not required unless you want to add the printer to the machine through AD or through a print server in the other domain. Printing directly to the printer’s IP address does not require a domain trust as the printer itself doesn’t know AD from Joe Schmoe. I would work on solving the printing directly to the IP address problem first and then re-evaluate whether or not you need to set up a domain trust for further resource sharing.


    sanvour
    Member
    #217290

    Re: Printing To Printers On Another Domain

    Yeah, but trusting the domains will give a way to share resources in the future if the need arises. We cannot predict the needs in the future, the administration are always greedy in new requirements.


    biggles77
    Spectator
    #207336

    Re: Printing To Printers On Another Domain

    Any of you guys ever heard of WINS? Trust relationships, bah! :mrgreen:


    joeqwerty
    Moderator
    #299641

    Re: Printing To Printers On Another Domain

    Not to sound rude, but he said that he created the printer locally and created a TCP/IP port to print directly to the printer and it didn’t work so WINS, DNS, and Domain Trusts have nothing to do with his problem at the moment.


    sanvour
    Member
    #217293

    Re: Printing To Printers On Another Domain

    Joe, as I think he mentioned something like, he was able to connect to the queue but was not able to see the status of the queue. That means permissions and not anymore connecting to the printer.


    joeqwerty
    Moderator
    #299644

    Re: Printing To Printers On Another Domain

    Maybe we should ask for some clarification from the original poster. My understanding from reading the post was that he tried printing directly to the printer through a locally installed printer and TCP/IP port and couldn’t get it to work. When he said he saw the job in the queue I took that to mean the local print queue, but maybe I misunderstood. Hopefully he will post more details for us.


    Rems
    Moderator
    #226503

    Re: Printing To Printers On Another Domain

    Quote:
    – the user can add the printers, status is ‘Ready’
    – unable to send print jobs
    they just never appear in the print queue
    – and are not printed out.

    Since two or more Active Directory domains within the same forest are implicitly connected by two-way, transitive trusts, – authentication requests made from one domain to another are successfully routed in order to provide a seamless coexistence of resources across domains. Users can only gain access to resources in other domains after first being authenticated in their own domain.

    “Best practices for controlling access to shared resources across domains”
    – create a global group in his/her domain and make him/her member of that group.
    – In the printer’s domain create a domain local group, and add the global group to this group.
    – Assign the required permissions on the printer to the domain local group.

    http://technet2.microsoft.com/windowsserver/en/library/e36ceae6-ff36-4a1b-9895-75f0eacfe94c1033.mspx?mfr=true

    Rems
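
The account → global group → domain local group → permission nesting described in the replies above, modelled as an added example (not code from the thread or from Microsoft). Domain, user and group names are constructed, and trusts are passed explicitly as (trusting domain, trusted domain) pairs rather than taken from a forest.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str
    domain: str
    kind: str                      # "user", "global" or "domain_local"
    members: list = field(default_factory=list)

def can_nest(group, member, trusts):
    """Membership rules from the thread: GG = same domain, DLG = trusted domains."""
    same_domain = group.domain == member.domain
    if group.kind == "global":
        return same_domain and member.kind in ("user", "global")
    if group.kind == "domain_local":
        if member.kind == "domain_local":
            return same_domain     # a DLG has no scope outside its own domain
        return same_domain or (group.domain, member.domain) in trusts
    return False                   # a user account cannot contain members

def add_member(group, member, trusts):
    if not can_nest(group, member, trusts):
        raise ValueError(f"{member.domain}\\{member.name} cannot join "
                         f"{group.domain}\\{group.name}")
    group.members.append(member)

def can_print(user, printer_domain, acl, trusts):
    """True if the user reaches a group on the printer ACL via valid nesting."""
    # The printer's domain must trust the domain that authenticates the user.
    if user.domain != printer_domain and (printer_domain, user.domain) not in trusts:
        return False
    def contains(group):
        return any(m is user or (m.kind != "user" and contains(m))
                   for m in group.members)
    # Permissions (P) go on domain local groups of the printer's own domain.
    return any(g.kind == "domain_local" and g.domain == printer_domain
               and contains(g) for g in acl)

def demo():
    trusts = {("DOMAIN2", "DOMAIN1")}               # DOMAIN2 trusts DOMAIN1
    user = Principal("ukuser", "DOMAIN1", "user")   # constructed sample names
    gg = Principal("GG_Print", "DOMAIN1", "global")
    dl = Principal("DL_Print", "DOMAIN2", "domain_local")
    add_member(gg, user, trusts)                    # A -> G
    add_member(dl, gg, trusts)                      # G -> DL
    acl = [dl]                                      # P on the printer
    return (can_print(user, "DOMAIN2", acl, trusts),
            can_print(user, "DOMAIN2", acl, set()))  # same ACL, trust removed
```

Because the printer ACL names only the domain local group, print access is granted or withdrawn by changing membership of the global group in the user's own domain, without touching the printer.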


    biggles77
    Spectator
    #207344

    Re: Printing To Printers On Another Domain

    joeqwerty;79620 wrote:
    Not to sound rude, but he said that he created the printer locally and created a TCP/IP port to print directly to the printer and it didn’t work so WINS, DNS, and Domain Trusts have nothing to do with his problem at the moment.

    Not rude at all. I think we are all interpreting the problem differently as we do not have sufficient information and each see the problem from their own perspective (I certainly did).

    Maybe UKG could reply with a lot more info.
