Failover Windows based print server


An admin sleeps soundly only when everything is backed up, monitored and duplicated. Or when he works in a good team, where you can always blame someone else.
It so happens that I mainly use Microsoft products in my work, and I can say that the company takes redundancy of its services seriously: Active Directory, Exchange DAG, SQL Always On, DFSR, etc. As elsewhere, there are very elegant and successful implementations as well as obviously awkward and heavy ones. There is also a solution for the print service, but it requires Hyper-V based clustering. I wanted a simple out-of-the-box solution that needs no additional budget. Windows 2012 R2 was taken as the basis, but most likely the same scheme will work without problems on any server version starting from Windows 2008, and even on client OSes from Vista up (hello to those who like to save the budget!). If you are interested, read on.

Disclaimer
To respect the work of the Indians, and since the audience of Habr is mostly Russian-speaking, which makes things easier for novice admins, the examples use the Russian version of the Windows interface. Links, where possible, also lead to Russian-language resources.


Some theory


Anyone who does not like theory and wants to get to the mouse and keyboard quickly can move straight on to the next part.
As mentioned above, the official recommendation today is a solution based on clustering and Hyper-V virtualization. Nothing prevents you from providing fault tolerance for the print service at the virtualization level either, and not necessarily with Hyper-V, but such solutions cost money.
I really wanted something similar to DHCP Failover, but for the print server role.
Nothing suitable turned up on the Internet, so I had to invent it myself.

The essence of the idea in one paragraph
The solution described below is based on the PrintBrm utility, which is included in the standard Windows distribution and superseded printmig.
The backup server works in standby mode and synchronizes its settings with the main server using this utility. For client machines, a CNAME with a small TTL that points to the main server is created in DNS. If the primary server fails, the administrator edits the CNAME, switching clients to the backup server. That's all.
If the topic interests you and you want to learn about the bumps I have already collected and the ways around the rakes, read on.

Before you begin, or what you need to know about PrintBrm


So what is this PrintBrm utility, whose main purpose is to service the print server?


I admit that I may have undeservedly skipped some features. Perhaps in Windows 10/2016 it began to behave differently. If you have information, please share.

Environment preparation


It is assumed that you have already deployed Active Directory and you know at least 3 ways to disable it and at least 2 of them have been tested in practice.

Some lyrics
Departing from the topic of the article, I note that I like order, and I make sure that each network printer and multifunction device carries a label matching its network name. This simplifies the work of IT staff when they are trying to find out from a user on which particular printer important analytical reports come out in poisonous acid tones instead of soft pistachio. It is better to stick such labels on the bottom of the printer, so that it is more interesting and more fun for everyone.
I also like it when every network printer is registered in the internal DNS zone. A Windows-based DHCP server handles this task easily.
For example, the printer name can be in the format msk-prn001 or sale-printer023, and the ports for these printers on the print server are named the same way. But this is my personal preference, and I am ready to listen to objections in the comments.

We will assume that all printers are networked and are available for printing from the main and backup print servers. Let these servers be called prn-srv01 and prn-srv02 respectively.
Domain-joined machines running Windows Server 2008 or later are suitable as print servers. In principle, client OSes starting with Vista are suitable too, if you really, really want to save money. The example uses Windows 2012 R2. Before setting up, it is highly recommended to install all necessary operating system updates on both the servers and the client machines.

Of course you understand this yourself, but Captain Obvious still has to point it out: if the print servers are virtual, they must be placed on different physical hosts, otherwise our failover will turn into just fail.

The print server role should be added to prn-srv01 and prn-srv02. I prefer to use a PowerShell cmdlet for this:
Install-WindowsFeature Print-Services

A registry tweak must also be applied on the print servers; it fixes error 0x00000709 when client machines access the print server through the CNAME. You can do this with a command from the article at the link above:
reg add HKLM\SYSTEM\CurrentControlSet\Control\Print /v DnsOnWire /t REG_DWORD /d 1
After applying the command, you must restart the Print Spooler service.
I recommend allocating a separate OU for print servers and distributing this setting using GPP.

Run the DNS snap-in on the domain controller and enable the Advanced view:


The Advanced view is needed to be able to set the TTL for the records being created.
In DNS, we create a CNAME record named print that points to prn-srv01, with a TTL of 5 minutes:




Client machines must use this name to connect to the print server. That is, clients will connect to the addresses \\print\printer01, \\print\printer02, etc.
The smaller the TTL value, the more often clients will refresh the record and the faster they will "understand" that they need to switch to the other print server. 5 minutes is enough for me.
If you set the value too low, you will generate extra DNS traffic in your network, and if you specify an hour or two, you will demonstrate your stress resistance and strong nerves.
An alternative way to add the CNAME record, using PowerShell:
Import-Module DnsServer
Add-DnsServerResourceRecordCName -Name "print" -HostNameAlias "prn-srv01.lab.net" -ZoneName "lab.net" -TimeToLive 00:05:00

(Of course, lab.net should be changed to your contoso.local or whatever you have.)

Note that if you have several AD sites, updating the DNS records in all locations will take longer because of intersite replication. You can force the process with the repadmin /syncall command.

Using Group Policy, we allow ordinary users to install drivers from the print server. How to do this is described in detail here.

Create a service account in AD (I called it svc-printsync) with a password that never expires:


According to the requirements of PrintBrm, this account must have full rights on the print server, so we add it to the local Administrators group on prn-srv01 and prn-srv02 (for example, using the Computer Management snap-in), and not to Domain Admins "so that everything works" with the password written in the description field "so as not to forget".

Configure the first server


If all the necessary printers have already been added on the main print server, you can go directly to the section on setting up the second server.

Using the Print Management snap-in, we add the necessary printers to the server:


The driver installation wizard will start. It is intuitive, so you will figure it out. I will only draw attention to the matter of architecture (x86 or x64).
Since Windows 2012 R2 comes only in an x64 version, the drivers must also be x64. If clients with x86 versions of Windows will connect to the print server, do not forget to check the appropriate box:


Some driver kits contain a common inf file for both x86 and x64 systems, while others have a split.

Some more lyrics
Many drivers come in the form of an installer, but since these installers put a lot of garbage on the system along with the drivers, I try to follow the "necessary and sufficient" principle and add drivers manually, as described above.
Also, for the sake of consistency, I try to use the Universal version of the drivers as much as possible (almost all normal vendors have one). But sometimes there can be problems with it. For example, I once met a bug in one of the versions of HP Universal Printing PCL 6, in which a PDF document printed through EasyPrint in an RDP session came out mirrored from left to right.
You can also look at v4 drivers.


When all necessary drivers are added, we will be engaged in ports and printers. You can add them manually from the same snap-in, but I recommend creating a CSV file in Excel and feeding it to the PowerShell script. Of course, nothing prevents you from using any other spreadsheet editor or notepad instead of Excel. The main thing is that the separator and the encoding specified in the script match the separator and the encoding in the CSV file.
Also note that the driver name in the CSV file should be exactly the same as it is specified in the Print Management snap-in.
Copy-paste to help



Sample CSV file



Although I wrote above that I like it when all printers have unified network names, the example (the Printer Address field) uses a mix of IP addresses and names, in case order will be brought to your network a little later.

Save this table in CSV format:

Note. Although commas are specified as separators in the "File type" field, Excel uses a semicolon as the separator for me. Probably to make things more interesting and more fun.

And here is the script itself:
CreatePrintersFromCsv.ps1
    # Path to the input file
    $InputFile = 'C:\Scripts\Printers.csv'
    # Read the printer list from the CSV file
    $Printers = (Import-Csv $InputFile -Delimiter ";" -Encoding Default)
    # Process every row of the table
    ForEach ($Printer in $Printers) {
        # Read the fields of the row. The column names must match the header row
        # of your CSV file exactly; the names used here are English equivalents.
        $PrinterName = $Printer.'Printer Name'
        $ShareName = $Printer.'Share Name'
        $DriverName = $Printer.'Driver Name'
        $PrinterAddr = $Printer.'Printer Address'
        $Comment = $Printer.'Comment'
        $Location = $Printer.'Location'
        # Create the port
        Add-PrinterPort -Name $PrinterAddr -PrinterHostAddress $PrinterAddr -SNMP 1 -SNMPCommunity 'public'
        # Add the printer
        Add-Printer -Name $PrinterName -DriverName $DriverName -PortName $PrinterAddr -Comment $Comment -Location $Location
        # Share the printer without publishing it in AD
        Set-Printer -Name $PrinterName -Shared $True -Published $False -ShareName $ShareName
    }


If a tab character is used as the delimiter in your CSV, set -Delimiter "`t" in the script.

Note that if a printer is unreachable from the server while the script is running, adding it to the print server will take longer (2-3 minutes instead of a few seconds).

The result of the script:



To make sure that everything works at this stage, we add a shared printer from the main print server to any of the client machines using the previously created CNAME (for example, \\print\printer01) and try to print something on it. The phrase “Hello, I’ve a piece of paper”, typed in bold Arial at size 200, is best suited for this purpose.

We configure the second server


Un artista copia, un gran artista roba (Pablo Picasso)

Our prn-srv02 has not yet reached the level of gran artista, so we restrict ourselves to copying. Although ... with a flick of the wrist ...

We create and share at least one printer, otherwise PrintBrm will report an error. You can make a dummy one, but it is important to choose a suitable driver and port. For example, a printer with the Microsoft XPS Document Writer driver or the FILE: port cannot be shared.

Create a simple synchronization script. I prefer PowerShell, but nobody forbids making a warm, vintage batch file.

PrintSync.ps1
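    # Path to PrintBrm
    $ProgramPath = 'C:\Windows\System32\Spool\Tools\PrintBrm.exe'
    # Source and destination servers
    $SourceServer = 'prn-srv01'
    $DestServer = 'prn-srv02'
    # File the configuration is saved to. It must not exist before the run,
    # because PrintBrm does not overwrite an existing file
    $ConfigFilePath = 'C:\Scripts\prn-config.printerExport'
    # Export the configuration from the source server
    $Arguments = "-s $SourceServer -f $ConfigFilePath -b"
    Start-Process $ProgramPath -ArgumentList $Arguments -Wait -PassThru
    # Import the configuration to the destination server
    $Arguments = "-s $DestServer -f $ConfigFilePath -r -o force"
    Start-Process $ProgramPath -ArgumentList $Arguments -Wait -PassThru
    # Delete the temporary file
    Del $ConfigFilePath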



Put the script in a secluded place (in the example it is C:\Scripts) and create a task in the Task Scheduler.
The task will run under the previously created svc-printsync account with the highest privileges:


Choose the frequency of execution for yourself. Once a day is enough for me:


On the Actions tab, create a new action that starts PowerShell:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
As arguments, set the following parameters and the path to the script (the powershell.exe switches must come before -File, otherwise they are passed to the script instead of to PowerShell):
-NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Scripts\PrintSync.ps1


The remaining parameters of the task on the Conditions and Settings tabs are left at their defaults.
When you save the task, you will be prompted for the password of the svc-printsync account. You haven't forgotten it, have you? If you have (the article is a long one), then, before deciding that everything was in vain and life has failed, reset it using the ADUC snap-in or another convenient method (and resist the urge to enter it in the description field for peace of mind).

Note
The task does not have to run on the backup print server. If you have a separate server for running routine procedures, you can create the task on it. In that case the svc-printsync account must have the right to log on as a batch job on that server. By default, the local Backup Operators group has this right, and if this has not been changed in your environment, it is enough to add the service account to the Backup Operators group of the server on which the task will run.
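The task above runs C:\Scripts\PrintSync.ps1 as a local administrator of both print servers with -ExecutionPolicy Bypass, so whoever can modify that file or its folder effectively holds those rights. The following check is an added example, not part of the original article; it assumes the paths used above and treats only SYSTEM and the built-in Administrators group as trusted writers.

```powershell
# Added example, not from the original article.
# Reports every principal other than SYSTEM / BUILTIN\Administrators that is
# allowed to change the synchronization script or the folder it lives in.
$Targets     = 'C:\Scripts', 'C:\Scripts\PrintSync.ps1'
$TrustedSids = 'S-1-5-18', 'S-1-5-32-544'     # SYSTEM, BUILTIN\Administrators

# Rights that allow replacing or altering a file or its permissions.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# GENERIC_WRITE | GENERIC_ALL, which can appear as raw values in inherited ACEs.
$GenericBits = 0x50000000

function Get-UntrustedWriter {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($item in $Path) {
        $acl = Get-Acl -LiteralPath $item
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Compare by SID: group names are localized (the article uses a Russian UI).
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
            if ($TrustedSids -contains $sid) { continue }
            $raw = [int]$ace.FileSystemRights
            if (($raw -band $WriteBits) -or ($raw -band $GenericBits)) {
                [pscustomobject]@{
                    Path     = $item
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                }
            }
        }
    }
}

$found = @(Get-UntrustedWriter -Path $Targets)
if ($found.Count -gt 0) {
    $found | Format-Table -AutoSize
    # One way to fix it: drop inherited ACEs and grant full control to the two
    # trusted SIDs only (svc-printsync keeps access as a local administrator):
    #   icacls C:\Scripts /inheritance:r /grant:r "*S-1-5-18:(OI)(CI)F" "*S-1-5-32-544:(OI)(CI)F"
    exit 1
}
Write-Output 'OK: only SYSTEM and Administrators can modify the sync script'
```

Folders created directly under C:\ can inherit write access for non-administrators, so this is worth running once on whichever server hosts the task.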


The first time we start the task manually and wait for it to complete.
For my zoo of about 50 printers of different species, both endangered and recently bred, the synchronization procedure takes about 10 minutes. The file weighs almost 1 GB.
To speed up the import/export process, you can use the -NOBIN switch, which controls whether drivers are copied. It makes sense when the printer fleet consists of the same models and the necessary drivers are installed on all servers.

After completion, launch the Event Viewer snap-in, go to the Applications and Services Logs section, open the Microsoft \ Windows \ PrintBRM \ Admin log and analyze it for errors and warnings. And if there are too many of them, then most likely we clear the log so that it does not hurt the eyes.

I came across events with codes 20, 22, 80 and 81.


As the text of such an event makes clear, the problem was in transferring a specific driver. Looking through the log, we compile a list of problem drivers and either install them on the backup server by hand or replace them with others that are not averse to traveling. I only had problems with HP, Kyocera and Konica Minolta; for drivers from other manufacturers there were no errors (maybe because they are better, and maybe because we simply don't have them).
As a result, you need to achieve the same list of printers on the main and backup servers and the absence of errors and warnings in the logs.
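A check for the two conditions just stated (identical printer lists on both servers, no errors or warnings from PrintBrm), written as an added example rather than the author's code. It assumes the PrintManagement module (Windows 8 / Server 2012 and later) and that the event channel is named Microsoft-Windows-PrintBRM/Admin; $TaskHost is whichever machine runs PrintSync.ps1.

```powershell
# Added example, not from the original article.
$Primary  = 'prn-srv01'
$Standby  = 'prn-srv02'
$TaskHost = $Standby            # machine on which the scheduled task runs PrintBrm
$Since    = (Get-Date).AddDays(-1)

# Shared printers of one server as a map: ShareName -> "Driver|Port".
function Get-SharedPrinterMap {
    param([Parameter(Mandatory)][string]$ComputerName)
    $map = @{}
    Get-Printer -ComputerName $ComputerName -ErrorAction Stop |
        Where-Object { $_.Shared } |
        ForEach-Object { $map[$_.ShareName] = '{0}|{1}' -f $_.DriverName, $_.PortName }
    $map
}

$p = Get-SharedPrinterMap -ComputerName $Primary
$s = Get-SharedPrinterMap -ComputerName $Standby
$problems = @()

foreach ($share in $p.Keys) {
    if (-not $s.ContainsKey($share)) {
        $problems += "missing on ${Standby}: $share"
    } elseif ($s[$share] -ne $p[$share]) {
        $problems += "differs: $share ($($p[$share]) vs $($s[$share]))"
    }
}
# A share found only on the standby is usually the dummy printer created before
# the first sync; anything else means the two servers have drifted apart.
foreach ($share in $s.Keys) {
    if (-not $p.ContainsKey($share)) { $problems += "only on ${Standby}: $share" }
}

# Errors (level 2) and warnings (level 3) logged by PrintBrm since the last run.
$events = @(Get-WinEvent -ComputerName $TaskHost -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-PrintBRM/Admin'; Level = 2, 3; StartTime = $Since })
foreach ($e in $events) {
    $problems += 'PrintBRM event {0}: {1}' -f $e.Id, ($e.Message -split "`r?`n")[0]
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1      # non-zero exit code so the scheduler or a monitoring system notices
}
Write-Output "OK: $($p.Count) shared printers match, no PrintBRM errors or warnings"
```

Scheduled shortly after the synchronization task, this keeps the evidence of a failed driver transfer visible instead of relying on someone opening the log.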

Switch to reserve


Under the sound of axes and the screech of forks, we barricade the door to our office and turn off the telephone. Start the DNS snap-in and edit the CNAME record so that it points to the backup server:


After a while (what did you put in the TTL?), the threatening screams will subside, the client machines will switch to prn-srv02, and the door and the phone can be unlocked.

Come back


If configuration changes that need to be kept were made on the backup server while the main one was being restored, run the synchronization in the other direction. To do this, swap the values of the $SourceServer and $DestServer variables in the PrintSync.ps1 script above. After the changes have been transferred, do not forget to restore these values, otherwise all changes to the printer configuration on prn-srv01 will be mercilessly swept away every night by the evil will of fate.
In the DNS snap-in, we set the target host of the print CNAME record back to prn-srv01, and everything returns to normal.
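The CNAME switch from the two sections above (to the reserve and back), scripted with the DnsServer module as an added example that is not part of the original article. It assumes the lab.net zone and print alias used earlier, Windows PowerShell (Get-Service -ComputerName is not available in PowerShell 7), and that it is run on the DNS server itself unless -DnsServer is given.

```powershell
# Added example, not from the original article.
Import-Module DnsServer

function Switch-PrintAlias {
    param(
        # Only the two servers from the article are accepted as targets.
        [Parameter(Mandatory)][ValidateSet('prn-srv01', 'prn-srv02')][string]$Target,
        [string]$ZoneName  = 'lab.net',
        [string]$AliasName = 'print',
        [string]$DnsServer = $env:COMPUTERNAME
    )

    # Refuse to point clients at a server that cannot serve them.
    $spooler = Get-Service -Name Spooler -ComputerName $Target -ErrorAction Stop
    if ($spooler.Status -ne 'Running') { throw "Spooler is not running on $Target" }
    $shared = @(Get-Printer -ComputerName $Target -ErrorAction Stop | Where-Object { $_.Shared })
    if ($shared.Count -eq 0) { throw "No shared printers on $Target" }

    $old = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
        -Name $AliasName -RRType CName -ErrorAction Stop
    $fqdn = "$Target.$ZoneName."
    if ($old.RecordData.HostNameAlias -eq $fqdn) {
        return "$AliasName.$ZoneName already points to $fqdn"
    }

    # Set-DnsServerResourceRecord needs the current record and a modified copy.
    $new = $old.Clone()
    $new.RecordData.HostNameAlias = $fqdn
    $new.TimeToLive = [TimeSpan]::FromMinutes(5)    # keep the short TTL from the article
    Set-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
        -OldInputObject $old -NewInputObject $new -ErrorAction Stop

    "$AliasName.$ZoneName -> $fqdn ($($shared.Count) shared printers available)"
}

# Failover:  Switch-PrintAlias -Target prn-srv02
# Failback:  Switch-PrintAlias -Target prn-srv01
```

With several AD sites, follow the switch with repadmin /syncall as noted earlier, since remote sites keep answering with the old target until replication completes.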

What is the result?


Stormy applause from the management, the admin tossed into the air, a salary increase (an honest 10% of the raise goes to the author of the article) ...
And a few thoughts on further polishing.

Unfortunately, miracles do not happen, and this solution is not a full-fledged failover. If there are non-empty print queues at the moment the main print server collapses, their contents will most likely sink into oblivion and someone will have to send the jobs to print again.

But it makes it very convenient to carry out routine maintenance of the print servers transparently for users.
You follow the recommendations of Microsoft?



Fans of automation can go further and create a script that takes the server names and the synchronization interval as input and does the rest of the setup itself: creates the service account if necessary, the task in the scheduler, etc.

Monitoring gurus will add monitoring of the synchronization task and of errors in the logs.

Fans of digging deeper can think about two-way synchronization in the spirit of AD replication, tracking the time of changes for each printer. PrintBrm will not help here, but nobody has canceled PowerShell!

The cherry on the cake would be automatic installation of printers on client machines using GPP targeted at an AD group. We add the user to the group, and the desired printer arrives. True, that is another story that goes beyond this article.

I hope my publication will be useful to someone. I wish everyone fewer glitches and look forward to questions and suggestions in the comments.

Source: https://habr.com/ru/post/414369/
