Monday, June 7, 2010

Software Update Services

To maintain a secure computing environment, it is critical to keep systems up to date with security patches. Since 1998, Microsoft has provided Windows Update as a Web-based source of information and downloads. With Windows XP and Windows 2000 service pack 3, Microsoft added Automatic Updates, whereby a system automatically connects to Windows Update and downloads any new, applicable patches or “hot-fixes.” Although the Windows Update servers and Automatic Updates client achieve the goal of keeping systems current, many administrators are uncomfortable with either computers or users deciding which patches should be installed, because a patch might interfere with the normal functioning of a business-critical application.
The latest improvements to these technologies deliver Software Update Services (SUS). SUS is a client-server application that enables a server on your intranet to act as a point of administration for updates. You can approve updates for SUS clients, which then download and install the approved updates automatically without requiring local administrator account interaction.
In this lesson you will learn to install and administer SUS on a Windows Server 2003 computer. The following Topic will guide you through issues related to client configuration.
Understanding SUS
Since 1998, Microsoft Windows operating systems have supported Windows Update, a globally distributed source of updates. Windows Update servers interact with client-side software to identify critical updates, security rollups, and enhancements that are appropriate to the client platform, and then to download approved patches.
Administrators wanted a more centralized solution that would assure more direct control over updates that are installed on their clients. Software Update Services is a response to that need. SUS includes several major components:
Software Update Services, running on an Internet Information Services (IIS) server: The server-side component is responsible for synchronizing information about available updates and, typically, downloading updates from the Microsoft Internet-based Windows Update servers or from other intranet servers running SUS.
The SUS administration Web site: All SUS administration is Web-based. After installing and configuring SUS, administration typically consists of ensuring that the SUS server is synchronizing successfully, and approving updates for distribution to network clients.
Automatic Updates: The Automatic Updates client is responsible for downloading updates from either Windows Update or an SUS server, and installing those updates based on a schedule or an administrator’s initiation.
Group Policy settings: Automatic Updates clients can be configured to synchronize from an SUS server rather than the Windows Update servers by modifying the clients’ registries or, more efficiently, by configuring Windows Update policies in a Group Policy Object (GPO).
Installing SUS on a Windows Server 2003 Computer
SUS has both client and server components. The server component runs on a Windows 2000 Server (Service Pack 2 or later) or a Windows Server 2003 computer. Internet Information Services (IIS) must be installed before setting up SUS and, as you learned in Chapter 6, “Files and Folders,” IIS is not installed by default on Windows Server 2003. For information about how to install IIS, see Chapter 6.
SUS is not included with the Windows Server 2003 media, but it is a free download from the Microsoft SUS Web site at http://go.microsoft.com/fwlink/?LinkID=6930.
After downloading the latest version of SUS, double-click the file and the installation routine will start. After you agree to the license agreement, choose Custom setup and the Setup Wizard will prompt you for the following information:
Choose File Locations: Each Windows Update patch consists of two components: the patch file itself and metadata that specifies the platforms and languages to which the patch applies. SUS always downloads metadata, which you will use to approve updates and which clients on your intranet will retrieve from SUS. You can choose whether to download the files themselves and, if so, where to save the updates.
If you choose the Save the Updates to This Local Folder option, the Setup Wizard defaults to the drive with the most free space, and will create a folder called SUS on that drive. You can save the files to any NT file system (NTFS) partition; Microsoft recommends a minimum of 6 gigabytes (GB) of free space.
Language Settings: Although the SUS administrative interface is provided in English and a few additional languages, patches are released for all supported locales. This option specifies the localized versions of Windows servers or clients that you support in your environment.
Handling New Versions Of Previously Approved Updates: Occasionally, an update itself is updated. You can direct SUS to approve automatically updates that are new versions of patches that you have already approved, or you can continue to approve each update manually.
Ready To Install: Before installation begins, the Setup Wizard will remind you of the URL clients should point to, http://SUS_servername. Note this path because you will use it to configure network clients.
Installing Microsoft Software Update Services: The Setup Wizard installs SUS.
Completing the Microsoft Software Update Services Setup Wizard: The final page of the Setup Wizard indicates the URL for the SUS administration site, http://SUS_servername/SUSAdmin. Note this path as well, because you will administer SUS from that Web location. When you click Finish, your Web browser will start and you will be taken automatically to the SUS administration page.

Software Update Services installs the following three components on the server:
■ The Software Update Synchronization Service, which downloads content to the SUS server
■ An IIS Web site that services update requests from Automatic Updates clients
■ An SUS administration Web page, from which you can synchronize the SUS server and approve updates

Configuring and Administering SUS
You will perform three administrative tasks related to SUS: configuring SUS settings, synchronizing content, and approving content. These tasks are performed using the SUS Administration Web site, shown in the figure below, which can be accessed by navigating to http://SUS_servername/SUSAdmin with Internet Explorer 5.5 or later, or by opening Microsoft Software Update Services from the Administrative Tools programs group. The administration of SUS is entirely Web-based.

Configuring Software Update Services
Although some of the configuration of SUS can be specified during a custom installation, all SUS settings are accessible from the SUS Administration Web page. From the Software Update Services administration page, click Set Options in the left navigation bar. The Set Options page is shown in the figure below.
The configuration settings are as follows:
Proxy server configuration: If the server running SUS connects to Windows Update using a proxy server, you must configure proxy settings.
DNS name of the SUS server: In the Server Name box, type the fully qualified domain name (FQDN) of the SUS server, for example, sus1.contoso.com.
Content source: The first SUS server you install will synchronize its content from Microsoft Windows Update. Additional SUS servers can synchronize from Windows Update, from a “parent” SUS server, or from a manually created content distribution point. See the sidebar, “SUS Topology” for more information.
New versions of approved updates: The Set Options page allows you to modify how SUS handles new versions of previously approved updates. This option is discussed earlier in the lesson.
File storage: You can modify the storage of metadata and update files. This option is also discussed earlier in the lesson.
Languages: This setting determines the locale-specific updates that are synchronized. Select only languages for locales that you support in your environment.
Synchronizing SUS
On the SUS Administration Web page, click Synchronize Server. On the Synchronize Server page, as shown in the figure below, you can start a manual synchronization or configure automatic, scheduled synchronization. Click Synchronize Now and, when synchronization is complete, you will be informed of its success or failure, and, if the synchronization was successful, you will be taken to the Approve Updates page.

To schedule synchronization, click Synchronization Schedule. You can configure the time of day for synchronization, as shown in the figure below, and whether synchronization occurs daily or weekly on a specified day. When a scheduled synchronization fails, SUS will try again for the Number of Synchronization Retries to Attempt setting. Retries occur at 30-minute intervals.



Approving Updates
To approve updates for distribution to client computers, click Approve Updates in the left navigation bar. The Approve Updates page, as shown in the figure below, appears. Select the updates that you wish to approve, then click Approve. If you are unsure about the applicability of a particular update, click the Details link in the update summary. The Details page that opens will include a link to the actual *.cab file that is used to install the package, and a link to the Read More page about the update, which will open the Microsoft Knowledge Base article related to the update.


The Automatic Updates Client
The client component of SUS is Windows Automatic Updates, which is supported on Windows 2000, Windows XP, and Windows Server 2003. The Automatic Updates client is included with Windows Server 2003, Windows 2000 Service Pack 3, and Windows XP Service Pack 1.
For clients running earlier releases of the supported platforms, you can download Automatic Updates as a stand-alone client from the Microsoft SUS Web site, at http://go.microsoft.com/fwlink/?LinkID=6930. The client, provided as an .msi file, can be installed on a stand-alone computer or by means of Group Policy (assign the package in the Computer Configuration\Software Settings policy), SMS, or even a logon script. If a localized version of the client is not available, install the English version on any locale.
The Automatic Updates client of Windows Server 2003 is configured to connect automatically to the Microsoft Windows Update server and download updates, then prompt the user to install them. This behavior can be modified by accessing the Automatic Updates tab in the System Properties dialog box, accessible by clicking System in Control Panel, in Windows XP and Windows Server 2003. In Windows 2000, click Automatic Updates in Control Panel. The Automatic Updates tab is shown in the figure below. Automatic Updates can also be configured using GPOs or registry values.

Download Behavior
Automatic Updates supports two download behaviors:
Automatic: Updates are downloaded without notification to the user.
Notification: If Automatic Updates is configured to notify the user before downloading updates, it registers the notification of an available update in the system event log and to a logged-on administrator of the computer. If an administrator is not logged on, Automatic Updates waits for a user with administrator credentials before offering notification by means of a balloon in the notification area of the system tray.
Once update downloading has begun, Automatic Updates uses the Background Intelligent Transfer Service (BITS) to perform the file transfer using idle network bandwidth. BITS ensures that network performance is not hindered due to file transfer. All patches are checked by the SUS server to determine if they have been correctly signed by Microsoft. Similarly, the Automatic Updates client confirms the Microsoft signature and also examines the cyclical redundancy check (CRC) on each package before installing it.
Installation Behavior
Automatic Updates provides two options for installation:
Notification: Automatic Updates registers an event in the system log indicating that updates are ready for installation. Notification will wait until a local administrator is logged on before taking further action. When an administrative user is logged on, a balloon notification appears in the system tray. The administrator clicks the balloon or the notification icon, and then may select from available updates before clicking Install. If an update requires restarting the computer, Automatic Updates cannot detect additional updates that might be applicable until after the restart.
Automatic (Scheduled): When updates have been downloaded successfully, an event is logged to the system event log. If an administrator is logged on, a notification icon appears, and the administrator can manually launch installation at any time until the scheduled installation time.

At the scheduled installation time, an administrator who is logged on will be notified with a countdown message prior to installation, and will have the option to cancel installation, in which case the installation is delayed until the next scheduled time. If a non-administrator is logged on, a warning dialog appears, but the user cannot delay installation. If no user is logged on, installation occurs automatically. If an update requires restart, a five-minute countdown notification appears informing users of the impending restart. Only an administrative user can cancel the restart.

Configuring Automatic Updates Through Group Policy
The Automatic Updates client will, by default, connect to the Microsoft Windows Update server. Once you have installed SUS in your organization, you can direct Automatic Updates to connect to specific intranet servers by configuring the registry of clients manually or by using Windows Update group policies.
To configure Automatic Updates using GPOs, open a GPO and navigate to the Computer Configuration\Administrative Templates\Windows Components\Windows Update node. The Windows Update policies are shown in Figure 9-7.

The following policies are available, each playing an important role in configuring effective update distribution in your enterprise:
Configure Automatic Updates: The Configure Automatic Updates Behavior determines the behavior of the Automatic Updates client. There are three options: Notify For Download And Notify For Install, Auto Download And Notify For Install, and Auto Download And Schedule The Install. These options are combinations of the installation and download behaviors discussed earlier in the lesson.
Reschedule Automatic Updates Scheduled Installations: If installations are scheduled, and the client computer is turned off at the scheduled time, the default behavior is to wait for the next scheduled time. The Reschedule Automatic Updates Scheduled Installations policy, if set to a value between 1 and 60, causes Automatic Updates to reschedule installation for the specified number of minutes after system startup.
No Auto-Restart For Scheduled Automatic Updates Installations: This policy causes Automatic Updates to forgo a restart required by an installed update when a user is logged on to the system. Instead, the user is notified that a restart is required for installation to complete, and can restart the computer at his or her discretion. Remember that Automatic Updates cannot detect new updates until restart has occurred.
Specify Intranet Microsoft Update Service Location: This policy allows you to redirect Automatic Updates to a server running SUS. By default, the client will log its interactions on the SUS server to which it connects. However, this policy allows you to point clients to another server running IIS for statistics logging. This dual policy provides the opportunity for clients to obtain updates from a local SUS server, but for all clients to log SUS statistics in a single location for easier retrieval and analysis of the log data, which is stored as part of the IIS log. IIS logs typically reside in %Windir%\System32\Logfiles\W3svc1.
Automatic Updates clients poll their SUS server every 22 hours, minus a random offset.
Any delay in patching should be treated as unacceptable when security vulnerabilities are being actively exploited. In such situations, install the patch manually so that systems do not have to wait to poll, download, and install patches.
After approved updates have been downloaded from the SUS server, they will be installed as configured—manually or automatically—at the scheduled time. If an approved update is later unapproved, that update is not uninstalled; but it will not be installed by additional clients. An installed update can be uninstalled manually, using the Add Or Remove Programs application in Control Panel.

SUS Troubleshooting
Although SUS works well, there are occasions that warrant monitoring and troubleshooting.
Monitoring SUS
The Monitor Server page of the SUS Administration Web site displays statistics that reflect the number of updates available for each platform, and the date and time of the most recent update. The information is summarized from the Windows Update metadata that is downloaded during each synchronization. Metadata information is written to disk and stored in memory to improve performance as systems request platform-appropriate updates.
You can also monitor SUS and Automatic Updates using the following logs:
Synchronization Log: You can retrieve information about current or past synchronizations, and the specific packages that were downloaded, by clicking View Synchronization Log in the left navigation bar. You can also use any text editor to open the Extensible Markup Language (XML)-based database (History-Sync.xml) directly from the SUS Web site’s \AutoUpdate\Administration directory in IIS.
Approval Log: For information about packages that have been approved, click View Approval Log in the left navigation bar. Alternatively, you can open History-Approve.xml from the SUS Web site’s \AutoUpdate\Administration directory in IIS.
Windows Update Log: The Automatic Updates client logs activity in the %Windir%\Windows Update.log file on the client’s local hard disk.
Wutrack.bin: The client’s interaction with SUS is logged to the specified statistics server’s IIS logs, typically stored in the folder %Windir%\System32\Logfiles\W3svc1. These logs, which are verbose and cryptic, are designed to be analyzed by programs, not by humans.
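Because those IIS logs are meant to be read by programs, a short script can turn them into a list of clients that have stopped reporting. The following is an added example, not part of the original lesson or of SUS itself. It assumes the statistics server writes W3C extended logs with a #Fields header containing date, time, c-ip and cs-uri-stem, that client reports are requests for /wutrack.bin, and that 48 hours (roughly two missed 22-hour polls) is the staleness threshold; the function name and the sample log lines are constructed for illustration.

```powershell
# Added example: list the most recent wutrack.bin report per client and flag stale clients.
function Get-SusClientLastReport {
    param(
        [string[]]$LogLines,          # lines read from a W3C extended IIS log
        [datetime]$NowUtc,            # reference time in UTC (W3C logs record UTC)
        [int]$StaleAfterHours = 48    # assumption: about two missed 22-hour polls
    )
    $fields   = @()
    $lastSeen = @{}
    $culture  = [Globalization.CultureInfo]::InvariantCulture
    $styles   = [Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'

    foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) {
            # The #Fields directive names the columns of the lines that follow it.
            $fields = @($line.Substring(8).Trim() -split '\s+')
            continue
        }
        if ($line.StartsWith('#') -or -not $line.Trim() -or $fields.Count -eq 0) { continue }

        $parts = @($line.Trim() -split ' ')
        if ($parts.Count -ne $fields.Count) { continue }    # skip truncated or malformed lines

        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $parts[$i] }
        if (-not ($row['date'] -and $row['time'] -and $row['c-ip'])) { continue }
        if ($row['cs-uri-stem'] -notmatch '/wutrack\.bin$') { continue }

        $stamp = [datetime]::ParseExact("$($row['date']) $($row['time'])",
                                        'yyyy-MM-dd HH:mm:ss', $culture, $styles)
        $ip = $row['c-ip']
        if (-not $lastSeen.ContainsKey($ip) -or $stamp -gt $lastSeen[$ip]) {
            $lastSeen[$ip] = $stamp
        }
    }

    foreach ($ip in ($lastSeen.Keys | Sort-Object)) {
        $age = [math]::Round(($NowUtc - $lastSeen[$ip]).TotalHours, 1)
        [pscustomobject]@{
            Client     = $ip
            LastReport = $lastSeen[$ip]
            AgeHours   = $age
            Stale      = ($age -gt $StaleAfterHours)
        }
    }
}

# Constructed sample log (query strings omitted); real input would come from
# Get-Content on the files in %Windir%\System32\Logfiles\W3svc1.
$sampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2010-06-04 02:10:11 10.0.0.21 GET /wutrack.bin - 200
2010-06-06 23:41:02 10.0.0.22 GET /wutrack.bin - 200
2010-06-07 03:05:40 10.0.0.22 GET /SUSAdmin/ - 200
2010-06-07 08:15:09 10.0.0.23 GET /wutrack.bin - 200
'@ -split "`r?`n"

Get-SusClientLastReport -LogLines $sampleLog -NowUtc ([datetime]'2010-06-07 12:00:00') |
    Format-Table -AutoSize
```

A client that never appears in the log at all will not be listed, so compare the output against your inventory of managed computers.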
SUS System Events
The synchronization service generates event log messages for each synchronization performed by the server, and when updates are approved. These messages can be viewed in the System log using Event Viewer. The events relate to the following scenarios:

Unable to connect: Automatic Updates could not connect to the update service (Windows Update or the computer’s assigned SUS server).
Install ready—no recurring schedule: Updates listed in the event were downloaded and are pending installation. An administrator must click the notification icon and click Install.
Install ready—recurring schedule: Updates listed in the event are downloaded and will be installed at the date and time specified in the event.
Installation success: Updates listed in the event were installed successfully.
Installation failure: Updates listed in the event failed to install properly.
Restart required—no recurring schedule: An update requires a restart. If installation behavior is set for notification, restart must be performed manually. Windows cannot search for new updates until the restart has occurred.
Restart required—recurring schedule: When Automatic Updates is configured to automatically install updates, an event is registered if an update requires restart. Restart will occur within five minutes. Windows cannot search for new updates until after the restart has occurred.
Troubleshooting SUS
Software Update Services on a Windows Server 2003 computer may require the following troubleshooting steps:
Reloading the memory cache: If no new updates appear since the last time you synchronized the server, it is possible that no new updates are available. However, it is also possible that memory caches are not loading new updates properly. From the SUS administration site, click Monitor Server and then click Refresh.
Restarting the synchronization service: If you receive a message that the synchronization service is not running properly, or if you cannot modify settings in the Set Options page of the administration Web site, open the Microsoft Management Console (MMC) Services snap-in, right-click Software Update Services Synchronization Service and choose Restart.
Restarting IIS: If you cannot connect to the administration site, or if clients cannot connect to the SUS server, restart the World Wide Web Publishing Service in the same manner.
If Automatic Updates clients do not appear to be receiving updates properly, open the registry of a client and ensure that the following values appear in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate:

WUServer: Should have the URL of the SUS server, for example, http://SUS_Servername
WUStatusServer: Should have the URL of the same SUS server or another IIS server on which synchronization statistics are logged
And, in the AU subkey:
UseWUServer: Should be set to dword:00000001
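The registry check described above can be scripted so that it gives the same answer on every client. This is an added example, not part of the original lesson; the function names are illustrative, and the expected server URL http://sus1.contoso.com reuses the sample FQDN from the Set Options discussion as a placeholder for your own server.

```powershell
# Added example: audit the three Automatic Updates policy values on a client.
function Get-PolicyValues {
    # Return all values of one registry key as a hashtable (empty if the key is absent).
    param([string]$Path)
    $values = @{}
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($name in $key.GetValueNames()) { $values[$name] = $key.GetValue($name) }
    }
    return $values
}

function Test-SusClientPolicy {
    param(
        [hashtable]$WindowsUpdate,   # values from ...\Windows\WindowsUpdate
        [hashtable]$AU,              # values from the AU subkey
        [string]$ExpectedServer      # URL noted during SUS setup (placeholder here)
    )
    $findings = @()

    foreach ($name in 'WUServer', 'WUStatusServer') {
        if (-not $WindowsUpdate.ContainsKey($name)) {
            $findings += "$name is missing"
            continue
        }
        $value = [string]$WindowsUpdate[$name]
        $uri = $null
        $parsed = [Uri]::TryCreate($value, [UriKind]::Absolute, [ref]$uri)
        if (-not $parsed -or (('http', 'https') -notcontains $uri.Scheme) -or -not $uri.Host) {
            $findings += "$name is not a usable http(s) URL: '$value'"
            continue
        }
        # Only WUServer must match; WUStatusServer may name another IIS server.
        if ($name -eq 'WUServer' -and $value.TrimEnd('/') -ne $ExpectedServer.TrimEnd('/')) {
            $findings += "WUServer is '$value', expected '$ExpectedServer'"
        }
    }

    if (-not $AU.ContainsKey('UseWUServer')) {
        $findings += 'AU\UseWUServer is missing'
    } elseif ([int]$AU['UseWUServer'] -ne 1) {
        $findings += "AU\UseWUServer is $($AU['UseWUServer']), expected 1"
    }
    return ,$findings    # the comma keeps an empty result as an array
}

# Constructed sample: a client pointed at the wrong server, with no statistics
# server configured and UseWUServer switched off. Yields three findings.
$sampleWU = @{ WUServer = 'http://sus2.contoso.com' }
$sampleAU = @{ UseWUServer = 0 }
Test-SusClientPolicy -WindowsUpdate $sampleWU -AU $sampleAU -ExpectedServer 'http://sus1.contoso.com'

# Live check against the local registry of the client being examined.
$base = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
$live = Test-SusClientPolicy -WindowsUpdate (Get-PolicyValues $base) `
                             -AU (Get-PolicyValues "$base\AU") `
                             -ExpectedServer 'http://sus1.contoso.com'
if ($live.Count -eq 0) { 'Policy values match the expected SUS configuration.' } else { $live }
```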
SUS Backup and Recovery
As with any other server role or application, you must plan for recovery in the event of a server failure.
Backing Up SUS
To back up SUS, you must back up the folder that contains SUS content, the SUS Administration Web site, and the IIS metabase.
First, back up the metabase—an XML database containing the configuration of IIS. Using the MMC IIS snap-in, select the server to back up and, from the Action menu, select All Tasks, then Backup/Restore Configuration. Click Create Backup and enter a name for the backup. When you click OK, the metabase is backed up.
Then back up the following using Ntbackup or another backup utility:
The default Web site, which is located unless otherwise configured in C:\Inetpub\Wwwroot.
The SUS Administration Web site. SUSAdmin is, by default, a subfolder of C:\Inetpub\Wwwroot. In that event, it will be backed up when you back up the default Web site.
The AutoUpdate virtual directory, also by default a subfolder of C:\Inetpub\Wwwroot.
The SUS content location you specified in SUS setup or the SUS options. You can confirm the SUS content location in IIS manager by clicking Default Web Site and examining the path to the Content virtual root in the details pane.
The metabase backup directory, %Windir%\System32\Inetsrv\Metaback, which contains the copy of the metabase made earlier.
This process of backing up the metabase, and then backing up the components of SUS, should be repeated regularly because updates will be added and approved with some frequency.
SUS Server Recovery
To restore a failed SUS server, perform the steps described below. If a certain step is unnecessary, you may skip it, but perform the remaining steps in sequence.
1. Disconnect the server from the network to prevent it from being infected with viruses.
2. Install Windows Server 2003, being sure to give the server the same name it had previously.
3. Install IIS with the same components it had previously.
4. Install the latest service pack and security fixes. If the server must be connected to the network to achieve this step, take all possible precautions to prevent unnecessary exposure.
5. Install SUS into the same folder in which it was previously installed.
6. Run NTbackup to restore the most recent backup of SUS. This will include the SUS content folder, the Default Web Site, including the SUSAdmin and AutoUpdate virtual directories, and the IIS metabase backup.
7. Open the MMC IIS snap-in and select the server to restore. From the Action menu, select All Tasks, then Backup/Restore Configuration and select the backup that was just restored. Click Restore.
8. Confirm the success of your recovery by opening the SUS Administration Web site and clicking Set Options. Check that the previous settings are in place, and that the previously approved updates are still approved.

Wednesday, June 2, 2010

Printers


Maintaining, Monitoring, and Troubleshooting Printers

Once logical printers have been set up, configured and shared on print servers, and once clients have been connected to those printers, you must begin to maintain and monitor those logical and physical printers. This Topic will give you guidance in the maintenance and troubleshooting of printers in a Windows Server 2003 environment. You will learn to support printer drivers, to redirect printers, to configure performance and utilization logs, and to methodically troubleshoot print errors.
Maintaining Printers
There are no regular maintenance tasks for the print service on a Windows Server 2003 computer. The maintenance tasks defined below are typically performed on a periodic, as-needed basis. Keep in mind that when managing printers, actions may affect an entire printer or all printers on the print server, not just individual print jobs.
Managing Printer Drivers
The first grouping of maintenance tasks relates to drivers on the print server. As mentioned earlier in the lesson, it is helpful to install drivers for all client platforms that will use a particular shared printer. Windows clients will download the driver automatically when they connect to the printer. Drivers for various platforms are installed by clicking Additional Drivers on the Sharing tab of a printer’s Properties dialog box.
To update drivers for a single logical printer, select the Advanced tab of the Properties dialog box and click New Driver. You will then be able to select additional drivers by indicating the manufacturer and model, or by clicking Have Disk and providing the manufacturer’s drivers.
You can also manage drivers for the print server as a whole. In the Printers And Faxes folder, select Server Properties from the File menu and click the Drivers tab. Here you can add, remove, reinstall, or access the properties of each of the drivers on the print server. Changes made to these drivers will affect all printers on the server.

If you want to list all of the files related to a particular printer driver, open the print server’s Drivers tab, select the driver, and click Properties. The names and descriptions of all the files that are part of the specific driver will appear. From this list, it is possible to view details regarding any of the files by selecting the file and then clicking Properties.
Redirecting Print Jobs
If a printer is malfunctioning, you can send documents in the queue for that printer to another printer connected to a local port on the computer, or attached to the network. This is called redirecting print jobs. It allows users to continue sending jobs to the logical printer, and prevents users with documents in the queue from having to resubmit the jobs.
To redirect a printer, open the printer’s Properties dialog and click the Ports tab. Select an existing port or add a port. The check box of the port of the malfunctioning printer is immediately cleared unless printer pooling is enabled, in which case you must manually clear the check box.
Because print jobs have already been prepared for the former printer, the printer on the new port must be compatible with the driver used in the logical printer. All print jobs are now redirected to the new port. You cannot redirect individual documents. In addition, any documents currently printing cannot be redirected.
Monitoring Printers
Windows Server 2003 provides several methods to monitor printers and printing resources.
Using System Monitor and Performance Logs and Alerts
The System Monitor and Performance Logs And Alerts snap-ins, both of which are included in the Performance MMC, allow you to observe real-time performance of printers, log metrics for later analysis, or set alert levels and actions. To add a counter to System Monitor, right-click the graph area and choose Add Counters. Select the performance object (in this case Print Queue), the desired counters, and the instance representing the logical printer to monitor.
After selecting Print Queue as the performance object, a list of all available performance counters is provided. You can select any counter and click Explain to learn about that particular performance metric.

The most important performance counters for monitoring printing performance are the following:
Bytes Printed/Sec: The number of bytes of raw data per second that are sent to the printer. Low values for this counter can indicate that a printer is underutilized, either because there are no jobs, print queues are not evenly loaded, or the server is too busy. This value varies according to the type of printer. Consult printer documentation for acceptable printer throughput values.
Job Errors: Number of job errors. Job errors are typically caused by improper port configuration; check port configuration for invalid settings. A printing job instance will increment this counter only once, even if it happens multiple times. Also, some print monitors do not support job error counters, in which case the counter will remain at 0.
Jobs: The number of jobs being spooled.
Total Jobs Printed: The number of jobs sent to the printer since the spooler was started.
Total Pages Printed: The number of pages printed since the spooler was started. This counter provides a close approximation of printer volume, although it may not be perfect, depending on the type of jobs and the document properties for those jobs.

Using System Log
Using Event Viewer, you can examine the System log as a source of information regarding spooler and printer activity. By default, the spooler registers events regarding printer creation, deletion, and modification. You will also find events containing information about printer traffic, hard disk space, spooler errors, and other maintenance issues.
To control or modify spooler event logging, open the Printers And Faxes folder and choose Server Properties from the File menu. Click the Advanced tab to access the properties as shown in the figure below. From this page, you can control printer event log entries and print job notifications. This is also the tab that enables you to move the print spooler folder, an important task when configuring an active print server, or when an existing print spool folder’s disk volume becomes full.

Auditing Printer Access
Printer access, like file and folder access, can be audited. You can specify which groups or users and which actions to audit for a particular printer. After enabling object access auditing policy, you can view resulting audit entries using Event Viewer.
To configure auditing for a printer, open its Properties dialog box, click the Security tab, and then click Advanced. Click the Auditing tab and add entries for specific groups or users. For each security principal you add to the audit entry list, you can configure auditing for successful or failed access based on the standard printer permissions, including Print, Manage Documents, and Manage Printers.
You must then enable the Audit Object Access policy, which is located in group or local policy under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy. After the policy has taken effect, you can examine the Security event log to see and analyze entries made based on printer auditing.
Troubleshooting Printers
Troubleshooting is an important part of printer management. The following guidance will help you understand, identify, and address the types of incidents and problems that may occur in Windows Server 2003 printing.
Remember when troubleshooting that printing includes multiple components, typically:
■ The application that is attempting to print.
■ The logical printer on the computer on which the application is running.
■ The network connection between the print client and the shared logical printer on the server.
■ The logical printer on the server—its spool, drivers, security settings, and so on.
■ The network connection between the print server and the printer.
■ The printer itself—its hardware, configuration, and status.
An efficient way to solve most problems associated with printing is to troubleshoot each component logically and methodically.
Identify the Scope of Failure
If the user can print a job from another application on his or her computer, the error is most likely related to the failed job’s application, rather than to the computer, the network, the print server, or the printer hardware. However, in some cases, using a different driver or data type can solve an application’s print errors.
If the user cannot print to the printer from any application, identify whether the user can print to other printers on the same print server, or on other print servers. If all possibilities fail, and if other users can print to the printers on the network, the error is likely localized to the user’s computer.
Try creating a local printer on the problematic system that points directly to the printer’s port. In other words, bypass the printer server. If this process succeeds, there is a problem on the print server, with communication between the user’s system and the print server, or with the printer connections on the client.
Verify That the Print Client Can Connect to the Print Server
You can confirm connectivity between the print client and the print server by opening the printer window from the Printers And Faxes folder on the client computer. If the printer window opens, showing any documents in the printer queue, the client is successfully connecting to the shared printer. An error opening the printer window would indicate a potential networking, authentication, or security permissions problem. Attempt to ping the print server’s IP address. Click Start, choose Run, and type \\printserver. If the window opens showing the Printers And Faxes folder and any shared folders, the client is connecting to the server. Double-check security permissions on the logical printer.
Verify That the Printer Is Operational
Check the printer itself and ensure that it is in the ready state (ready to print). Print a test page from the printer console. Check the cable connecting the printer to the print server or the network. If the printer is network attached, confirm that the network interface card light is on, indicating network connectivity.
Verify That the Printer Can Be Accessed from the Print Server
Most printers can display their IP address on the printer console or by printing out a configuration page. Confirm that the printer’s IP address matches the IP address of the logical printer’s port. The port’s IP address can be seen in the printer’s Properties dialog box on the Ports tab. Ensure that it is possible to communicate with the printer over the network by pinging the printer’s IP address.
Verify That the Print Server’s Services Are Running
Using the Services MMC, check that services required for the printer are working properly. For example, confirm that the remote procedure call (RPC) service is running on the print server. RPC is required for standard network connections to shared printers. Confirm also that the print spooler service is running on the print server.
You can also examine the volume on which the spool folder is stored to ensure that there is sufficient disk space for spooling. The spool folder location can be discovered and modified in the Server Properties dialog box, which you can access by choosing Server Properties from the File menu of the Printers And Faxes folder.
You should also look at the System log to see if the spooler has registered any error events, and, in the Printers And Faxes Folder, make sure that the printer is not in Offline mode.
Attempt to print a job from an application on the print server. If you can print to the printer from the print server, the problem is not with the printer. If you cannot print to the printer from an application on the print server, create a new printer directed at the same port and attempt to print to the new printer. If that job succeeds, there is a problem in the configuration of the original logical printer. If that job is unsuccessful, there is a problem communicating with the printer, or with the hardware itself.

Advanced Printer Configuration and Management

In the preceding topic (installing and configuring printers), you learned that the Windows printer model is best leveraged when a logical printer is created to support a physical device, either directly attached to the computer or attached to the network, and when that logical printer is shared to printer clients. That logical printer on the print server becomes a central point of configuration and management. The drivers that you install on the printer are downloaded automatically by Windows clients, and the settings you configure for the printer are distributed as the settings for each of the printer’s clients.
This topic takes this virtualization of printers as logical devices to the next level. After examining printer properties, including printer security, you will learn how to create printer pools to provide faster turnaround for client print jobs. You will also learn how to make better use of your printers by creating more than one logical printer for a device to configure, manage, or monitor print jobs or printer usage more effectively. Finally, you will learn how to manage Active Directory printer objects and Internet printing.
Managing Printer Properties
Printers and print jobs are managed from their properties dialog boxes. These properties dialog boxes can be accessed from the Printers And Faxes folder. Right-click a printer and select Properties to configure a printer. Double-click a printer and, in the print queue, right-click a print job and choose Properties to configure a print job. The initial properties of a print job are inherited from the properties of the printer itself. But a print job’s default properties can be modified independently of the printer’s.
Controlling Printer Security
Windows Server 2003 allows you to control printer usage and administration by assigning permissions through the Security tab of the printer’s Properties dialog box. You can assign permissions to control who can use a printer and who can administer the printer or documents processed by the printer. A typical Security tab of a printer’s Properties dialog box is shown in the figure below.

You can use a printer’s access control list (ACL) to restrict usage of a printer and to delegate administration of a printer to users who are not otherwise administrators. Windows Server 2003 provides three levels of printer permissions: Print, Manage Printers, and Manage Documents.
By default, the Print permission is assigned to the Everyone group. Choosing this permission allows all users to send documents to the printer. To restrict printer usage, remove this permission and assign Allow Print permission to other groups or individual users. Alternatively, you can deny Print permission to groups or users. As with file system ACLs, denied permissions override allowed permissions. Also, like file system ACLs, it is best practice to restrict access by assigning allow permissions to a more restricted group of users rather than granting permissions to a broader group and then having to manage access by assigning additional deny permissions.
The Manage Documents permission provides the ability to cancel, pause, resume, or restart a print job. The Creator Owner group is allowed Manage Documents permission. Because a permission assigned to Creator Owner is inherited by the user that creates an object, this permission enables a user to cancel, pause, resume, or restart a print job that he or she has created. The Administrators, Print Operators and Server Operators groups are also allowed the Manage Documents permission, which means they can cancel, pause, resume, or restart any document in the print queue. Those three groups are also assigned the Allow Manage Printers permission, which enables them to modify printer settings and configuration, including the ACL itself.
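The permission rules above, modelled as an added Python example (not code from the original page, and not how Windows stores or evaluates security descriptors). It covers only the three permissions and the default entries the text names; the Executives and Temps groups are hypothetical.

```python
from dataclasses import dataclass

PRINT = "Print"
MANAGE_DOCS = "Manage Documents"
MANAGE_PRINTERS = "Manage Printers"


@dataclass(frozen=True)
class Ace:
    principal: str       # group or user the entry applies to
    permission: str      # one of the three printer permissions
    allow: bool = True   # False models a Deny entry


def default_acl():
    """Default printer ACL as the text lists it."""
    acl = [Ace("Everyone", PRINT), Ace("Creator Owner", MANAGE_DOCS)]
    for group in ("Administrators", "Print Operators", "Server Operators"):
        acl += [Ace(group, MANAGE_DOCS), Ace(group, MANAGE_PRINTERS)]
    return acl


def effective(acl, user, groups, owns_job=False):
    """Permissions the user holds; owns_job=True asks about a job they created."""
    principals = {user, "Everyone", *groups}
    if owns_job:
        principals.add("Creator Owner")
    allowed = {a.permission for a in acl if a.allow and a.principal in principals}
    denied = {a.permission for a in acl if not a.allow and a.principal in principals}
    return allowed - denied   # a Deny entry overrides any Allow


def restrict_to(acl, group):
    """Replace Everyone's Allow Print with Allow Print for a single group."""
    kept = [a for a in acl
            if not (a.principal == "Everyone" and a.permission == PRINT and a.allow)]
    return kept + [Ace(group, PRINT)]


def review(acl):
    """Findings for a printer that is meant to be restricted."""
    findings = []
    if Ace("Everyone", PRINT) in acl:
        findings.append("Everyone still holds Allow Print")
    if any(not a.allow for a in acl):
        findings.append("restricted through Deny entries instead of a narrower Allow")
    return findings


# Constructed ACLs; "Executives" and "Temps" are hypothetical group names.
EXEC_ACL = restrict_to(default_acl(), "Executives")
DENY_ACL = default_acl() + [Ace("Temps", PRINT, allow=False)]

if __name__ == "__main__":
    for label, acl, groups in [("default", default_acl(), set()),
                               ("executives-only", EXEC_ACL, {"Executives"}),
                               ("deny-based", DENY_ACL, {"Temps"})]:
        print(label, sorted(effective(acl, "user1", groups)), review(acl))
```

The deny-based ACL blocks members of Temps but still lets every other account print, which is why `review` reports it twice while the executives-only ACL produces no findings.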

Assigning Forms to Paper Trays
If a print device has multiple trays that regularly hold different paper sizes, you can assign a form to a specific tray. A form defines a paper size. When users print a document of a particular paper size, Windows Server 2003 automatically routes the print job to the paper tray that holds the correct form. Examples of forms include Legal, Letter, A4, Envelope, and Executive.
To assign a form to a paper tray, select the Device Settings tab of the printer’s Properties dialog box, as shown in the figure below. The number of trays shown in the Form To Tray Assignment section depends on the type of printer you have installed and the number of trays it supports. Further down the Device Settings tree are settings to indicate the installation state of printer options, such as additional paper trays, paper handling units, fonts, and printer memory.

Print Job Defaults
The General tab of the printer’s Properties dialog box includes a Printing Preferences button, and the Advanced tab includes a Printing Defaults button. Both of these buttons display a dialog box that lets you control the manner in which jobs are printed by the logical printer, including page orientation (portrait or landscape), double-sided printing (if supported), paper source, resolution, and other document settings. These dialog boxes are identical to each other, and are also identical to the dialog box a user receives when clicking Properties in a Print dialog box.
Why are there three print job Properties dialog boxes? The Printing Defaults dialog box configures default settings for all users of the logical printer. If the printer is shared, its printing defaults become the default properties for all printers connected from clients to the shared printer. The Printing Preferences dialog box configures the user-specific, personal preferences for a printer. Any settings in the Printing Preferences dialog box override printing defaults. The Properties dialog box that can be accessed by clicking Properties in a Print dialog box configures the properties for the specific job that is printed. Those properties will override both printing defaults and printing preferences. This triad of print job property sets allows administrators to configure a printer centrally, by setting printing defaults on the shared logical printer, and allows flexibility and decentralized configuration by users or on a document-by-document basis.
Printer Schedule
The Advanced tab of a printer’s Properties dialog box, as shown in the figure below, allows you to configure numerous additional settings that drive the behavior of the logical printer, its print processor, and its spool. Among the more useful and interesting settings is the printer’s schedule.

The logical printer’s schedule determines when a job is released from the spool, or queue, and sent to the printer itself. A user with Allow Print permission can send a job to the printer at any time, but the job will be held until the printer’s schedule allows it to be directed to the printer’s port. Such a configuration is not appropriate for normal, day-to-day printers. However, a schedule is invaluable for situations in which users are printing large jobs, and you want those jobs to print after hours, or during periods of low use. By configuring a printer’s schedule to be available during night hours, users can send the job to the printer during the day, the printer will complete the jobs overnight, and the users can pick up those printing jobs the next morning.

Setting Up a Printer Pool
A printer pool is one logical printer that supports multiple physical printers, either attached to the server, attached to the network, or a combination thereof. When you create a printer pool, users’ documents are sent to the first available printer—the logical printer representing the pool automatically checks for an available port.
Printer pooling is configured from the Ports tab of the printer’s Properties dialog box. To set up printer pooling, select the Enable Printer Pooling check box, and then select or add the ports containing print devices that will be part of the pool. The figure below shows a printer pool connected to three network-attached printers.

Configuring Multiple Logical Printers for a Single Printer
Although a printer pool is a single logical printer that supports multiple ports, or printers, the reverse structure is more common and more powerful: multiple logical printers supporting a single port, or printer. By creating more than one logical printer directing jobs to the same physical printer, you can configure different properties, printing defaults, security settings, auditing, and monitoring for each logical printer.
For example, you might want to allow executives at MCSEWEB Ltd. to print jobs immediately, bypassing documents that are being printed by other users. To do so, you can create a second logical printer directing to the same port (the same physical printer) as the other users, but with a higher priority.
Use the Add Printer Wizard to generate an additional logical printer. To achieve a multiple logical printer-single port structure, additional printers use the same port as an existing logical printer. The printer name and share name are unique. After the new printer has been added, open its properties and configure the drivers, ACL, printing defaults, and other settings of the new logical printer.
To configure high priority for the new logical printer, click the Advanced tab and set the priority, in the range of 1 (lowest) to 99 (highest). Assuming that you assigned 99 to the executives’ logical printer, and 1 to the printer used by all users, documents sent to the executives’ printer will print before documents queued in the users’ printer. An executive’s document will not interrupt a user’s print job. However, when the printer is free, it will accept jobs from the higher-priority printer before accepting jobs from the lower-priority printer. To prevent users from printing to the executives’ printer, configure its ACL and remove the print permission assigned to the Everyone group, and instead allow only the executives’ security group print permission.
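The priority rules in this section and the schedule behavior described under Printer Schedule, combined in an added simulation (not from the original page, and not the spooler’s actual algorithm). Printer names, job names, times, and the 20:00 to 06:00 window are constructed.

```python
from dataclasses import dataclass, field

DAY = 24 * 60  # minutes


@dataclass
class LogicalPrinter:
    name: str
    priority: int                      # 1 (lowest) to 99 (highest)
    window: tuple = (0, DAY)           # schedule as minutes of day, [start, end)
    queue: list = field(default_factory=list)

    def can_release(self, clock):
        """True if a job is spooled and the schedule allows sending it now."""
        start, end = self.window
        minute = clock % DAY
        if start <= end:
            open_now = start <= minute < end
        else:                          # window wraps past midnight
            open_now = minute >= start or minute < end
        return open_now and bool(self.queue)


def simulate(printers, jobs, limit=7 * DAY):
    """Return [(start_minute, job_name)] in the order the device prints.

    jobs: (submit_minute, logical_printer_name, job_name, print_minutes).
    All logical printers share one port, so one job prints at a time.
    """
    by_name = {p.name: p for p in printers}
    pending = sorted(jobs)
    printed, clock = [], 0
    while clock < limit and (pending or any(p.queue for p in printers)):
        while pending and pending[0][0] <= clock:      # spool submitted jobs
            _, target, job, minutes = pending.pop(0)
            by_name[target].queue.append((job, minutes))
        ready = [p for p in printers if p.can_release(clock)]
        if not ready:
            clock += 1                                  # device idle
            continue
        best = max(ready, key=lambda p: p.priority)     # highest priority first
        job, minutes = best.queue.pop(0)
        printed.append((clock, job))
        clock += minutes                                # runs to completion
    return printed


def demo():
    # Constructed printers and jobs; names and times are hypothetical.
    printers = [
        LogicalPrinter("Users", priority=1),
        LogicalPrinter("Executives", priority=99),
        LogicalPrinter("Overnight", priority=1, window=(20 * 60, 6 * 60)),
    ]
    jobs = [
        (540, "Users", "report-a", 10),          # 09:00
        (542, "Users", "report-b", 5),           # 09:02
        (543, "Executives", "board-deck", 4),    # 09:03, while report-a prints
        (545, "Overnight", "archive-dump", 60),  # 09:05, held until 20:00
    ]
    return simulate(printers, jobs)


if __name__ == "__main__":
    for start, job in demo():
        print(f"{start // 60:02d}:{start % 60:02d}  {job}")
```

The executive job waits for report-a to finish, then prints ahead of report-b even though report-b was queued first; the overnight job stays spooled until its window opens.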

Windows Server 2003 Printer Integration with Active Directory
The print subsystem of Windows Server 2003 is tightly integrated with Active Directory, making it easy for users and administrators to search for and connect to printers throughout an enterprise. All required interaction between printers and Active Directory is configured, by default, to work without administrative intervention. You only need to make changes if the default behavior is not acceptable.
When a logical printer is added to a Windows Server 2003 print server, the printer is automatically published to Active Directory. The print server creates a printQueue object and populates its properties based on the driver and settings of the logical printer.
When any change occurs in the printer’s configuration, the Active Directory printer object is updated. All the configuration information is sent again to the Active Directory store even if some of it has remained unchanged.
If a print server disappears from the network, its printer object is removed from the Active Directory. The printer Pruner service confirms the existence of shared printers represented in Active Directory by contacting the shared printer every eight hours. A printer object will be pruned if the service is unable to contact the printer two times in a row. This might occur if a print server is taken offline. It will happen regularly if printers are shared on Windows 2000 or Windows XP workstations that are shut off overnight or on weekends. However, a print server will recreate the printer objects for its printers when the machine starts, or when the spooler service is restarted. So, again, administrative intervention is not required.
Publishing Windows Printers
Printers that are added by using the Add Printer Wizard are published by default. The Add Printer Wizard does not allow you to prevent the printer from being published to the Active Directory service when you install or add a printer.
If you want to re-publish a printer (for example, after updating its name or other properties), or if you do not want a shared printer published in Active Directory, open the printer’s Properties dialog box, click the Sharing tab, and select or clear the List In The Directory check box.
Logical printers that are shared on computers running Windows NT 4 or Windows NT 3.51 are not published automatically, but can be manually published using the Active Directory Users And Computers MMC console. Simply right-click the OU or other container in which you want to create the printer and choose New Printer.

Manually Configuring Printer Publishing Behavior
All the default system behaviors described above can be modified using local or group policy. Printer policies are located in the Computer Configuration node, under Administrative Templates. For a description of each of these policies, open the Properties dialog box for a specific policy and click the Explain tab.
Printer Location Tracking
Printer location tracking is a feature, disabled by default, that significantly eases a user’s search for a printer in a large enterprise by pre-populating the Location box of the Find Printers dialog box, so that the result set will automatically be filtered to list printers in geographic proximity to the user.
To prepare for printer location tracking, you must have one or more sites or one or more subnets. Site and subnet objects are created and maintained using the Active Directory Sites And Services MMC snap-in or console. You must also configure the Location tab of the site or subnet Properties dialog box using a naming convention that creates a hierarchy of locations, separated by slashes. For example, the location USA/NYC/1802Americas/42/B might refer to a building at 1802 Avenue of the Americas in Manhattan, on the 42nd floor in Area B. A location may span more than one subnet, or more than one site.
You must then enable printer location tracking using the Pre-Populate Printer Search Location Text policy.
Active Directory is able to identify a computer’s site or subnet affiliation based on the computer’s IP address. When the Find Printers dialog box is invoked, the computer’s location, as defined in its corresponding site or subnet object, will be automatically placed in the Location box. A Browse button will also appear, enabling a user to browse the location hierarchy for printers in other locations.
This powerful feature simplifies printer administration and setup considerably. However, it obviously requires careful planning on the back end to ensure that all subnets are defined, and that a reasonable, hierarchical location naming convention has been applied consistently. More information about this feature is available in the online Help and Support Center.
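An added sketch of the lookup described above (not from the original page, and not Active Directory’s own code): a client IP address is mapped to a subnet’s Location string, which then filters the printer list. It assumes the most specific matching subnet wins and that locations match component by component; the subnets and printer names are constructed.

```python
import ipaddress

# Constructed subnet objects: network -> Location string, following the
# slash-separated naming convention from the text (hypothetical values).
SUBNETS = {
    "10.42.0.0/24": "USA/NYC/1802Americas/42/B",
    "10.42.1.0/24": "USA/NYC/1802Americas/42/B",   # one location, two subnets
    "10.41.0.0/24": "USA/NYC/1802Americas/41/A",
    "10.0.0.0/8": "USA",
}

# Constructed printers: name -> Location string (hypothetical values).
PRINTERS = {
    "Laser42B": "USA/NYC/1802Americas/42/B",
    "Color42B-East": "USA/NYC/1802Americas/42/B/East",
    "Laser41A": "USA/NYC/1802Americas/41/A",
    "Plotter-SF": "USA/SFO/Market/3",
}


def client_location(ip):
    """Location of the most specific subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    matches = []
    for cidr, location in SUBNETS.items():
        network = ipaddress.ip_network(cidr)
        if addr in network:
            matches.append((network.prefixlen, location))
    return max(matches)[1] if matches else None


def under(location, prefix):
    """True if location equals prefix or sits below it in the hierarchy."""
    parts, wanted = location.split("/"), prefix.split("/")
    return parts[:len(wanted)] == wanted


def find_printers(location):
    """Printers at or below the given location (the pre-populated search)."""
    return sorted(name for name, loc in PRINTERS.items() if under(loc, location))


def browse(location):
    """Child locations one level below `location` that contain printers."""
    depth = len(location.split("/"))
    children = set()
    for loc in PRINTERS.values():
        parts = loc.split("/")
        if under(loc, location) and len(parts) > depth:
            children.add("/".join(parts[:depth + 1]))
    return sorted(children)


if __name__ == "__main__":
    here = client_location("10.42.1.17")
    print(here, find_printers(here))
    print(browse("USA"))
```

A client on an undefined subnet gets no location at all, and an inconsistent Location string on a printer silently drops it from the filtered results, which is the planning risk the text points out.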
Internet Printing
Windows Server 2003 supports an additional set of functionality through the Internet Printing Protocol (IPP), which enables users to connect to printers and send print jobs over encapsulated Hypertext Transfer Protocol (HTTP). Internet printing also gives administrators the option to manage and configure printers using any variety of Internet browsers and platforms.
Setting Up Internet Printing
Internet printing is not installed or enabled by default in Windows Server 2003. You must install Internet Information Services (IIS). Internet printing is available for installation when you install IIS. To install Internet printing, perform the following steps:
1. Open Add/Remove Programs in Control Panel and click Add/Remove Windows Components.
2. Select Application Server and click Details.
3. Select Internet Information Services (IIS) and click Details.
4. Select Internet Printing.

Once IIS and Internet printing are installed, you can disable or enable the feature using the IIS snap-in or console. Expand the server’s node and click Web Service Extensions. In the details pane, select Internet Printing, and click Prohibit or Allow.
Internet printing creates a Printers virtual directory under the Default Web site. This virtual directory points to %Systemroot%\Web\Printers. The printer site is accessed using Microsoft Internet Explorer 4.01 and later by typing the address of the print server in the Address box followed by the Printers virtual directory name. For example, to access the Internet printing page for Server, type http://Server/printers/.
Using and Managing Internet Printers
You can connect to http://printserver/printers to view all printers on the print server. After locating the desired printer and clicking it, a Web page for that printer is displayed.
As a shortcut, if you know the exact name of the printer to which you want to connect, type the address of the printer using the following format:
http://printserver/printersharename/
Once the printer’s Web page is displayed, you can connect to or manage the printer, assuming you have been allowed appropriate security permissions. When you click Connect on the printer’s Web page, the server generates a .cab file that contains the appropriate printer driver files and downloads the .cab file to the client computer. The printer that is installed is displayed in the Printers folder on the client. The printer can then be used and managed from the Printers And Faxes folder like any other printer. Using a Web browser to manage printers has several advantages:
■ It allows you to administer printers from any computer running a Web browser, regardless of whether the computer is running Windows Server 2003 or has the correct printer drivers installed.
■ It allows you to customize the interface. For example, you can create your own Web page containing a floor plan with the locations of the printers and the links to the printers.
■ It provides a summary page listing the status of all printers on a print server.
■ Internet printing can report real-time print device data, such as whether the print device is in power-saving mode, if the printer driver makes such information available. This information is not available from the Printers And Faxes window.