The Mess of Managing Printers through Group Policy

This is a subject I have written about numerous times before. Here are the previous articles:

• http://nzschooltech.blogspot.com/2009/01/mapping-printers-and-drives-through.html
• http://nzschooltech.blogspot.com/2008/08/pushing-printer-settings-to-client-pcs.html
• http://nzschooltech.blogspot.com/2008/02/using-loopback-policy-to-set-per.html

Here is a brief history of managed printer deployment options in Windows:

• Prior to Windows Server 2003 R2, administrators mass deployed printers to workstations using logon scripts (VBScript etc).
• WS2003 R2 introduced Print Management via Group Policy (PMCSnap). Using the Deploy Printers extensions to GP, and a client executable called PushPrinterConnections.exe (PPC), printers can now be specified in Group Policy and pushed out to XP and later Windows clients. This is supposed to work for both per-user and per-computer printers identically. In practice we have only made per-computer work reliably and find that the old printer connections are not always removed when the GPO is removed from the OU.
• WS2008/Vista introduced printer management via Group Policy Preference extensions. This works a little differently from Deploy Printers. Network shared printers can only be specified per-user (rather than per-computer) and on Vista and later clients, printer drivers are not automatically installed as they are on XP. Both XP and Vista require a Client Side Extension to be installed (distributed as a KB update) to process GPP settings. One nice little feature of GPP is to set a default printer. I am somewhat of the opinion that a mixture of PMCSnap and GPP might overcome the various issues, where a default printer absolutely must be settable.

So… we started using PMCSnap when we got our first 2003 R2 server. Then we started using GPP when we got our first Vista workstation. Now we have gone back to PMCSnap for post-XP clients so that their drivers are installed. We were only able to make PMCSnap work for per-computer and GPP is only really practical for per-user in its current form. To add further to this mish-mash, I decided to switch a select group of staff PCs running XP back to PMCSnap. Here I ran into yet another problem, different versions of PPC (PushPrinterConnections.exe). This is a client executable you deploy via startup or login script to process the Deploy Printer GPO settings. It is only required on XP or below. First time I tried it, I was using a Windows Server 2008 box to run GPMC. No problem, I thought, grab PPC from C:\Windows\System32 just like the documentation says. Version 6.0.something. But it didn’t work. Printers weren’t pushed. Try -the log parameter. GPResult tells me the policy was applied, but no log file so PPC hasn’t been run. Strange. After a lot of testing I decided to grab the WS2003 version of PPC from the R2 server that we still have (C:\Windows\PMCSnap). Version 5.2.something. Well to cut a long story short, it works. Just like that.

SMS Integris (Omnis) Compatibility on Windows Vista and Windows 7

My previous articles on this subject are published here and here. Our site experienced considerable difficulties in making School Management Systems’ Integris 6.90.xx function successfully on Windows Vista even though the vendor does not have a history of problems. The majority of difficulties to date are on 32 bit Vista systems. We do not have a 64 bit edition of Vista for testing. The Integris software is widely used in the UK and Australia by primary and secondary schools, as well as in New Zealand.

On Windows 7, 32 bit and 64 bit Hyper-V virtual machines as well as physical 64-bit installations have been used for testing. So far all problems were experienced only in virtual machines. Difficulties have not been found to date in the physical computers running the Windows 7 Release Candidate, all 64-bit. Our 64-bit VM has Windows 2000 compatibility mode set, but no compat settings have been needed on any physical x64 PCs. It is not necessary to set this application to be run as an administrator on physical x64 PCs, although it is recommended on Vista from our experience. After the compat settings were removed on the x64 VM, no problems have been experienced. Likewise there were no problems initially setting up Vista on a physical x86 computer, which was my own workstation. It was later x86 computers that had problems on Vista. The inconsistencies in problem occurrences on different machines cause me to consider that an update or service pack, or a particular application that a hardware vendor may be supplying, has caused the problems. The Hyper-V server has just been updated to WS2008 Service Pack 2.

The vendor has highlighted that the Omnis runtime 3.3.3.x is not certified by Tiger Logic for Windows 7. It would be therefore inadvisable for any school sysadmin to roll out Integris on Windows 7 site wide until RM-SMS have updated the runtime to a Windows 7 certified edition. There are two possible workarounds for sites that wish to push ahead with Windows 7 rollout:

• Using Windows XP Mode to run Integris. This has to be set up on each client machine, and it requires that the CPU supports Intel VT.
• Using a Terminal Server to run the Integris application for end users. This does not require individual configuration of clients, nor does it require clients to support Intel VT. We will be using this option at our site to allow for remote access to Integris with the secondary benefit of resolving the compatibility issues. We are assuming the 3.3.3.x runtime is Windows Server 2008 compatible as this is the environment that hosts our terminal server.

In the main, while XP Mode is a nice idea, the virtual machine has to be set up for each computer that it runs on. Moreover this requires a compatible CPU as the Windows 7 version of Virtual PC requires hardware virtualisation support. While AMD support VT on all of their non-Opteron CPUs, lower end Intel Pentiums typically omit it. I have the galling situation that all of our recent desktop purchases do not support VT because we did not know about this feature and its significance for future desktop OSs. I think that changing CPUs to get VT support is not worth the hassle for most of the PCs at our site which do not have it, compared to the TS option even though this requires CALs at additional cost. Those CALs have a dual function for enabling remote access and thus the cost is not wasted on physical machine resources that are irrelevant to remote access.

Ministry of Education renews Microsoft Schools Agreement for 2010-2012

The NZ Ministry of Education has renewed the Microsoft Schools Agreement for New Zealand schools for 2010-2012. Whilst I have yet to see the agreement, it continues the trend of these agreements and will provide welcome continuity for school administrators and IT staff. The new agreement provides effective transitions for most existing software packages whilst it also adds Windows 7 Enterprise Edition as a new operating system choice. As Windows XP support is phased out, schools will need to look hard at moving their Windows OS platform to Windows 7, preferably skipping over Vista due to the latter’s many problems which are experienced in domain type environments. Our site is a Windows site for the most part. This leverages the high cost benefit of Windows Server operating systems for managing Windows desktop OSs, the latter being effectively free under these deals except for the modest cost of lower end desktop OEM licenses on new PCs. Microsoft continues as a market leader in new emerging technologies such as virtualisation, in which the developments are likely to benefit education significantly.

I expect as Windows 7 becomes available it will start to be deployed to our staff computers next year and that the Ministry’s leased laptops will start to be delivered with it preinstalled, if not we will install our own house image, building on experience already gained with Vista. That has been a bit of a watershed, and I am still disappointed that Microsoft is not resolving the significant problems that Vista has had in terms of its speed and reliability. I will still have a PC running Windows Vista at my desk for some considerable time, years even, along with XP, because there are still some things out there that won’t run on 7 or have not yet been ported. Although, it is fair to say, with a Hyper-V server, I can run some of those things on an XP virtual machine (for example, the Remote Desktops MMC snap-in) to similar effect without the physical machine. Virtualisation continues to offer new opportunities, and schools such as ours could well extend the use of older PCs using Remote Desktop Services the way that it has traditionally been used in other institutions for years.

Exchange Management Console issue on Windows 7, and miscellaneous firewall errors sending mail on Exchange Server 2007

ISSUE: When you install Exchange Management Console for Exchange Server 2007 SP1 onto a desktop PC running Windows 7 RC or Windows 7 Gold, you may experience error messages when attempting to access the Client Access item of Server Configuration in the console tree. The messages received are similar to the following:

 

The following error(s) were reported while loading topology information:

Get-ActiveSyncVirtualDirectory
Failed
Error:
An error occurred while trying to access IIS (Internet Information Service) metabase. Make sure the Internet Information Service Manager component is installed and configured properly.
Unknown error (0x80005000)

Get-OabVirtualDirectory
Failed
Error:
An error occurred while trying to access IIS (Internet Information Service) metabase. Make sure the Internet Information Service Manager component is installed and configured properly.

Unknown error (0x80005000)

 

Get-OWAVirtualDirectory
Failed
Error:
An error occurred while trying to access IIS (Internet Information Service) metabase. Make sure the Internet Information Service Manager component is installed and configured properly.

Unknown error (0x80005000)

Note: Get-ActiveSyncVirtualDirectory, Get-OabVirtualDirectory and Get-OWAVirtualDirectory are all the names of Powershell cmdlets for Exchange Server 2007. This implies the same errors will be encountered if using these cmdlets in Exchange Management Shell as well.

CAUSE: The IIS management console is not enabled on the client machine.

FIX: To correct this problem, open Programs and Features in the Control Panel. Select to “Turn Windows features on or off”. In the tree expand “Internet Information Services”, then “Web Management Tools”. Check “IIS Management Console”. Click OK. Close and restart EMC or EMS.

REFERENCES:

http://social.technet.microsoft.com/Forums/en-US/exchangesvrtransport/thread/82e1587f-51bd-4839-8867-0ae904670e2d

 

ISSUE: When sending mail to some addresses using Exchange Server 2007 SP1, you may experience occasional errors similar to the following. You are using a Smarthost send connector to send this mail, and there is a Cisco firewall between your exchange server and the external server specified in the Smarthost send connector settings.

Delivery has failed to these recipients or distribution lists:

Xxx Yyy
An error occurred while trying to deliver this message to the recipient's e-mail address. Microsoft Exchange will not try to redeliver this message for you. Please try resending this message, or provide the following diagnostic text to your system administrator.

The following organization rejected your message: <remote SMTP server FQDN>

  _____ 

Sent by Microsoft Exchange Server 2007

Diagnostic information for administrators:

Generating server: <local Exchange server FQDN>

xxx.yyy@domain
<remote SMTP server FQDN> #500 Firewall Error ##

CAUSE: The Cisco firewall has a configuration entry like the following (it may have additional parameters specified after <inspection-list-name> in addition to esmtp):

ip inspect name <inspection-list-name> esmtp

This problem occurs because of incompatibilities or restrictions caused by the Cisco firewall configuration. It is more likely to occur if you are sending an email to multiple recipients or using a distribution list in Exchange.

FIX: Disable this entry in the Cisco firewall configuration by inserting the word “no” at the beginning of the line as shown, so that it should now read something like

no ip inspect name <inspection-list-name> esmtp

REFERENCES:

• http://www.solutions.pro/email-server-generates-500-firewall-error-error-8/
• http://social.technet.microsoft.com/Forums/en-US/exchangesvrtransport/thread/33100b4e-51d5-4a78-8bdd-2632513ae7cc
• http://mattlog.net/2008/12/31/exchange-2007-500-firewall-error/
• http://social.technet.microsoft.com/Forums/en-US/exchangesvrtransport/thread/b3e94524-56d5-4848-842b-83a97fe0c46c (Exchange 2003 specific)
• http://support.microsoft.com/kb/919091 (Exchange 2003 specific)