Event ID 72 — Print Processor Availability

Event ID 72 — Print Processor Availability

Updated: November 30, 2007

Applies To: Windows Server 2008

Print processors are user-mode dynamic link libraries (DLLs) that are responsible for converting a print job’s spooled data into a format that can be sent to a print monitor. They are also responsible for handling application requests to pause, resume, and cancel print jobs.

Event Details

Product: Windows Operating System
ID: 72
Source: Microsoft-Windows-PrintSpooler
Version: 6.0
Symbolic Name: MSG_NO_PRINT_PROC_FOUND_FOR_PRINTER
Message: Windows could not initialize printer %1 because the print processor %2 could not be found. Please obtain and install a new version of the driver from the manufacturer (if available), or choose an alternate driver that works with this print device.

Resolve
Install the Printer Driver

To resolve this error, do the following:

  1. Obtain an updated driver (that displays the Designed for Windows logo) from the printer manufacturer for the specific model of printer.
  2. Delete any printers on the print server that use the original driver for the printer that is experiencing problems.
  3. If you are using Print Management, remove the printer driver and driver package using the following procedure:
    1. Open Print Management from the Administrative Tools folder, select the appropriate server and then click Drivers.
    2. Right-click the driver for the printer that is not working, and then click Remove driver package.
  4. If you do not have Print Management on the computer, use the following procedure to remove the printer driver package:
    1. Open Printers in Control Panel, right-click a blank area, click Run as administrator, click Server Properties, and then click the Drivers tab.
    2. Select the printer driver, click Remove, click Remove driver and driver package, and then click OK.
  5. Install the new printer driver, and then recreate the printer and settings.
  6. After Windows finishes reinstalling the driver, print the document again.

Verify

To verify that you resolved the problem:

  1. Print the document again.
  2. Open the print queue on the server, and then verify that its status Online and that print jobs are printing properly.
  3. If the print server logs spooler information events, look for Print Spooler Event 10 after printing, and then examine the document to confirm that it printed correctly.

Related Management Information

Print Processor Availability

Printing Infrastructure

Related:

Event ID 71 — Terminal Services License Server Security Group Configuration

Event ID 71 — Terminal Services License Server Security Group Configuration

Updated: January 5, 2012

Applies To: Windows Server 2008

When the TS Licensing role service is installed on the server, the Terminal Server Computers local group is created. The license server will respond only to requests for TS CALs from terminal servers whose computer accounts are members of this group if the Computer Configuration\Administrative Templates\Windows Components\Terminal Services\TS Licensing\License server security group Group Policy setting has been enabled and applied to the license server. By default, the Terminal Server Computers local group is empty.

When the TS Licensing role service is removed from the server, the Terminal Server Computers local group is deleted.

Event Details

Product: Windows Operating System
ID: 71
Source: Microsoft-Windows-TerminalServices-Licensing
Version: 6.0
Symbolic Name: TLS_E_LS_CREATE_LOCALGROUP
Message: The Terminal Server Computers local group cannot be created.Win32 error code: %1!s!

Resolve
Create the Terminal Server Computers local group on the license server

To resolve this issue, create the Terminal Server Computers local group on the Terminal Services license server.

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To create the Terminal Server Computers group:

  1. On the license server, open the Local Users and Groups snap-in. To open Local Users and Groups, click Start, click Run, type lusrmgr.msc, and then click OK.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. In the left pane, right-click Groups, and then click New Group.
  4. In Group name, type Terminal Server Computers, click Create, and then click Close.

Note:  If the license server is installed on an Active Directory Domain Services (AD DS) domain controller, use the Active Directory Users and Computers snap-in to create the Terminal Server Computers group. To create the Terminal Server Computers group on a domain controller, you must have membership in the Domain Admins group in AD DS, or you must have been delegated the appropriate authority. To open Active Directory Users and Computers, click Start, click Run, type dsa.msc, and then click OK.

Verify

To verify that the Terminal Server Computers local group is correctly configured on the license server, use the Local Users and Groups snap-in.

Note:  If the license server is installed on an Active Directory Domain Services (AD DS) domain controller, use the Active Directory Users and Computers snap-in to verify that the Terminal Server Computers group is properly configured. To use Active Directory Users and Computers on a domain controller, you must have membership in the Domain Admins group in AD DS, or you must have been delegated the appropriate authority. To open Active Directory Users and Computers, click Start, click Run, type dsa.msc, and then click OK.

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To verify that the Terminal Server Computers group is properly configured:

  1. On the license server, open the Local Users and Groups snap-in. To open Local Users and Groups, click Start, click Run, type lusrmgr.msc, and then click OK.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. In the left pane, click Groups.
  4. In the right pane, the Terminal Server Computers group should be listed. If the License Server security group Group Policy setting is enabled for the license server, the group should contain a list of computer accounts for terminal servers.

Note:  If the TS Licensing role service has been removed from the server, the Terminal Server Computers local group should not be listed.

Related Management Information

Terminal Services License Server Security Group Configuration

Terminal Services

Related:

Event ID 70 — Terminal Services License Server Security Group Configuration

Event ID 70 — Terminal Services License Server Security Group Configuration

Updated: January 5, 2012

Applies To: Windows Server 2008

When the TS Licensing role service is installed on the server, the Terminal Server Computers local group is created. The license server will respond only to requests for TS CALs from terminal servers whose computer accounts are members of this group if the Computer Configuration\Administrative Templates\Windows Components\Terminal Services\TS Licensing\License server security group Group Policy setting has been enabled and applied to the license server. By default, the Terminal Server Computers local group is empty.

When the TS Licensing role service is removed from the server, the Terminal Server Computers local group is deleted.

Event Details

Product: Windows Operating System
ID: 70
Source: Microsoft-Windows-TerminalServices-Licensing
Version: 6.0
Symbolic Name: TLS_I_LS_CREATE_LOCALGROUP
Message: The Terminal Server Computers local group has been created.

Resolve

This is a normal condition. No further action is required.

Related Management Information

Terminal Services License Server Security Group Configuration

Terminal Services

Related:

Event ID 69 — NLB General Functionality

Event ID 69 — NLB General Functionality

Updated: November 13, 2007

Applies To: Windows Server 2008

General Functionality provides information about whether the hosts are functioning properly, such as when a new host has started load balancing traffic, when an inactive host has suspended cluster operations, and when NLB cluster is initiating convergence because a new host is joining the cluster.

Event Details

Product: Windows Operating System
ID: 69
Source: Microsoft-Windows-NLB
Version: 6.0
Symbolic Name: MSG_INFO_CONVERGING_MEMBER_LOST
Message: NLB cluster [%2]: NLB is initiating convergence on host %5 because host %6 is leaving the cluster.

Resolve

This is a normal condition. No further action is required.

Related Management Information

NLB General Functionality

NLB Cluster

Related:

Event ID 68 — Print Spooler Status

Event ID 68 — Print Spooler Status

Updated: November 30, 2007

Applies To: Windows Server 2008

Print Server Status controls basic operations such as initializing the spooler, creating threads, and reading the registry.

Event Details

Product: Windows Operating System
ID: 68
Source: Microsoft-Windows-PrintSpooler
Version: 6.0
Symbolic Name: MSG_SPOOLER_CREATION_FAILED
Message: The print spooler %1 failed to start. To determine the cause of this error, examine the preceding events in the Event Log.

Resolve
Restart the server or troubleshoot hardware problems

Determine whether the computer is low on system resources such as CPU resources, disk I/O performance, or memory. To identify what is causing the system to be low on resources, you can generate a System Diagnostics Report by using Reliability and Performance Monitor.

To perform this procedures, you must be a member of the local Administrators group on the affected computer, or you must have been delegated the appropriate authority.

To collect system information for 60 seconds and generate a System Diagnostics Report:

  1. Open an elevated Command Prompt window. (Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.)
  2. At the command prompt, type perfmon /report and then press ENTER. Reliability and Performance Monitor will start collecting data to create the System Diagnostics Report.
  3. When the report is ready for viewing, locate the Diagnostic Results section of the report and then check for any warnings (indicated by Warning in the report). You can follow links to additional help on resolving warnings from this section. In addition, you can expand each category in the Basic System Checks section to see more details about why warnings appear. Also, the Performance section provides process-level details about top consumers of resources.

If you cannot resolve the issue after reviewing the recommendations of the System Diagnostics Report, possible resolutions include:

  • Notify users, and then restart the print server.
  • Use hardware diagnostic utilities to troubleshoot potential hardware issues.
  • Restore the print server from a stable backup.

Verify

Perform the following tasks to verify that you resolved the problem:

  • Print the document again.
  • If the print server logs spooler information events, look for Print Spooler Event 10 after printing, and then examine the document to confirm that it printed correctly.

Related Management Information

Print Spooler Status

Printing Infrastructure

Related:

Event ID 66 — Remote Desktop License Server Discovery

Event ID 66 — Remote Desktop License Server Discovery

Published: January 8, 2010

Applies To: Windows Server 2008 R2

Remote Desktop license server discovery is the process by which a Remote Desktop Session Host (RD Session Host) server contacts an available license server to request Remote Desktop Services client access licenses (RDS CALs) for the clients that are connecting remotely to the RD Session Host server. If the RD Session Host server cannot discover a license server, client connections may fail.

The recommended discovery scope for a license server is forest discovery scope. If you configure forest discovery scope, RD Session Host servers, without any additional configuration, can automatically discover a license server in the same forest, because the license server is published in Active Directory Domain Services. To configure forest discovery scope, you must be logged on as an enterprise administrator to the forest in which the license server is a member.

Event Details

Product: Windows Operating System
ID: 66
Source: Microsoft-Windows-TerminalServices-Licensing
Version: 6.1
Symbolic Name: TLS_I_LS_UNPUBLISHED
Message: The Remote Desktop license server has been unpublished from Active Directory Domain Services.

Resolve

This is a normal condition. No further action is required.

Related Management Information

Remote Desktop License Server Discovery

Remote Desktop Services

Related:

Event ID 1058 — Group Policy Preprocessing (Networking)

Event ID 1058 — Group Policy Preprocessing (Networking)

Updated: September 21, 2007

Applies To: Windows Server 2008

Group Policy processing requires network connectivity to one or more domain controllers. The Group Policy service reads information from Active Directory and the sysvol share located on a domain controller. The absence of network connectivity prevents Group Policy from applying to the user or computer.

Event Details

Product: Windows Operating System
ID: 1058
Source: Microsoft-Windows-GroupPolicy
Version: 6.0
Symbolic Name: gpEvent_GPT_NOTACCESSIBLE
Message: The processing of Group Policy failed. Windows attempted to read the file %9 from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: a) Name Resolution/Network Connectivity to the current domain controller. b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). c) The Distributed File System (DFS) client has been disabled.

Resolve
Correct connectivity to the Group Policy template

The Group Policy service logs the name of the domain controller and the error code. This information appears on the Details tab of the error message in Event Viewer. The error code (displayed as a decimal) and error description fields further identify the reason for the failure. Evaluate the error code with the list below:

  • Error code 3
  • Error code 5
  • Error code 53

Error code 3 (The system cannot find the path specified)

This error code usually indicates that the client computer cannot find the path specified in the event. 

This failure may be caused by the DFS Client not running. Refer to the Microsoft Knowledge Base article about how to resolve this failure (http://support.microsoft.com/kb/314494).

To test client connectivity to the domain controller’s sysvol:

  1. Identify the domain controller used by computer. The domain controller name is logged in the details of the error event.
  2. Identify if failure happened during user or computer processing. For user policy processing, the User field of the event will show a valid user name; for computer policy processing, the User field will show “SYSTEM”.
  3. Compose full network path to the gpt.ini as \\<dcName>\SYSVOL\<domain>\Policies\<guid>\gpt.ini where <dcName> is the name of the domain controller, <domain> is the name of the domain, and <guid> is the GUID of the policy folder. All of this information appears in the event.
  4. Verify you can read gpt.ini using the full network path obtained in the previous step. To do this, launch a command window and type <file_path>, where <file_path> is the path constructed in the previous step, and press ENTER. NOTE: You must launch this command as the user or computer whose credentials previously failed.
  5. Follow Network troubleshooting procedures to diagnose the problem further (http://go.microsoft.com/fwlink/?LinkId=92706).

Error code 5 (Access is denied)

This error code usually indicates that the user or computer does not have the appropriate permissions to access the path specified in the event.

On the domain controller: Ensure the the user and computer have appropriate permission to read the path specified in the event.

To test computer and user credentials:

  1. Log off and reboot the computer.
  2. Log on the computer with the domain credentials previously used.
  3. If the error still persists after verifying the permissions on the resource, then follow Network troubleshooting procedures to diagnose the problem further (http://go.microsoft.com/fwlink/?LinkId=92706).

Error code 53 (The network path was not found)

This error code usually indicates that the computer cannot resolve the name in the provided network path.

To test network path name resolution:

  1. Identify the domain controller used by the computer. The name of the domain controller is logged in the details of the error event.
  2. Try to connect to the netlogon share on the domain controller using the path \\<dcName>\netlogon where <dcName> is the name the name of the domain controller in the error event.
  3. If the error still persists, then follow Network troubleshooting procedures to diagnose the the problem further (http://go.microsoft.com/fwlink/?LinkId=92706).

Verify

Group Policy applies during computer startup and user logon. Afterward, Group Policy applies every 90 to 120 minutes. Events appearing in the event log may not reflect the most current state of Group Policy. Therefore, you should always refresh Group Policy to determine if Group Policy is working correctly.

To refresh Group Policy on a specific computer:

  1. Open the Start menu. Click All Programs and then click Accessories.
  2. Click Command Prompt.
  3. In the command prompt window, type gpupdate and then press ENTER.
  4. When the gpupdate command completes, open the Event Viewer.

Group Policy is working correctly if the last Group Policy event to appear in the System event log has one of the following event IDs:

  • 1500
  • 1501
  • 1502
  • 1503

Related Management Information

Group Policy Preprocessing (Networking)

Group Policy Infrastructure

Related:

Event ID 65 — Print Color Profile Configuration

Event ID 65 — Print Color Profile Configuration

Updated: November 30, 2007

Applies To: Windows Server 2008

Properly configuring the print color profile enables color printers to print colors that closely match the ones that are displayed on the screen.

Event Details

Product: Windows Operating System
ID: 65
Source: Microsoft-Windows-PrintSpooler
Version: 6.0
Symbolic Name: MSG_UPDATE_COLOR_PROFILE_FAILED
Message: Updating the color profile failed for printer %1 with Win32 error code %2. The colors printed may not be correctly matched to the colors in the document being printed.

Resolve
Manually install the color profile

To resolve this error, do the following:

  • Examine the Windows error listed in the event to determine the reason that Windows could not update the color profile.

    Note: For a complete list of Win32 error messages, see the Microsoft Developer Network (MSDN) Web site: (http://go.microsoft.com/fwlink/?LinkId=83027).

  • Manually install the appropriate color profile for the printer by using the Color Management tool in Control Panel.

Verify

To verify that the color profile for a particular printer is correct, use the Color Management tool in Control Panel.

Related Management Information

Print Color Profile Configuration

Printing Infrastructure

Related:

Event ID 66 — AD CS Certificate Revocation List (CRL) Publishing

Event ID 66 — AD CS Certificate Revocation List (CRL) Publishing

Updated: November 27, 2007

Applies To: Windows Server 2008

Providing clients with the information that they need to determine whether to trust a certificate is one of the most important security functions of a certification authority (CA) and public key infrastructure (PKI). For the administrator, this means promptly revoking untrusted certificates that have not reached their scheduled expiration dates and publishing this information in certificate revocation lists (CRLs). Monitoring and addressing problems with CRL publication and availability is a critical aspect of PKI security.

Event Details

Product: Windows Operating System
ID: 66
Source: Microsoft-Windows-CertificationAuthority
Version: 6.0
Symbolic Name: MSG_E_DELTA_CRL_PUBLICATION
Message: Active Directory Certificate Services could not publish a delta certificate revocation list (CRL) for key %1 to the following location: %2. %3.%5%6

Resolve
Enable AD CS to publish a certificate revocation list

Possible resolutions to this event log message include:

  • If the event log message specifies an Active Directory location that has been formatted as a Lightweight Directory Access Protocol (LDAP) address, confirm that the certification authority (CA) has Write permissions to this location. To do this, follow the procedure in the “Confirm Active Directory CRL distribution point permissions” section.
  • Check the access control list on any file locations referenced in the event log message to confirm that the CA computer has Write permissions to those locations. To do this, follow the procedure in the “Confirm CRL distribution point permissions” section.
  • Follow the procedure in the “Check network connectivity” section to check network connectivity between the CA and domain controller.
  • After any network or permissions problems have been resolved, use the procedure in the “Publish a new CRL” section to publish a new CRL.
  • If you still cannot publish a new CRL, confirm that the CRL distribution point is valid by following the procedure in the “Confirm the validity of configured CRL distribution points” section.

To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.

Confirm Active Directory CRL distribution point permissions

To confirm Active Directory CRL distribution point permissions:

  1. On a computer that has Active Directory management tools installed, click Start, point to Administrative Tools, and click Active Directory Sites and Services.
  2. On the View menu, click Show Services Node.
  3. Double-click Services, and double-click Public Key Services.
  4. Right-click AIA, and click Properties.
  5. Click the Security tab, and confirm that the CA has Write permission to this location.

Confirm file location CRL distribution point permissions

To confirm file location CRL distribution point permissions:

  1. Click Start, type the file share address that you are using to publish CRLs and press ENTER.
  2. Right-click the file share, and click Properties.
  3. Click the Security tab, and confirm that the CA has Write permission to this location.

Check network connectivity

To determine if there is a network connectivity problem between the CA and the domain controller:

  1. Open a command prompt window on the computer hosting the CA.
  2. Type ping <server_FQDN> and press ENTER, where server_FQDN is the fully qualified domain name (FQDN) of the domain controller. If you can connect to the domain controller, you will receive a reply similar to the following:

    Reply from IP_address: bytes=32 time=3ms TTL=59

    Reply from IP_address: bytes=32 time=20ms TTL=59

    Reply from IP_address: bytes=32 time=3ms TTL=59

    Reply from IP_address: bytes=32 time=6ms TTL=59 3.

  3. At the command prompt, type ping <IP_address>, where <IP_address> is the IP address of the domain controller, and then press ENTER.
  4. If you can successfully connect to the domain controller by IP address but not by FQDN, this indicates a possible issue with Domain Name System (DNS) host name resolution.
  5. If you cannot successfully connect to the domain controller by IP address, this indicates a possible issue with network connectivity. Check for and resolve any hardware problems, such as a malfunctioning network card or disconnected network cable, as well as any event log errors relating to firewall configuration Internet Protocol security (IPsec) configuration.

Publish a new CRL

To publish a new CRL by using the Certification Authority snap-in:

  1. Click Start, point to Administrative Tools, and click Certification Authority.
  2. Right-click Revoked Certificates, point to All Tasks, and then click Publish to publish the new CRL.

To publish a new CRL by using the Certutil command-line tool:

  1. Open a command prompt window.
  2. To publish CRLs to all configured CRL publishing locations, type certutil -CRL and press ENTER.
  3. To publish a CRL directly to an Active Directory location, type certutil -dspublish “<crlname.crl>” ldap:///CN=<CA name>,CN=<CA hostname>,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=<contoso>,DC=<com>?certificateRevocationList?base?objectClass=cRLDistributionPoint and press ENTER.

Replace crlname.crl with the name of your CRL file, CA name and CA hostname with your CA name and the name of the host on which that CA runs, and contoso and com with the namespace of your Active Directory domain.

Confirm the validity of configured CRL distribution points

To confirm the validity of configured CRL distribution points:

  1. Click Start, point to Administrative Tools, and click Certification Authority.
  2. Right-click the name of the CA, and click Properties.
  3. Click the Extensions tab. Note the CRL distribution point locations for which the Publish CRLs to this location check box is selected.

You can also determine the configured CRL distribution point URLs by opening a command prompt window on the CA and running the following command: certutil -getreg ca\crlpublicationurls.

Verify

To perform this procedure, you must have Manage CA permission, or you must have been delegated the appropriate authority.

To confirm that certificate revocation list (CRL) publishing is working properly, perform the following procedure on a recently issued end-entity (user or computer) certificate:

  1. Open a command prompt window on a computer that is connected to the network.
  2. Type certutil -url <cert.cer> and press ENTER.

    Replace <cert.cer> with the name of a certificate file that you created by exporting a certificate using the Certificate Export Wizard.

  3. In the dialog box that appears, under Retrieve, click CRLs (from CDP), and click Retrieve.
  4. Confirm that the status of all retrieved CRL distribution points is listed as Verified.

Related Management Information

AD CS Certificate Revocation List (CRL) Publishing

Active Directory Certificate Services

Related:

Event ID 64 — AD CS Certification Authority Certificate and Chain Validation

Event ID 64 — AD CS Certification Authority Certificate and Chain Validation

Updated: July 8, 2009

Applies To: Windows Server 2008 R2

Chain or path validation is the process by which end-entity (user or computer) certificates and all certification authority (CA) certificates are processed hierarchically until the certificate chain terminates at a trusted, self-signed certificate. Typically, this is a root CA certificate. Active Directory Certificate Services (AD CS) startup can fail if there are problems with availability, validity, and chain validation for the CA certificate.

Event Details

Product: Windows Operating System
ID: 64
Source: Microsoft-Windows-CertificateServicesClient-AutoEnrollment
Version: 6.1
Symbolic Name: EVENT_CERT_EXPIRING
Message: Certificate for %1 with Thumbprint %2 is about to expire or has already expired.

Resolve
Renew a CA certificate

A computer certificate on a managed computer, not a certification authority (CA), must be renewed when it passes 90 percent of its validity period or has expired. Because a successful renewal will generally be initiated before the certificate reaches 90 percent of its lifetime, this error indicates that there may be a problem automatically obtaining a new certificate via autoenrollment.

To perform this procedure, you must have membership in local Administrators or Users on the computer that logged the error, or you must have been delegated the appropriate authority.

To renew a CA certificate:

  1. Click Start, type mmc, and then press ENTER.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add. 
  4. Select the user or computer account that logged the error, and click Next.
  5. Click Finish, and then click OK. 
  6. In the console tree, click Certificates – Current User or Certificates (Local Computer), and then click Personal.
  7. In the console tree, double-click Certificates, double-click Personal, and then click Certificates.
  8. Locate the certificate with the thumbprint listed in the event log message.
  9. Right-click the certificate, and select one of the Renew Certificate options to start the Certificate Renewal Wizard and renew the CA certificate.

Verify

To perform this procedure, you must have Manage CA permission, or you must have been delegated the appropriate authority.

To confirm that the certification authority (CA) certificate and chain are valid:

  1. On the computer hosting the CA, click Start, type mmc, and then press ENTER.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.
  4. Click Computer account, and click Next.
  5. Click Finish, and then click OK.
  6. In the console tree, click Certificates (Local Computer), and then click Personal.
  7. Confirm that a CA certificate that has not expired exists in this store.
  8. Right-click this certificate and select Export to launch the Certificate Export Wizard.
  9. Export the certificate to a file named Cert.cer.
  10. Type Start, cmd and press ENTER.
  11. Type certutil -urlfetch -verify <cert.cer> and press ENTER.
  12. If no validation, chain building, or revocation checking errors are reported, the chain is valid.

Related Management Information

AD CS Certification Authority Certificate and Chain Validation

Active Directory Certificate Services

Related: