Enable Hybrid AD/AAD Environment on Universal Print
Applies To: Windows Server 2016
This information is intended to help you decide whether enabling hybrid AD configuration is the right choice for your organization.
What is a hybrid AD configuration?
A hybrid AD configuration is a setup where the organization uses both AD as well as Azure AD. In such an environment, a user account exists in both of these directory services.
What does “Enable hybrid AD configuration” mean?
The Universal Print connector runs as Windows service on the PC where it is installed. One of the connector functions is to retrieve print jobs from Universal Print and send them to the target printer. The connector uses the “System” account to submit print jobs to the spooler. Therefore, although the Universal Print portal will show the Azure AD username who submitted a print job, every print job printed using Universal Print will show up in the Windows printer queue on the connector as submitted by the user “System”.
Some legacy print management applications, that rely on Active Directory domains, read the username from the spooler queue and use that information to perform some function (e.g. deduct the print job from a user’s monthly printing quota). Until these applications are updated to work more seamlessly with Universal Print, they will not be able to obtain the identity of the user who originated a print job.
When the “Enable hybrid AD configuration” option is turned on in the Universal Print connector, the connector attempts to map the Azure AD user identity to a corresponding local AD domain user identity. If a matching identity is found, the connector service then impersonates that user’s domain identity before submitting the print job to the spooler on their behalf. In that case, the domain username of the user who originated the print job will show up in the spooler queue on the connector PC allowing legacy applications to read it.
There are a number of subscriptions, services and computers you'll need to acquire before starting this installation. They are as follows:
Azure AD premium subscription.
See Get started with an Azure subscription for a trial subscription to Azure.
MDM service, such as Intune.
See Microsoft Intune for a trial subscription to Intune.
Windows Server 2016 or later machine running Active Directory.
See Step-By-Step: Setting up Active Directory in Windows Server 2016 for help setting up Active Directory.
A dedicated, domain-joined Windows Server 2016 or later machine running as Print Server and a Connector Server.
See Understand Azure AD Application Proxy connectors for more information.
Public facing domain name.
You can use the domain name created for you by Azure (domainname.onmicrosoft.com), or purchase your own domain name. See Add your custom domain name using the Azure Active Directory portal.
The steps below would enable you to setup a typical Universal Print deployment required for enabling Hybrid AD/AAD Environment.
Step 1 - Install Azure AD Connect
- Azure AD connect synchronizes Azure AD to on-premises AD. On the Windows Server machine with Active Directory, download and install the Azure AD Connect software with express settings. See Getting started with Azure AD Connect using express settings.
Step 2 - Install Application Proxy
Note: Skip this step if the print server is already AzureAD joined.
Application proxy allows users in your organization to access on-premise applications from the cloud. Install Application Proxy on the Connector Server.
- For installation instruction, see Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory.
- A dedicated connector group is recommended if the organization has complex network topology. See Publish applications on separate networks and locations using connector groups.
Step 3 - Setup the Print Server
Make sure the Print Server has all the available Windows Update installed (Update the server before proceeding ahead).
Note: Server 2019 must be patched to build 17763.165 or later.
On the Windows Server machine which acts as a print server, we would need to install the Print Server Role.
- See Install roles, role services, and features by using the add Roles and Features Wizard for details on how to install server roles.
To ensure that the local AD maps with the AAD accounts, the Windows Server that acts as Print Server must be Hybrid Joined/Azure Joined. See Universal Print Setup to ensure that all the steps are completed. In short,
Step 4 - Setup Directory Sync of Local AD with Azure AD
The users or groups must exist in on-premises Active Directory and synchronized with Azure AD. If the solution is deployed to a non-routable domain (e.g. mydomain.local), the Azure AD domain (e.g. domainname.onmicrosoft.com, or one purchased from third-party vendor) needs to be added as a UPN suffix to on-premises Active Directory. This is so the exact same user who will be publishing printers (e.g. firstname.lastname@example.org). See Prepare a non-routable domain for directory synchronization to ensure the local domain is added and synced.
Note: This is an important step as it is the basic requirement for a complete setup. The local AD user must have same username on the synced AAD account.
Example: domain/user1 should translate to user1@AADDomain.com
Once the sync takes place (default synchronization frequency is 30 minutes), you can verify the AD users are synced on the administrative portal. Under Azure Active Directory, select the users tab and a list of all users would appear. It would be easy to verify if a user is directory synced in that list. Details of a user should show that the source is Windows Server AD.
Step 5 - Enabling the hybrid AD/AAD support on Universal Print Connector
On the Print Server where the connector is installed, there must be a toggle button on the top right corner of the application.
- Select the on radio button for Enable hybrid AD configuration option on the connector.
Verify the deployment
Verifying that the deployment would be by sending a test print job to the Print server using your AAD credentials on a AD joined client machine.
The machine must be AAD joined with the same account that it is linked with during the sync step. Go to Settings > Accounts > Email & Accounts. Click on Add a work or school account and login using the credentials to add the AAD account to the client machine.
Steps to submit a test print to verify the deployment are below:
- Add a printer and print a test page
- Once you notice a print job queued in the print queue, the print server under the folder C:/prints should have a test print file appear in the name printerName.pdf.
- If this file appears, you can check if the mapping has successfully occurred by checking the event logs in the path mentioned in the Troubleshooting section for Print Server logs.
Below are common issues encountered during deployment:
|The request to add or remove features on the specified server failed||Ensure Windows Server has the latest update by checking for updates on the server.|
|Check if server is Domain and Azure joined||Run dsregcmd on command prompt and check if AzureADJoined and DomainJoined are set to "YES" state.|
|Print jobs stay in Sent to printer state|
|Print jobs show as "Aborted" in the portal. Print Connector event log shows Event 27 "Failed to impersonate <user> for job <id>, followed by Event 9 "PrintJob failed System.Security.SecurityException: The user name or password is incorrect...".||Check that the computer account is a member of the "Windows Authorization Access Group" as described here - Apps and APIs require access.|
For more trouble shooting help related to Universal Print, see Universal Print troubleshooting guide.
Below are locations of logs that can help troubleshooting:
|Windows 10 Client|
|Print Server||Use Event Viewer to see log of Print Connector. Click on Start and type Event Viewer. Navigate to Applications and Services Logs > Microsoft > Windows > PrintConnector > Operational.|