none
Provide Administrator Credentials to get CALs

    Question

  • Hi

    We have 2 domains (two-way trust). The license server (domain b) has been added to the "Terminal Service License servers" group on both domains. And the Server 2008 clients are members in the license server  "Terminal Server Computers" group. So the clients should be getting CALs (per user configured on both the license server and the clients).

    The problem is that the clients in Domain a don't receive any CAL's from the license server. Unless we provide administration credentials (for the license server) in the "Licensing Diagnosis" tool. Then we get all the available CALs. This is also the suggested resolution by the Licensing Diagnostics....  this fix the problem but leaves me with no idea on what was wrong. We don't find any related errors in the event viewer either.

    And it's obvious that we cannot give administrative rights to the license server. So this is no solution. How can domain a user get per user cals from domain b?

    Any ideas?

    Kind Regards

    /sesun

     

    Tuesday, February 01, 2011 12:27 PM

Answers

  • Hi,

    On your RD/TS Licensing server, please check for event id 4105 warnings with source TerminalServices-Licensing.  If your RD/TS Licensing server is on a DC please make the network service account a member of the Terminal Server License Servers Group in both domains as well.  Restart the RD/TS Licensing service.

    If there are 4105 warnings, please check if they are only regarding users from domain A or both domain A and domain B.  It would not surprise me if there are some from domain B included.

    Please run a Per User CAL Usage Report on your RD/TS Licensing server, then right-click on the generated report and save it as a csv file.  Are any of the users from domain A listed in the csv file?

    Is your AD schema 2003 or have you updated it to 2008?  Below are instructions to correct the 4105 warnings (which when fixed will allow Per User CALs to be tracked).  They are for a 2008 schema being updated from a 2008 DC:

    1. Logon to your 2008 domain A DC as an administrator
    2. Start--Run--adsiedit.msc
    3. In the left pane, navigate to where the OU for your domain A users is located
    4. In the left pane, right-click on CN=<Your OU> and choose Properties
    5. On the Security tab, click the Advanced button
    6. Click the Locations button and select your domain B and click OK (enter creds as needed)
    7. Click the Add button, type Terminal Server License Servers and click OK
    8. On the Properties tab, select Descendant User objects in the Apply onto box
    9. In the Permissions box, select Allow for all of the following:

    Read msTSExpireDate
    Write msTSExpireDate
    Read msTSLicenseVersion
    Write msTSLicenseVersion
    Read msTSManagingLS
    Write msTSManagingLS

    10. Click OK, and click OK again to save your changes

    When you have finished making the above permission changes please test by logging on to your RDS/TS as a standard domain A user.  After the user has logged on, check the event logs of the RD/TS Licensing server, there should not be a event id 4105 Warning for the user in the System log, and there should be a event id 4143 Information entry for the user under Microsoft-Windows-TerminalServices-Licensing/Admin log.

    Please also run another Per User CAL Usage report, save it as a csv, and verify that the test user was issued a Per User TS/RDS CAL.  If you are getting 4105 warnings for domain B as well, please repeat the instructions except this time change the permissions on the OU that your domain B users are in.

    Thanks.

    -TP

    • Marked as answer by sesolandshine Thursday, February 03, 2011 11:09 AM
    Wednesday, February 02, 2011 10:11 AM

All replies

  • Hi,

     

     

    Please make sure you don't specify the following policy to avoid it.

     

    Control the Issuance of Remote Desktop Services Client Access Licenses (RDS CALs)

    http://technet.microsoft.com/en-us/library/cc725704.aspx

     

     

    Meanwhile, please let me know the exact message what is from RD Licensing Diagnostics.

     

     

     

    Thanks.

    Wednesday, February 02, 2011 8:45 AM
  • Hi,

    On your RD/TS Licensing server, please check for event id 4105 warnings with source TerminalServices-Licensing.  If your RD/TS Licensing server is on a DC please make the network service account a member of the Terminal Server License Servers Group in both domains as well.  Restart the RD/TS Licensing service.

    If there are 4105 warnings, please check if they are only regarding users from domain A or both domain A and domain B.  It would not surprise me if there are some from domain B included.

    Please run a Per User CAL Usage Report on your RD/TS Licensing server, then right-click on the generated report and save it as a csv file.  Are any of the users from domain A listed in the csv file?

    Is your AD schema 2003 or have you updated it to 2008?  Below are instructions to correct the 4105 warnings (which when fixed will allow Per User CALs to be tracked).  They are for a 2008 schema being updated from a 2008 DC:

    1. Logon to your 2008 domain A DC as an administrator
    2. Start--Run--adsiedit.msc
    3. In the left pane, navigate to where the OU for your domain A users is located
    4. In the left pane, right-click on CN=<Your OU> and choose Properties
    5. On the Security tab, click the Advanced button
    6. Click the Locations button and select your domain B and click OK (enter creds as needed)
    7. Click the Add button, type Terminal Server License Servers and click OK
    8. On the Properties tab, select Descendant User objects in the Apply onto box
    9. In the Permissions box, select Allow for all of the following:

    Read msTSExpireDate
    Write msTSExpireDate
    Read msTSLicenseVersion
    Write msTSLicenseVersion
    Read msTSManagingLS
    Write msTSManagingLS

    10. Click OK, and click OK again to save your changes

    When you have finished making the above permission changes please test by logging on to your RDS/TS as a standard domain A user.  After the user has logged on, check the event logs of the RD/TS Licensing server, there should not be a event id 4105 Warning for the user in the System log, and there should be a event id 4143 Information entry for the user under Microsoft-Windows-TerminalServices-Licensing/Admin log.

    Please also run another Per User CAL Usage report, save it as a csv, and verify that the test user was issued a Per User TS/RDS CAL.  If you are getting 4105 warnings for domain B as well, please repeat the instructions except this time change the permissions on the OU that your domain B users are in.

    Thanks.

    -TP

    • Marked as answer by sesolandshine Thursday, February 03, 2011 11:09 AM
    Wednesday, February 02, 2011 10:11 AM
  • Hi

    I disabled the policy (Control the issuance of.... ), didn't help. The same error remains: RDS CALs are not available for this Remote Desktop Session Server, and Licensing Diagnosis has identified licensing problems for the RDS Session Host server. The diagnostic tools furthermore gives:

    Suggested Resolution: Provide administrator credentuials for the Remote Desktop Services license server.  Problem:
    To identified possible licensing issues, administrator credentials for the license server are required.

    --

    I do get the event ID 4105 for the users from domain A. Following the next post: The users from domain A have in their security properties the "Terminal Server License Server" group, but this group belongs to domain A.

    I tried to add the group for domain B BUT the search function doesn't find it. I check the property of this domain B  object and it is a "builtin local" group. Wonder if that makes the group invisible for domain A? And perhaps there lies the problem?

    What do you think?

    Thanks for the help!

    /AC

    Thursday, February 03, 2011 11:22 AM
  • Hi,

     

     

    Have you tried to create a Universal Group on the Domain B, and then put the domain A user into this group? If this works, you can add this Universal Group to the Builtin local group when configuring the license permission on domain B.

     

    For the Event 4105, please refer to the following Microsoft article to resolve it.

     

    Event ID 4105 — Terminal Services Per User Client Access License Tracking and Reporting

    http://technet.microsoft.com/en-us/library/cc775179(WS.10).aspx

     

     

    Furthermore, If you use the Windows Server 2008 as the license server to issue CAL, please refer to the hotfix below that helps to fix it when issuing CAL to Windows Server 2008 R2.

     

    An update is available that enables the Terminal Services license servers that are running Windows Server 2008 to be able to use the CALs for the Windows Server 2008 R2 Remote Desktop Services

    http://support.microsoft.com/kb/968074

     

     

     

    Thanks.

    Friday, February 04, 2011 2:45 AM
  • Hi

    Thanks for the help...  but I cannot make it work. I guess I will have to find a workaround...

    The reason is the design of the forest and domains:

    Posted suggestions fails ->

    A. I cannot add the permission "domain B Terminal Server License Server" to the domain A users (RW msTSExpireDate and so on). This because the domain B group is not found in domain A.

    B. Domain A users cannot be added to the universal group in domain B, the reason is: because foreign security principals cannot be members of universal groups.

    Thanks

    /AC

     

    Wednesday, February 09, 2011 8:43 AM