Liscencing for servers outside our domain

  • Thread starter Thread starter TonyZeigler
  • Start date Start date
T

TonyZeigler

Guest
Current setup:
Domain X that serves the main office for our small company.
Domain Y which is a client's server we are setting up for them.

While the client's server is at our site, we would like to allow them to
remote into it, and use liscences from the liscencing server we have in
domain X.

Both servers are 2003. I would be ok setting up a trust between the domains
only if I could lock them down.

Looking for Suggestions :)
 
Re: Liscencing for servers outside our domain

I suppose you are talking about TS CALs and the TS licensing service.
Well, you do not have to worry: TS licensing is domain independent.
Just make sure you point your Terminal Servers to the correct license
server (in Terminal Services Configuration).

I hope this helps.

Helge

On 5 Jul., 19:48, TonyZeigler <TonyZeig...@discussions.microsoft.com>
wrote:
> Current setup:
> Domain X that serves the main office for our small company.
> Domain Y which is a client's server we are setting up for them.
>
> While the client's server is at our site, we would like to allow them to
> remote into it, and use liscences from the liscencing server we have in
> domain X.
>
> Both servers are 2003. I would be ok setting up a trust between the domains
> only if I could lock them down.
>
> Looking for Suggestions :)
 
Re: Liscencing for servers outside our domain

Yep, tried that, but maybe we are doing something wrong. Ie., in the TS
Config of domain Y, we list the liscencing server that is on domain X. It
then gives us an error saying that there is not a valid liscencing server on
that server. We can ping & tracert just fine, but no luck on getting the
liscencing server to respond.

I had been looking thru the articles on the support site and I believe one
of the articles mentioned that the domains had to be trusted. Don't recall
the article number at this point :(

If it is supposed to be possible, any hints on what to look for in regards
to the problem?


"Helge Klein" wrote:

> I suppose you are talking about TS CALs and the TS licensing service.
> Well, you do not have to worry: TS licensing is domain independent.
> Just make sure you point your Terminal Servers to the correct license
> server (in Terminal Services Configuration).
>
> I hope this helps.
>
> Helge
>
> On 5 Jul., 19:48, TonyZeigler <TonyZeig...@discussions.microsoft.com>
> wrote:
> > Current setup:
> > Domain X that serves the main office for our small company.
> > Domain Y which is a client's server we are setting up for them.
> >
> > While the client's server is at our site, we would like to allow them to
> > remote into it, and use liscences from the liscencing server we have in
> > domain X.
> >
> > Both servers are 2003. I would be ok setting up a trust between the domains
> > only if I could lock them down.
> >
> > Looking for Suggestions :)

>
>
>
 
Re: Liscencing for servers outside our domain

There is a group policy setting that affects which TS are allowed to
get licenses from a LS. Check:

Computer Configuration/Administrative Templates/Windows Components/
Terminal Services/Licensing

You can find a detailed description of this in the following white
paper:

Windows Server 2003 Terminal Server Licensing
http://www.microsoft.com/windowsserver2003/techinfo/overview/termservlic.mspx

I hope this helps.

Helge

On 5 Jul., 22:04, TonyZeigler <TonyZeig...@discussions.microsoft.com>
wrote:
> Yep, tried that, but maybe we are doing something wrong. Ie., in the TS
> Config of domain Y, we list the liscencing server that is on domain X. It
> then gives us an error saying that there is not a valid liscencing server on
> that server. We can ping & tracert just fine, but no luck on getting the
> liscencing server to respond.
>
> I had been looking thru the articles on the support site and I believe one
> of the articles mentioned that the domains had to be trusted. Don't recall
> the article number at this point :(
>
> If it is supposed to be possible, any hints on what to look for in regards
> to the problem?
>
> "Helge Klein" wrote:
> > I suppose you are talking about TS CALs and the TS licensing service.
> > Well, you do not have to worry: TS licensing is domain independent.
> > Just make sure you point your Terminal Servers to the correct license
> > server (in Terminal Services Configuration).

>
> > I hope this helps.

>
> > Helge

>
> > On 5 Jul., 19:48, TonyZeigler <TonyZeig...@discussions.microsoft.com>
> > wrote:
> > > Current setup:
> > > Domain X that serves the main office for our small company.
> > > Domain Y which is a client's server we are setting up for them.

>
> > > While the client's server is at our site, we would like to allow them to
> > > remote into it, and use liscences from the liscencing server we have in
> > > domain X.

>
> > > Both servers are 2003. I would be ok setting up a trust between the domains
> > > only if I could lock them down.

>
> > > Looking for Suggestions :)
 
Re: Liscencing for servers outside our domain

Scouted that out - it all went well until I tried to add the computer to the
list of computers. When I try to add the computer it of course says that it
can't find it because I havn't trusted that domain....

(That policy setting was previously not configured).

Ie., it still seems like the root issue - the domains are not trusted - is
still the issue. Given that I don't want the remote users from the client
potentially accessing machines on our domain, is there any secure way to
setup a trust between the domains that limits the Y domain to *just* using
the liscencing server?

Thanks for the help so far tho! At least I'm learning!

"Helge Klein" wrote:

> There is a group policy setting that affects which TS are allowed to
> get licenses from a LS. Check:
>
> Computer Configuration/Administrative Templates/Windows Components/
> Terminal Services/Licensing
>
> You can find a detailed description of this in the following white
> paper:
>
> Windows Server 2003 Terminal Server Licensing
> http://www.microsoft.com/windowsserver2003/techinfo/overview/termservlic.mspx
>
> I hope this helps.
>
> Helge
>
> On 5 Jul., 22:04, TonyZeigler <TonyZeig...@discussions.microsoft.com>
> wrote:
> > Yep, tried that, but maybe we are doing something wrong. Ie., in the TS
> > Config of domain Y, we list the liscencing server that is on domain X. It
> > then gives us an error saying that there is not a valid liscencing server on
> > that server. We can ping & tracert just fine, but no luck on getting the
> > liscencing server to respond.
> >
> > I had been looking thru the articles on the support site and I believe one
> > of the articles mentioned that the domains had to be trusted. Don't recall
> > the article number at this point :(
> >
> > If it is supposed to be possible, any hints on what to look for in regards
> > to the problem?
> >
> > "Helge Klein" wrote:
> > > I suppose you are talking about TS CALs and the TS licensing service.
> > > Well, you do not have to worry: TS licensing is domain independent.
> > > Just make sure you point your Terminal Servers to the correct license
> > > server (in Terminal Services Configuration).

> >
> > > I hope this helps.

> >
> > > Helge

> >
> > > On 5 Jul., 19:48, TonyZeigler <TonyZeig...@discussions.microsoft.com>
> > > wrote:
> > > > Current setup:
> > > > Domain X that serves the main office for our small company.
> > > > Domain Y which is a client's server we are setting up for them.

> >
> > > > While the client's server is at our site, we would like to allow them to
> > > > remote into it, and use liscences from the liscencing server we have in
> > > > domain X.

> >
> > > > Both servers are 2003. I would be ok setting up a trust between the domains
> > > > only if I could lock them down.

> >
> > > > Looking for Suggestions :)

>
>
>
 
Re: Liscencing for servers outside our domain

TS licensing is either domain wide or enterprise wide. Either of these
would not permit a remote server from attaining licenses.



Helge Klein wrote:
> I suppose you are talking about TS CALs and the TS licensing service.
> Well, you do not have to worry: TS licensing is domain independent.
> Just make sure you point your Terminal Servers to the correct license
> server (in Terminal Services Configuration).
>
> I hope this helps.
>
> Helge
>
> On 5 Jul., 19:48, TonyZeigler <TonyZeig...@discussions.microsoft.com>
> wrote:
>> Current setup:
>> Domain X that serves the main office for our small company.
>> Domain Y which is a client's server we are setting up for them.
>>
>> While the client's server is at our site, we would like to allow them to
>> remote into it, and use liscences from the liscencing server we have in
>> domain X.
>>
>> Both servers are 2003. I would be ok setting up a trust between the domains
>> only if I could lock them down.
>>
>> Looking for Suggestions :)

>
>
 
Re: Liscencing for servers outside our domain

From
http://ts.veranoest.net/ts_faq_licensing.htm#LS_untrusted_domains

Q: Can I use a single TS Licensing Server to issue TS CALs to
Terminal Servers in multiple untrusted domains and workgroups?

A: Terminal Server Licensing Servers can only issue TS CALs to
Terminal Servers which are located in the same domain or in trusted
domains. This is documented in this KB article:

279561 - How to Override the License Server Discovery Process in
Windows Server 2003 Terminal Services
http://support.microsoft.com/?kbid=279561

If you want a single TS Licensing Server to issue TS CALs to
Terminal Servers in multiple, untrusted domains and workgroups, you
will have to place the TS Licencing server in a workgroup, not a
domain. Then any Terminal Server in any domain or workgroup will be
able to receive TS CALs from the TS License server.

The License Server Auto Discovery process will not work with this
setup, but adding the Preferred Licensing Server registry key in
the Terminal Servers will fix that. Be sure to add the correct
registry key, follow KB 279561 for 2003 Terminal Servers and 239107
for W2K Terminal Servers.

To give anonymous connections access to the Licensing Server, you
also have to make sure that the access token for anonymous
connections includes the Everyone group.
If the TS Licensing Server runs W2K, configure this local policy
setting:

Local Security Policy - Security Settings\Local Policies
\Security Options\Additional restrictions for anonymous connections
"No access without explicit anonymous permissions" - Disable

If the TS Licensing Server runs 2003, configure this local policy
setting:

Local Security Policy - Security Settings\Local Policies
\Security Options
"Network access: Let Everyone permissions apply to anonymous
users" - Enable
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?VG9ueVplaWdsZXI=?=
<TonyZeigler@discussions.microsoft.com> wrote on 05 jul 2007 in
microsoft.public.windows.terminal_services:

> Scouted that out - it all went well until I tried to add the
> computer to the list of computers. When I try to add the
> computer it of course says that it can't find it because I
> havn't trusted that domain....
>
> (That policy setting was previously not configured).
>
> Ie., it still seems like the root issue - the domains are not
> trusted - is still the issue. Given that I don't want the remote
> users from the client potentially accessing machines on our
> domain, is there any secure way to setup a trust between the
> domains that limits the Y domain to *just* using the liscencing
> server?
>
> Thanks for the help so far tho! At least I'm learning!
>
> "Helge Klein" wrote:
>
>> There is a group policy setting that affects which TS are
>> allowed to get licenses from a LS. Check:
>>
>> Computer Configuration/Administrative Templates/Windows
>> Components/ Terminal Services/Licensing
>>
>> You can find a detailed description of this in the following
>> white paper:
>>
>> Windows Server 2003 Terminal Server Licensing
>> http://www.microsoft.com/windowsserver2003/techinfo/overview/ter
>> mservlic.mspx
>>
>> I hope this helps.
>>
>> Helge
>>
>> On 5 Jul., 22:04, TonyZeigler
>> <TonyZeig...@discussions.microsoft.com> wrote:
>> > Yep, tried that, but maybe we are doing something wrong. Ie.,
>> > in the TS Config of domain Y, we list the liscencing server
>> > that is on domain X. It then gives us an error saying that
>> > there is not a valid liscencing server on that server. We can
>> > ping & tracert just fine, but no luck on getting the
>> > liscencing server to respond.
>> >
>> > I had been looking thru the articles on the support site and
>> > I believe one of the articles mentioned that the domains had
>> > to be trusted. Don't recall the article number at this point
>> > :(
>> >
>> > If it is supposed to be possible, any hints on what to look
>> > for in regards to the problem?
>> >
>> > "Helge Klein" wrote:
>> > > I suppose you are talking about TS CALs and the TS
>> > > licensing service. Well, you do not have to worry: TS
>> > > licensing is domain independent. Just make sure you point
>> > > your Terminal Servers to the correct license server (in
>> > > Terminal Services Configuration).
>> >
>> > > I hope this helps.
>> >
>> > > Helge
>> >
>> > > On 5 Jul., 19:48, TonyZeigler
>> > > <TonyZeig...@discussions.microsoft.com> wrote:
>> > > > Current setup:
>> > > > Domain X that serves the main office for our small
>> > > > company. Domain Y which is a client's server we are
>> > > > setting up for them.
>> >
>> > > > While the client's server is at our site, we would like
>> > > > to allow them to remote into it, and use liscences from
>> > > > the liscencing server we have in domain X.
>> >
>> > > > Both servers are 2003. I would be ok setting up a trust
>> > > > between the domains only if I could lock them down.
>> >
>> > > > Looking for Suggestions :)
 
Back
Top