Re: Liscencing for servers outside our domain
From
http://ts.veranoest.net/ts_faq_licensing.htm#LS_untrusted_domains
Q: Can I use a single TS Licensing Server to issue TS CALs to
Terminal Servers in multiple untrusted domains and workgroups?
A: Terminal Server Licensing Servers can only issue TS CALs to
Terminal Servers which are located in the same domain or in trusted
domains. This is documented in this KB article:
279561 - How to Override the License Server Discovery Process in
Windows Server 2003 Terminal Services
http://support.microsoft.com/?kbid=279561
If you want a single TS Licensing Server to issue TS CALs to
Terminal Servers in multiple, untrusted domains and workgroups, you
will have to place the TS Licencing server in a workgroup, not a
domain. Then any Terminal Server in any domain or workgroup will be
able to receive TS CALs from the TS License server.
The License Server Auto Discovery process will not work with this
setup, but adding the Preferred Licensing Server registry key in
the Terminal Servers will fix that. Be sure to add the correct
registry key, follow KB 279561 for 2003 Terminal Servers and 239107
for W2K Terminal Servers.
To give anonymous connections access to the Licensing Server, you
also have to make sure that the access token for anonymous
connections includes the Everyone group.
If the TS Licensing Server runs W2K, configure this local policy
setting:
Local Security Policy - Security Settings\Local Policies
\Security Options\Additional restrictions for anonymous connections
"No access without explicit anonymous permissions" - Disable
If the TS Licensing Server runs 2003, configure this local policy
setting:
Local Security Policy - Security Settings\Local Policies
\Security Options
"Network access: Let Everyone permissions apply to anonymous
users" - Enable
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting:
http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
=?Utf-8?B?VG9ueVplaWdsZXI=?=
<TonyZeigler@discussions.microsoft.com> wrote on 05 jul 2007 in
microsoft.public.windows.terminal_services:
> Scouted that out - it all went well until I tried to add the
> computer to the list of computers. When I try to add the
> computer it of course says that it can't find it because I
> havn't trusted that domain....
>
> (That policy setting was previously not configured).
>
> Ie., it still seems like the root issue - the domains are not
> trusted - is still the issue. Given that I don't want the remote
> users from the client potentially accessing machines on our
> domain, is there any secure way to setup a trust between the
> domains that limits the Y domain to *just* using the liscencing
> server?
>
> Thanks for the help so far tho! At least I'm learning!
>
> "Helge Klein" wrote:
>
>> There is a group policy setting that affects which TS are
>> allowed to get licenses from a LS. Check:
>>
>> Computer Configuration/Administrative Templates/Windows
>> Components/ Terminal Services/Licensing
>>
>> You can find a detailed description of this in the following
>> white paper:
>>
>> Windows Server 2003 Terminal Server Licensing
>> http://www.microsoft.com/windowsserver2003/techinfo/overview/ter
>> mservlic.mspx
>>
>> I hope this helps.
>>
>> Helge
>>
>> On 5 Jul., 22:04, TonyZeigler
>> <TonyZeig...@discussions.microsoft.com> wrote:
>> > Yep, tried that, but maybe we are doing something wrong. Ie.,
>> > in the TS Config of domain Y, we list the liscencing server
>> > that is on domain X. It then gives us an error saying that
>> > there is not a valid liscencing server on that server. We can
>> > ping & tracert just fine, but no luck on getting the
>> > liscencing server to respond.
>> >
>> > I had been looking thru the articles on the support site and
>> > I believe one of the articles mentioned that the domains had
>> > to be trusted. Don't recall the article number at this point
>> >
>> >
>> > If it is supposed to be possible, any hints on what to look
>> > for in regards to the problem?
>> >
>> > "Helge Klein" wrote:
>> > > I suppose you are talking about TS CALs and the TS
>> > > licensing service. Well, you do not have to worry: TS
>> > > licensing is domain independent. Just make sure you point
>> > > your Terminal Servers to the correct license server (in
>> > > Terminal Services Configuration).
>> >
>> > > I hope this helps.
>> >
>> > > Helge
>> >
>> > > On 5 Jul., 19:48, TonyZeigler
>> > > <TonyZeig...@discussions.microsoft.com> wrote:
>> > > > Current setup:
>> > > > Domain X that serves the main office for our small
>> > > > company. Domain Y which is a client's server we are
>> > > > setting up for them.
>> >
>> > > > While the client's server is at our site, we would like
>> > > > to allow them to remote into it, and use liscences from
>> > > > the liscencing server we have in domain X.
>> >
>> > > > Both servers are 2003. I would be ok setting up a trust
>> > > > between the domains only if I could lock them down.
>> >
>> > > > Looking for Suggestions