Article ID: 2473823 - View products that this article applies to.
This article provides information on the questions around the supportability (or recommended approach) of setting up Remote Desktop (RD) Licensing across domain, forest or workgroups.
Note: In Windows Server 2008 R2, Terminal Services is renamed to Remote Desktop Services (RDS).
Can the RD Licensing (Terminal Server Licensing) server issue a Client Access License (CAL) to users or devices connecting to RD Session Host (Terminal Server) servers under any of the following conditions?
For both Per Device and Per User CALs issuance to work, the RD Session Host and RD Licensing server in any one of the following three configurations:
Here is more information on these scenarios:
RDS Host and RDS licensing servers are in the same workgroup
Please consider the following points while configuring RDS and RDS licensing servers in a workgroup environment:
In Windows 2003, you can create a registry key to override the discovery of the licensing server. For more information, please refer the article How to override the license server discovery process in Windows Server 2003 Terminal Services
In Windows 2008 R2, automatic license server discovery is no longer supported for RD Session Host servers. You must specify the name of a license server for the RD Session Host server to use by using Remote Desktop Session Host Configuration snap-in. For more information, please refer the article Specify a License Server for an RD Session Host Server to Use
RDS Host and RDS licensing serves are in the same domain
In an Active Directory Domain scenario, we can have RDS Host and RDS licensing servers either on the same server or different servers. Please consider the following points while configuring RDS environment in a domain scenario:
· You can install both (Per Device and Per User) CALs on RDS licensing server.
· The computer account for the license server must be a member of the Terminal Server License Servers group in AD DS. If the license server is installed on a domain controller, the Network Service account must also be a member of the Terminal Server License Servers group
· To restrict the issuance of RDS CALs, you can add RDS Host Servers into Terminal Server Computers group on RDS Licensing server and then enable the License server security group policy setting on RDS Licensing server.
· The License server security group policy setting is located in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote \RD Licensing and can be configured by using either the Local Group Policy Editor or the Group Console (GPMC).
RDS Host Servers are in one domain/forest and RDS Licensing server is in another domain/forest
In this kind of scenario, you should consider the following points:
· There should be a two-way trust between these domains/forests. It can be either Forest Trust or External Trust.
· All the required ports should be opened on the firewall. If you have any questions about the ports that need to be opened, please click here
· To issue RDS Per User CALs to users in other domains, there must be a two-way trust between the domains, and the license server must be a member of the Terminal Server License Servers group in those domains.
· To restrict the issuance of RDS CALs, you can add RDS Host Servers into Terminal Server Computers group on RDS Licensing servers.
· Configure RDS licensing server on all RDS Host Servers in each domain/forest. You can do it through RDS host configuration snap-in or through a group policy.
· Add administrators group of each domain/forest in the local administrators of RDS licensing server. This way, you’ll not get a prompt to enter your credentials when you’ll open RDS host configuration snap-ins in trusted domains/forests.
(http://go.microsoft.com/fwlink/?LinkId=151500)for other considerations.
Article ID: 2473823 - Last Review: July 11, 2014 - Revision: 2.0