Verifying Computer Settings for Troubleshooting Terminal Server Licensing

  • Article

Applies To: Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Settings to Verify Before You Troubleshoot

Before you begin troubleshooting, verify that your computer is configured properly and that Terminal Server Licensing is set up and running correctly. Following are important general questions to consider before you begin more specific troubleshooting:

  • Which operating system is the client running (the client that is attempting to connect to the terminal server)?

  • Which operating system is the terminal server running (the terminal server to which the client is attempting to connect)?

  • Do you have a computer that is running the Terminal Server Licensing service?

  • Which operating system is the license server running?

  • How many licenses are available on the license server?

After you have answered these questions, you can proceed with the following more specific troubleshooting steps:

Verify that you have administrative rights on the computer you are troubleshooting

Install all critical security updates for Windows 2000 or Windows Server  2003

Update all of your software, including non-Microsoft software

Verify that the operating system of the Terminal Server license server is compatible with the operating system of the terminal server

Review additional configuration requirements and considerations for implementing Terminal Server Licensing in different environments

Verify that Terminal Server Licensing is correctly installed on the license server

Verify that the Terminal Server Licensing service is started and that the startup type is set to Automatic

Verify that the license server is activated

Verify that the license server has a sufficient number of CALs for clients

Verify that the Terminal Server Licensing mode on the terminal server matches the type of CALs on the license server (applicable to Windows Server 2003 only)

Verify that the Authenticated Users group on the terminal server has the appropriate rights

Verify the value of the RestrictAnonymous registry key

Verify that the TS-License-Server object exists in Active Directory, if the license server is an Enterprise license server

Verify that you have administrative rights on the computer you are troubleshooting

You cannot modify Terminal Server Licensing settings unless you are a member of the Administrators group on the computer that you are administering.

To verify that you are a member of the Administrators group

  1. Open the Computer Management snap-in.

  2. In the console tree, double-click Local Users and Groups, and then click Groups.

  3. In the details pane, double-click Administrators and verify that your account name or a group in which your account is a member appears in the Members list.

You can also tell if you have the appropriate administrative rights to configure Terminal Server Licensing by opening the Terminal Server Licensing tool. If you do not have administrative rights, all of the controls in the Terminal Server Licensing user interface (UI) will appear dimmed and a warning will appear telling you that you must be a computer administrator to change any settings.

To open Terminal Server Licensing

  • Click Start, point to Control Panel, Administrative Tools, and then click Terminal Server Licensing.

Install all critical updates and security updates for Windows 2000 or Windows Server 2003

Some updates might be required for Terminal Server Licensing to function properly.

To verify that you have all critical updates and security patches

  • Click Start, click Windows Update, and then follow the instructions that appear on your screen.

Update all of your software, including non-Microsoft software

Terminal Server Licensing might not function properly unless you update your operating system and programs with the most recent service pack or software updates. For example, if your license servers or terminal servers are running Windows 2000 Service Pack 3 (SP3) or earlier, you should install Service Pack 4 (SP4) on those servers. Newer versions of many programs, such as antivirus programs, might resolve any problems you have.

Verify that the operating system of the Terminal Server license server is compatible with the operating system of the terminal server

Note the following operating system compatibility requirements for Terminal Server Licensing.

  • A license server running Windows Server 2000 cannot issue client access licenses (CALs) to terminal servers running Windows Server 2003 operating systems.

  • A license server running a Windows Server 2003 operating system can issue CALs to terminal servers running Windows Server 2000 or Windows Server 2003, or to terminal servers running Windows Server 2000 and terminal servers running Windows Server 2003 in a mixed environment.

Verify that both the license server and the terminal server are running either the release version of Windows Server 2003 or a pre-release (evaluation) version of Windows Server 2003. A license server that is running a release version of Windows Server 2003 cannot communicate with a terminal server running an evaluation version of Windows Server 2003, and vice-versa.

Note

It is recommended that you do not install Terminal Server Licensing on a compressed drive. This can cause the license server database to become corrupted. The default location for the license server database is systemroot\System32\LServer. If the license server database is corrupted, then you must remove and then reinstall Terminal Server Licensing. If you encounter problems removing and reinstalling Terminal Server Licensing, you might need to contact the Microsoft Clearinghouse. For information about how to contact the Clearinghouse, see Locate the Microsoft Clearinghouse telephone number for your country or region (https://go.microsoft.com/fwlink/?LinkId=48885).

Review additional configuration requirements and considerations for implementing Terminal Server Licensing in different environments

To ensure that license server discovery works as expected, review configuration requirements and considerations, and verify that the requirements have been met for your environment. For information, see Understanding Troubleshooting Considerations for Specific Terminal Server Licensing Environments.

Verify that Terminal Server Licensing is correctly installed on the license server

For step-by-step instructions, see Verify that Terminal Server Licensing is correctly installed on the license server.

Verify that the Terminal Server Licensing service is started and that the startup type is set to Automatic

For step-by-step instructions, see Verify that the Terminal Server Licensing service is started and the startup type is set to Automatic.

Verify that the license server is activated

Windows Server 2003 Terminal Services supports the following licensing modes: Per Device and Per User. A Per Device CAL gives each client computer or device the right to access a terminal server that is running Windows Server 2003. A Per User CAL gives one user the right to access a terminal server from an unlimited number of devices.

By default, when the Per Device licensing mode is used, after a client logs on and authenticates to a terminal server for the first time, and after the terminal server locates a license server, the terminal server issues the client a temporary license. To issue clients permanent, Per Device licenses, a license server must be activated.

Note

If Per User licensing is used, after the terminal server discovers a license server, no further communication takes place between the servers, and client connections are allowed regardless of the number of licenses installed. Therefore, when Per User licensing is used, the license server does not need to be activated.

To activate a license server, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider Using Run as (https://go.microsoft.com/fwlink/?LinkID=48886).

To verify that a license server is activated

  1. Open Terminal Server Licensing. To open Terminal Server Licensing, click Start, point to Control Panel, Administrative Tools, and then click Terminal Server Licensing.

  2. In the console tree, click the license server for which you want to verify the activation status.

  3. In the details pane, verify that activation status is Activated.

  4. If the status is Not Activated and you have Internet connectivity, right-click the server name, click Activate Server, select Automatic connection (recommended), and then click Next.

    If you do not have Internet connectivity, see Activate a Terminal Server License Server (https://go.microsoft.com/fwlink/?LinkId=48888) for alternate license server activation procedures.

  5. Follow the instructions in the wizard.

If necessary, at a later time you can change any license server properties, such as activation method and company information, that you set during the activation process.

Verify that the license server has a sufficient number of CALs for clients

You can use Terminal Server Licensing to verify whether a terminal server has a sufficient number of permanent, Per Device CALs to support the number of clients who require remote connections. When Per Device licensing is used, after a temporary license expires, a client can only connect to a terminal server if the license server can issue a permanent CAL, or if the terminal server is still within its licensing grace period. For step-by-step instructions on how to verify the number of CALs a license server has, see Verify that the license server has a sufficient number of CALs.

Important   Per User CALs are not enforced by Terminal Server. As a result, client connections can occur regardless of the number of licenses installed. This does not remove administrators from End User License Agreement (EULA) requirements to have a valid terminal server CAL for each user, however. Failure to have a Per User CAL for each user, if Per Device CALs are not being used, is a violation of the EULA. To ensure that you are in compliance with the EULA, make sure that you track the number of Per User licenses being used in your organization and that you have a sufficient number of licenses to provide a Per User CAL for each user.

The following text is from the EULA for Windows Server 2003:

"Two different TS CALs are available to you: 'Device' and 'User.' Each TS Device CAL permits one Device (used by any User) to conduct Windows Sessions on any of your Servers. Each TS User CAL permits one User (using any Device) to conduct Windows Sessions on any of your Servers. You may use a mix of TS Device CALs and TS User CALs simultaneously with the Server Software in your environment. You can have a Terminal Server request Per User licenses or Per Device (default) but not both simultaneously."

Note

On license servers running Windows Server 2003 Service Pack 1 (SP1), the numeric values for Per User licenses in the Total and Available columns in the Terminal Server Licensing tool are no longer displayed. Instead, the phrase "Not applicable" appears in these columns, to remind administrators that Per User licenses are not enforced. This phase does not indicate a problem with the installation or operation of Terminal Server Licensing.

Verify that the Terminal Server Licensing mode on the terminal server matches the type of CALs on the license server (applicable to Windows Server 2003 only)

For Terminal Server Licensing to function properly, you must ensure that the Terminal Server Licensing mode that you configure on the terminal server matches the type of CALs you have purchased and installed on the license server. You can verify whether the Terminal Server Licensing mode and type of CALs purchased match by doing one of the following:

Using Terminal Services Configuration (the most direct method)

Using Group Policy (in Windows Server 2003 Service Pack 1)

Note

If you use Group Policy to verify the Terminal Server Licensing mode and if the Group Policy setting is not properly applied to the Group Policy object (GPO) to which the terminal server is assigned, then the licensing mode that is displayed in Group Policy might not be valid. Therefore, using Terminal Services Configuration to verify the Terminal Server Licensing mode is a more direct method.

Using Terminal Services Configuration

To verify that the Terminal Server Licensing mode on the terminal server matches the type of CALs on the license server using Terminal Services Configuration

  1. On the terminal server, open Terminal Services Configuration. To open Terminal Services Configuration, click Start, point to Control Panel, Administrative Tools, and then click Terminal Services Configuration.

  2. In the console tree, click Server Settings.

  3. In the details pane, right-click Licensing Mode, and then click Properties. Note the licensing mode (Per User or Per Device), and then click OK.

    Note

    A Per Device CAL gives each client computer or device the right to access a terminal server that is running Windows Server 2003. A Per User CAL gives one user the right to access a terminal server from an unlimited number of devices.

  4. On the license server, open Terminal Server Licensing.

  5. In the details pane, verify that the type of CALs installed on the license server match the Terminal Server Licensing mode that is configured on the terminal server.

Using Group Policy

To verify that the Terminal Server Licensing mode on the terminal server matches the type of CALs on the license server using Group Policy

  1. On the terminal server, open Group Policy.

  2. In Computer Configuration, Administrative Templates, Windows Components, Terminal Services, double-click Set the Terminal Server licensing mode.

  3. If the setting is enabled, note the licensing mode (Per Device or Per User) that is selected in Specify the licensing mode for the terminal server.

    If the setting is disabled or not configured, the licensing mode that is specified during Setup or in Terminal Services Configuration is used.

    Note

    A Per Device CAL gives each client computer or device the right to access a terminal server that is running Windows Server 2003. A Per User CAL gives one user the right to access a terminal server from an unlimited number of devices.

  4. Click OK.

  5. On the license server, open Terminal Server Licensing.

  6. In the details pane, verify that the type of CALs installed on the license server match the Terminal Server Licensing mode that is configured on the terminal server.

Verify that the Authenticated Users group on the terminal server has the appropriate rights

For Terminal Server Licensing to function correctly, the Authenticated Users group on the terminal server must have the following two rights: Access this computer from the network and Bypass Traverse Checking. By default, the only Group Policy object that has the Access this computer from the network right defined is the Default Domain Controllers policy. Member servers and servers in a workgroup environment have the Access this computer from the network right defined in their local security policy.

To verify that the Authenticated Users group on the terminal server has the appropriate rights

  1. On the terminal server, open the appropriate policy (local policy or Group Policy).

  2. In the console tree, navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\.

  3. In the details pane, right-click Access this computer from the network, and then click Properties.

  4. If Authenticated Users is not in the list of users and groups that have been granted this right, click Add User or Group.

  5. In Select Users or Groups, in Enter the object name to select, type Authenticated Users, click OK, and then click OK again to close the dialog box for this security setting.

  6. In the console tree, right-click Bypass Traverse Checking, and then click Properties.

  7. If Authenticated Users is not in the list of users and groups that have been granted this right, perform steps 5 and 6.

Additionally, users must also be members of the Remote Desktop Users group on the terminal server, as described in the following procedure, or you must assign the equivalent permissions manually. For more information, see Enabling users to connect remotely to the server (https://go.microsoft.com/fwlink/?LinkId=48887).

To add users to the Remote Desktop Users group

  1. Open Computer Management. To open Computer Management, click Start, click Control Panel, double-click Administrative Tools, and then double-click Computer Management.

  2. In the console tree, click the Local Users and Groups node.

  3. In the details pane, double-click the Groups folder.

  4. Double-click Remote Desktop Users, and then click Add. By default, the Remote Desktop Users group is not populated. You must decide which users and groups should have permission to log on remotely, and then manually add them to the group.

  5. On the Select Users dialog box, click Locations... to specify the search location.

  6. Click Object Types... to specify the types of objects you want to search for.

  7. Type the name you want to add in the Enter the object names to select (examples): box.

  8. Click Check Names.

  9. When the name is located, click OK.

Verify the value of the RestrictAnonymous registry key

If you are not using Windows Server 2003 terminal servers with Windows Server 2003-based license servers, verify that the RestrictAnonymous registry key value on the license server is set to 0 or 1. In this scenario, if this registry key value is set to 2, then the license server cannot issue CALS. When the RestrictAnonymous registry value is set to 2, the access token built for non-authenticated users does not include the Everyone group, and because of this, the access token no longer has access to resources that grant permissions to the Everyone group.

Warning

Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

To verify the value of the RestrictAnonymous registry key

  1. On the license server, open Registry Editor. To open Registry Editor, click Start, click Run, type regedit, and then click OK.

  2. Locate, and then click, the following key in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous

  3. Verify the value of the RestrictAnonymousregistry key.

  4. The three valid registry key values for Restrict Anonymous are equivalent to the following security settings in Local Security Policy:

    0 = None (rely on default permissions)

    1 = Do not allow enumeration of SAM accounts and shares

    2 = No access without explicit anonymous permissions

  5. If the value of the registry key is set to 2, then perform the following steps.

  6. Open Local Security Policy, and then navigate to Security Settings\Local Policies\Security Options. To open Local Security Policy, click Start, point to Settings, Control Panel, click Administrative Tools, and then click Local Security Policy.

  7. Double-click Additional restrictions for anonymous connections, and then click No access without explicit anonymous permissions.

  8. Restart the server.

    If the license server is a member of an Active Directory domain and a conflicting security setting is configured for the license server in Group Policy, the Group Policy setting overrides the local security setting. Therefore, to ensure that the required setting changes take effect (if you must change the settings) this procedure describes how to configure the setting change in Group Policy.

    In Windows Server 2003, you cannot set RestrictAnonymous to a value of 2 to prohibit anonymous connections. If you need to prohibit anonymous users from being granted the same access that is granted to members of the Everyone group, you must use the new Everyone Network access: Let Everyone permissions apply to anonymous users setting in Local Security Policies.

Verify that the TS-License-Server object exists in Active Directory, if the license server is an Enterprise license server

To determine the license server role (whether the license server is an Enterprise license server or a Domain license server), check the Role registry key value.

Warning

Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

To check the Role registry key value

  1. On the license server, open Registry Editor. To open Registry Editor, click Start, click Run, type regedit, and then click OK.

  2. Locate, and then click, the following key in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermServerLicensing\Parameters\

    If the registry key value is set to 0, then the license server is a Domain license server.

    If the registry key value is set to 1, then the license server is an Enterprise license server.

If the license server is an Enterprise License server, then the TS-Enterprise-License-Server object must exist in Active Directory.

To verify that the TS-Enterprise-License-Server object exists in Active Directory

  1. Open Active Directory Sites and Services. To open Active Directory Sites and Services, click Start, click Control Panel, click Performance and Maintenance, click Administrative Tools, and then double-click Active Directory Sites and Services.

  2. In the console tree, click Sites, and then click the site that contains the terminal server.

  3. In the details pane, click Licensing Site Settings.

  4. Right-click TS-Enterprise-License-Server, and then click Properties. The SiteServer attribute of the TS-Enterprise-License-Server object must specify the Distinguished Name (also known as DN) of the license server. For example: CN=TS-Enterprise-License-Server, CN=<SiteName>, CN=Configuration, DC=<DomainName>,DC=<RootDomainName>

  5. On the License Settings tab, verify the name of the license server.