[THIN] Re: W2K3 TSCAL License Server in multiple untrusted Domains.

  • From: Martin Stephenson <martin.stephenson@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Wed, 9 Feb 2005 20:31:03 +1000

After several weeks of waiting for an answer from Microsoft (I lodged
a Premier support call on this) they confirmed the requirement where
issuing licenses across domains requires a full 2 way trust between
them.  Which is fine if you're all in the same Forest.

Of course we have multiple untrusted Forests so we needed another
solution which is to place the TS Licensing server in a Workgroup i.e.
not a Domain.  Then any Terminal Server in any Domain which has full
TCP/IP and RPC connectivity will be able to receive CALs from the
License server. (I have not personally tested this beyond confirming
that the TS server can see the License server by using LSView, however
the local and quite helpful Microsoft support engineer assures me it
will work).

As expected the Auto Discovery process will not work with this setup
but adding the Reg key in the TS is something we already do.

One change I would like to see from Microsoft is to allow the use of a
DNS service record to locate the TS Licensing server.  With the
current version the LDAP entry is restricted to License servers in the
same Domain or Forest, which in our case is of no use.

Martin.



On Thu, 16 Dec 2004 09:17:44 +1000, Martin Stephenson
<martin.stephenson@xxxxxxxxx> wrote:
> I just thought of another possible solution, which we will probably
> ask Microsoft when we raise a call about this.
> 
> We could set up the new W2K3 Licence Server in its own Domain and
> Forest and establish inter Forest trusts between this new Licence
> Domain and the other Domains.  That way all of the existing untrusted
> Domains will continue to not trust each other and we will still be
> able to centralise our TSCAL Licensing.
> 
> So has anyone tried this solution?
> 
> Martin.
> 
> On Thu, 16 Dec 2004 09:11:31 +1000, Martin Stephenson
> <martin.stephenson@xxxxxxxxx> wrote:
> > If you take a look at KB279561
> > (http://support.microsoft.com/default.aspx?scid=kb;en-us;q279561) it
> > says "The license servers and the terminal servers must be in the same
> > domain or the servers must be in domains that trust each other."  This
> > seems to be something new to W2K3 as that statement is not in the
> > corresponding KB239107 for W2K.
> >
> > Unfortunately none of the doco I have read from Microsoft, Citrix,
> > Brian Madden or even CNET
> > (http://www.cnetasia.com/enterprise/netadmin/0,39035505,39117823-1,00.htm)
> > details what kind of Licence Server Mode should be used for Multiple
> > Untrusted Domains.  Perhaps Workgroup mode might be the choice for us
> > but I thought someone on this list may know for sure.
> >
> > It seems rather unlikely (political reasons) that we will be able to
> > establish trusts between the existing Domains.  So either we work out
> > a way to make a single W2K3 Licence Server issue TSCALs to multiple
> > untrusted Domains or we set up an individual Licence Server for each
> > Domain.
> >
> > Anyone have a solution?
> >
> > Martin.
> >
> > On Sun, 12 Dec 2004 12:12:14 +0100, Jeremy Thomas <jez@xxxxxxxxxxxxx> wrote:
> > > "Can anyone confirm that for a W2K3 License Server to issue TS CALs to W2K
> > > TS clients on another Domain, do you need to have these 2 Domains Trusted?
> > > If the Trust is required will it work as an Inter Forest Trust and can it
> > > just be in one direction?"
> > >
> > > > I'm basing this on how it's /supposed/ to work, so do test.
> > > > - Per device mode:
> > > > A W2K client (WS or Server) needs to have a TSCAL token to access a W2K3
> > > > terminal server running in "per device" licensing mode. So the TS looks at
> > > > the client and says "hey, that's a valid token" and lets it access TS
> > > > services. It does not care where the TSCAL was issued from, and won't check
> > > > it at that point with the licensing server. However if the TSCAL is due for
> > > > renewal, it will need to go back to the server from which it was issued to
> > > > attempt to renew the lease for that TSCAL and re-issue it.
> > > > - Per user mode:
> > > > The TS says "I'm in per user mode" and does not check the TSCAL. Only works
> > > > for W2K3 - not W2K.
> > > >
> > > > Either way, the terminal server checks periodically that there IS a valid
> > > > license server somewhere (I can't remember exactly when or how).
> > > > No mention of trusts => I think it's safe to assume that this does not have
> > > > anything to do with domain trusts.
> > > > I would have thought that given that the TS licence service is not AD
> > > > integrated, you should find that it works totally independently of anything
> > > > else you have.
> > > >
> > > > I don't know what happens to the TSCAL if you try to use a client on 2
> > > > different systems that are totally unrelated both running in per device
> > > > mode. Theoretically, the license server from A should recognise a TSCAL from
> > > > B as being valid, but then how does it re-issue a TSCAL to a B machine from
> > > > the A license pool? Would it require the client to have 2 TSCALs, one for A,
> > > > one for B? (Note - this is not an issue if the license servers can see each
> > > > other and sort it out between them)
> > >
> > > You do need your license servers set up in Enterprise mode. The only place
> > > I've ever seen that explained unambiguously is in one of Brian Madden's
> > > books.
> > >
> > >
> > > > -----Original Message-----
> > > > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Martin Stephenson
> > > > Sent: Sunday 12 December 2004 2:32
> > > > To: Thin List
> > > > Subject: [THIN] W2K3 TSCAL License Server in multiple untrusted Domains.
> > >
> > > > I have searched through the first couple of hundred hits on this topic
> > > > on the Thin List archive and can't find the answers, so hopefully
> > > > someone here can help.
> > >
> > > We have a requirement to manage all TS CALS on one pair of W2K3
> > > servers, which will be located at a pair of Data Centres in the Head
> > > Office.  We have multiple untrusted AD (W2K & W2K3) Domains and
> > > several Citrix Farms all connected via various quality WAN links.  The
> > > TS servers will have the reg key set which points to the License
> > > Server.
> > >
> > > > We were previously able to use a W2K License Server to issue TS CALs
> > > > to clients in multiple untrusted AD Domains.  In initial testing with
> > > > the W2K3 License Server, we have found that it is no longer issuing
> > > > licenses across untrusted Domains.  There is a KB article that pretty
> > > > much suggests (in a little footnote) that you should have trusted
> > > > Domains for this to work on W2K3.
> > >
> > > Can anyone confirm that for a W2K3 License Server to issue TS CALs to
> > > W2K TS clients on another Domain, do you need to have these 2 Domains
> > > Trusted?  If the Trust is required will it work as an Inter Forest
> > > Trust and can it just be in one direction?
> > >
> > > > Secondly are there any known logon latency issues with having your
> > > > W2K3 TS Licensing Server located at the far end of a WAN link from
> > > > your client W2K TS?  For some reason I have this nagging thought that
> > > > when a user logs into a remote W2K TS and obtains a license from the
> > > > Licensing server located a couple of thousand Km away that there will
> > > > be added delay to the logon process.  And if this is the case, will
> > > > the delay still occur even after the client has received a permanent
> > > > CAL?
> > >
> > > Martin.
> > > ********************************************************
> > > This Weeks Sponsor Activaeon.com
> > > Reduce licensing costs with activAeon XA and
> > > get one month completely free.
> > > http://www.activaeon.com
> > > **********************************************************
> > > Useful Thin Client Computing Links are available at:
> > > http://thin.net/links.cfm
> > > ThinWiki community
> > > http://www.thinwiki.com
> > > ***********************************************************
> > > For Archives, to Unsubscribe, Subscribe or
> > > set Digest or Vacation mode use the below link:
> > > http://thin.net/citrixlist.cfm
> > >
> > > ---
> > > Incoming mail is certified Virus Free.
> > > Checked by AVG anti-virus system (http://www.grisoft.com).
> > > Version: 6.0.808 / Virus Database: 550 - Release Date: 8/12/2004
> > >
> > > ---
> > > Outgoing mail is certified Virus Free.
> > > Checked by AVG anti-virus system (http://www.grisoft.com).
> > > Version: 6.0.808 / Virus Database: 550 - Release Date: 8/12/2004
> > >
> > > ********************************************************
> > > This Weeks Sponsor Activaeon.com
> > > Reduce licensing costs with activAeon XA and
> > > get one month completely free.
> > > http://www.activaeon.com
> > > **********************************************************
> > > Useful Thin Client Computing Links are available at:
> > > http://thin.net/links.cfm
> > > ThinWiki community
> > > http://www.thinwiki.com
> > > ***********************************************************
> > > For Archives, to Unsubscribe, Subscribe or
> > > set Digest or Vacation mode use the below link:
> > > http://thin.net/citrixlist.cfm
> > >
> >
>
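
A check for the setup described in the latest message of this thread (license server named in each terminal server's registry, no auto discovery), added here as an example and not taken from any poster or from Microsoft. The key path is the W2K3 one documented in KB279561; treating TCP 135 (RPC endpoint mapper) and 445 (SMB named pipes) as the ports to probe is an assumption about what "RPC connectivity" needs, and `Test-TcpPort` is a helper defined in the example.

```powershell
# Added example: run on a W2K3 terminal server.
# Key path per Microsoft KB279561; the probed ports are an assumption.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters\LicenseServers'

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a filtered port fails after the timeout
        # instead of blocking for the full TCP retry period.
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

if (-not (Test-Path $key)) {
    Write-Warning 'No LicenseServers key: this server depends on auto discovery.'
    return
}

# Each preferred license server is a subkey named after the server
# (NetBIOS name, FQDN or IP address).
$servers = Get-ChildItem $key | ForEach-Object { $_.PSChildName }
foreach ($server in $servers) {
    foreach ($port in 135, 445) {
        [pscustomobject]@{
            LicenseServer = $server
            Port          = $port
            Reachable     = Test-TcpPort -HostName $server -Port $port
        }
    }
}
```

A reachable port only shows the network path is open; RPC also uses dynamically assigned ports that this does not probe, so LSView on the terminal server remains the functional check.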