Guest TonyZeigler, posted July 5, 2007

Current setup:
Domain X that serves the main office for our small company.
Domain Y which is a client's server we are setting up for them.

While the client's server is at our site, we would like to allow them to remote into it, and use licenses from the licensing server we have in domain X.

Both servers are 2003. I would be ok setting up a trust between the domains only if I could lock them down.

Looking for Suggestions :)

Guest Helge Klein, posted July 5, 2007
Re: Licensing for servers outside our domain

I suppose you are talking about TS CALs and the TS licensing service. Well, you do not have to worry: TS licensing is domain independent. Just make sure you point your Terminal Servers to the correct license server (in Terminal Services Configuration).

I hope this helps.

Helge

On 5 Jul., 19:48, TonyZeigler <TonyZeig...@discussions.microsoft.com> wrote:
> Current setup:
> Domain X that serves the main office for our small company.
> Domain Y which is a client's server we are setting up for them.
>
> While the client's server is at our site, we would like to allow them to
> remote into it, and use licenses from the licensing server we have in
> domain X.
>
> Both servers are 2003. I would be ok setting up a trust between the domains
> only if I could lock them down.
>
> Looking for Suggestions :)

Guest TonyZeigler, posted July 5, 2007
Re: Licensing for servers outside our domain

Yep, tried that, but maybe we are doing something wrong. I.e., in the TS Config of domain Y, we list the licensing server that is on domain X. It then gives us an error saying that there is not a valid licensing server on that server. We can ping & tracert just fine, but no luck on getting the licensing server to respond.

I had been looking thru the articles on the support site and I believe one of the articles mentioned that the domains had to be trusted. Don't recall the article number at this point :(

If it is supposed to be possible, any hints on what to look for in regards to the problem?

"Helge Klein" wrote:
> I suppose you are talking about TS CALs and the TS licensing service.
> Well, you do not have to worry: TS licensing is domain independent.
> Just make sure you point your Terminal Servers to the correct license
> server (in Terminal Services Configuration).
>
> I hope this helps.
>
> Helge

Guest Helge Klein, posted July 5, 2007
Re: Licensing for servers outside our domain

There is a group policy setting that affects which TS are allowed to get licenses from a LS. Check:

Computer Configuration/Administrative Templates/Windows Components/Terminal Services/Licensing

You can find a detailed description of this in the following white paper:

Windows Server 2003 Terminal Server Licensing
http://www.microsoft.com/windowsserver2003/techinfo/overview/termservlic.mspx

I hope this helps.

Helge

On 5 Jul., 22:04, TonyZeigler <TonyZeig...@discussions.microsoft.com> wrote:
> Yep, tried that, but maybe we are doing something wrong. I.e., in the TS
> Config of domain Y, we list the licensing server that is on domain X. It
> then gives us an error saying that there is not a valid licensing server on
> that server. We can ping & tracert just fine, but no luck on getting the
> licensing server to respond.
>
> I had been looking thru the articles on the support site and I believe one
> of the articles mentioned that the domains had to be trusted. Don't recall
> the article number at this point :(
>
> If it is supposed to be possible, any hints on what to look for in regards
> to the problem?

Guest TonyZeigler, posted July 5, 2007
Re: Licensing for servers outside our domain

Scouted that out - it all went well until I tried to add the computer to the list of computers. When I try to add the computer it of course says that it can't find it because I haven't trusted that domain....

(That policy setting was previously not configured).

I.e., it still seems like the root issue - the domains are not trusted - is still the issue. Given that I don't want the remote users from the client potentially accessing machines on our domain, is there any secure way to set up a trust between the domains that limits the Y domain to *just* using the licensing server?

Thanks for the help so far tho! At least I'm learning!

"Helge Klein" wrote:
> There is a group policy setting that affects which TS are allowed to
> get licenses from a LS. Check:
>
> Computer Configuration/Administrative Templates/Windows Components/Terminal Services/Licensing
>
> You can find a detailed description of this in the following white
> paper:
>
> Windows Server 2003 Terminal Server Licensing
> http://www.microsoft.com/windowsserver2003/techinfo/overview/termservlic.mspx
>
> I hope this helps.
>
> Helge

Guest Jeff Pitsch, posted July 6, 2007
Re: Licensing for servers outside our domain

TS licensing is either domain wide or enterprise wide. Either of these would not permit a remote server from attaining licenses.

Helge Klein wrote:
> I suppose you are talking about TS CALs and the TS licensing service.
> Well, you do not have to worry: TS licensing is domain independent.
> Just make sure you point your Terminal Servers to the correct license
> server (in Terminal Services Configuration).
>
> I hope this helps.
>
> Helge

Guest Vera Noest [MVP], posted July 7, 2007
Re: Licensing for servers outside our domain

From http://ts.veranoest.net/ts_faq_licensing.htm#LS_untrusted_domains

Q: Can I use a single TS Licensing Server to issue TS CALs to Terminal Servers in multiple untrusted domains and workgroups?

A: Terminal Server Licensing Servers can only issue TS CALs to Terminal Servers which are located in the same domain or in trusted domains. This is documented in this KB article:

279561 - How to Override the License Server Discovery Process in Windows Server 2003 Terminal Services
http://support.microsoft.com/?kbid=279561

If you want a single TS Licensing Server to issue TS CALs to Terminal Servers in multiple, untrusted domains and workgroups, you will have to place the TS Licensing server in a workgroup, not a domain. Then any Terminal Server in any domain or workgroup will be able to receive TS CALs from the TS License server.

The License Server Auto Discovery process will not work with this setup, but adding the Preferred Licensing Server registry key in the Terminal Servers will fix that. Be sure to add the correct registry key: follow KB 279561 for 2003 Terminal Servers and 239107 for W2K Terminal Servers.

To give anonymous connections access to the Licensing Server, you also have to make sure that the access token for anonymous connections includes the Everyone group.

If the TS Licensing Server runs W2K, configure this local policy setting:
Local Security Policy - Security Settings\Local Policies\Security Options\Additional restrictions for anonymous connections
"No access without explicit anonymous permissions" - Disable

If the TS Licensing Server runs 2003, configure this local policy setting:
Local Security Policy - Security Settings\Local Policies\Security Options
"Network access: Let Everyone permissions apply to anonymous users" - Enable

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

TonyZeigler <TonyZeigler@discussions.microsoft.com> wrote on 05 jul 2007 in microsoft.public.windows.terminal_services:
> Scouted that out - it all went well until I tried to add the
> computer to the list of computers. When I try to add the
> computer it of course says that it can't find it because I
> haven't trusted that domain....
>
> (That policy setting was previously not configured).
>
> I.e., it still seems like the root issue - the domains are not
> trusted - is still the issue. Given that I don't want the remote
> users from the client potentially accessing machines on our
> domain, is there any secure way to set up a trust between the
> domains that limits the Y domain to *just* using the licensing
> server?
>
> Thanks for the help so far tho! At least I'm learning!

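The two Server 2003 settings from Vera Noest's answer can be checked with a short read-only script. This is an added example, not part of the original thread: the registry locations are the standard ones behind KB 279561's preferred license server key and the "Let Everyone permissions apply to anonymous users" policy, and the -Role parameter is an assumption of this script.

```powershell
# Added example (read-only audit), not from the thread. Assumes PowerShell 2.0+
# run locally as administrator; -Role is this script's own parameter.
param(
    [ValidateSet('TerminalServer', 'LicenseServer')]
    [string]$Role = 'TerminalServer'
)

if ($Role -eq 'TerminalServer') {
    # KB 279561 (Server 2003): each preferred license server is a subkey
    # of ...\TermService\Parameters\LicenseServers, named after the server.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters\LicenseServers'
    $servers = @()
    if (Test-Path $key) {
        $servers = @(Get-ChildItem $key | ForEach-Object { $_.PSChildName })
    }
    if ($servers.Count -eq 0) {
        Write-Output 'No preferred license server configured.'
    } else {
        Write-Output ('Preferred license server(s): ' + ($servers -join ', '))
    }
}
else {
    # True when this machine is domain-joined, False when it is in a workgroup.
    $partOfDomain = (Get-WmiObject Win32_ComputerSystem).PartOfDomain

    # "Network access: Let Everyone permissions apply to anonymous users"
    # is stored as Lsa\EveryoneIncludesAnonymous (1 = enabled).
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $anonEveryone = ($lsa.EveryoneIncludesAnonymous -eq 1)

    Write-Output "Joined to a domain:                  $partOfDomain"
    Write-Output "Everyone applies to anonymous users: $anonEveryone"

    if ($partOfDomain) {
        Write-Output 'Domain-joined: only same-domain or trusted-domain Terminal Servers get TS CALs.'
    } elseif (-not $anonEveryone) {
        Write-Output 'Workgroup license server, but the anonymous-access policy from the answer is not enabled.'
    } else {
        Write-Output 'Workgroup license server with the anonymous-access policy enabled.'
        Write-Output 'Anonymous users now receive whatever Everyone is granted on this host; keep it a dedicated license server.'
    }
}
```

Run it with -Role TerminalServer on the client's server in domain Y and with -Role LicenseServer on the license server; it covers the Server 2003 settings only, not the W2K ones.
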