Setting up your first RDS CAL Licensing

Remote Desktop Services (RDS) is one of the server roles provided by Microsoft Windows Server. What makes RDS different from a usual remote desktop connection is the number of concurrent connections to the remote host. By default, Windows allows only two concurrent sessions for a user to access a remote server using RDP. If you require many users to connect to a remote server (aka a Remote Desktop Session Host (RDSH)), you will need to procure client access licenses (CALs). We'll see how to provision this setup and what it requires.

Requirements:

  1. Active Directory Domain
  2. RDLS (Remote Desktop Licensing Server)
  3. License(s)

In this blog, I assume that you already have an Active Directory domain. Let us go ahead and look at how to set up the RDLS.

Installation

The RDLS can be deployed on any member server in the Active Directory domain. It is not obligatory to put it on the RDSH farm. Before we start the installation, we need to add the member server that will hold the RDLS role to an AD domain group called "Terminal Server License Servers". This enables the RDLS server to issue RDS per-user CALs to users.

Step 1: Open Server Manager -> Add Roles and Features -> Server Roles and select "Remote Desktop Services" to start configuring the member server as the RDLS.

Step 2: Additionally, select the feature "Remote Desktop Licensing Diagnoser" as part of the installation, because only the Remote Desktop Licensing Manager console is installed by default. You can find it under Features -> Remote Server Administration Tools -> Role Administration Tools -> Remote Desktop Services Tools -> Remote Desktop Licensing Diagnoser Tools.

Step 3: Leave the "Features" at their defaults and click Next. Select "Remote Desktop Licensing" as the role service. Proceed to Confirmation and wait until the role is installed.
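
The same installation can be scripted. This is an added example, not part of the original post; the server name RDLS01 is a placeholder, and it assumes the ActiveDirectory RSAT module and rights to modify the group.

```powershell
# Added example: RDLS01 is a placeholder name (assumption), not a value from the post.
$LicenseServer = 'RDLS01'
$GroupName     = 'Terminal Server License Servers'   # AD group named in the post

# 1. Add the computer account of the future license server to the AD group.
Import-Module ActiveDirectory
$computer = Get-ADComputer -Identity $LicenseServer
Add-ADGroupMember -Identity $GroupName -Members $computer

# 2. Install the licensing role service, the Licensing Manager console and
#    the Licensing Diagnoser (the feature selected in Step 2 above).
$features = 'RDS-Licensing', 'RDS-Licensing-UI', 'RSAT-RDS-Licensing-Diagnosis-UI'
Install-WindowsFeature -ComputerName $LicenseServer -Name $features

# 3. Verify the install state of each feature.
Get-WindowsFeature -ComputerName $LicenseServer -Name $features |
    Format-Table Name, InstallState -AutoSize

# 4. Review group membership: only license servers should appear here.
#    Any user or unrelated computer account in this group is worth investigating.
Get-ADGroupMember -Identity $GroupName |
    Select-Object Name, objectClass, distinguishedName
```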

Configuration

Step 1: The RDLS must be activated before it can start issuing licenses to clients. To do so, open the Remote Desktop Licensing Manager from Tools in Server Manager, right-click the name of your server and select Activate Server.
The activation wizard will start. It is largely self-explanatory: you specify the connection method and details about you and your organization. Click Finish to complete the activation.

If you want to review and verify the activation status of the server, you can do so by right-clicking the server name in the console and selecting Review Configuration.

Installing RDS CALs on the member server

Step 1: After purchasing the license(s) by any available means, right-click your server in Remote Desktop Licensing Manager and select Install Licenses.

Step 3: Select the activation method (automatic, online or by phone) and the license program (in this case, it is Enterprise Agreement).

Step 4: Further steps of the wizard depend on the type of license program you have selected. In the case of an Enterprise Agreement, you must specify its number.

Step 5: Specify the product version (Windows Server 2019/2016), license type (RDS Per user CAL) and the number of licenses to be installed on the server.

The server is now ready to issue client license(s).

Configuring GPO

To apply the settings domain-wide when configuring RDLS parameters for RDSH session hosts via GPO, create a new GPO and link it to the OU containing the RDS servers (or specify the name of the RDS licensing server using the local Group Policy editor, gpedit.msc). The RD licensing settings are located in the following GPO section: Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Licensing

There are two RD policies that need to be configured:

  1. Use the specified Remote Desktop license servers: sets the address of the license server.
  2. Set the Remote Desktop licensing mode: selects the RDS CAL license type.
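
The two policies can also be set with the GroupPolicy module, which writes the registry values behind them. This is an added example, not part of the original post; the GPO name, OU path and license server FQDN are placeholders.

```powershell
# Added example. Placeholders (assumptions): GPO name, OU path, license server FQDN.
Import-Module GroupPolicy
$GpoName       = 'RDS - Licensing'
$RdshOu        = 'OU=RDS Servers,DC=corp,DC=example'
$LicenseServer = 'rdls01.corp.example'
$PolicyKey     = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Create the GPO and link it to the OU that holds the RDSH hosts.
New-GPO -Name $GpoName | New-GPLink -Target $RdshOu

# "Use the specified Remote Desktop license servers"
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey `
    -ValueName 'LicenseServers' -Type String -Value $LicenseServer

# "Set the Remote Desktop licensing mode": 2 = Per Device, 4 = Per User
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey `
    -ValueName 'LicensingMode' -Type DWord -Value 4

# Run on an RDSH host after "gpupdate /force" to confirm what the policy delivered.
function Get-RdshLicensingPolicy {
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $p = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    $mode = switch ($p.LicensingMode) {
        2       { 'Per Device' }
        4       { 'Per User' }
        default { 'Not set by policy' }
    }
    [pscustomobject]@{
        LicenseServers = $p.LicenseServers
        LicensingMode  = $mode
    }
}

Get-RdshLicensingPolicy
```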

RDSH hosts use the following ports to get RDS licenses from the licensing server; make sure that they are not blocked by firewalls (or Windows Defender Firewall):

  1. TCP/135: Microsoft RPC
  2. UDP/137: NetBIOS Datagram Service
  3. UDP/138: NetBIOS Name Resolution
  4. TCP/139: NetBIOS Session Service
  5. TCP/445: SMB
  6. TCP/49152–65535: RPC dynamic address range
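
A reachability check from an RDSH host, paired with a review of how widely the license server's inbound rules for these ports are scoped. This is an added example, not part of the original post; the server FQDN is a placeholder, and only the fixed TCP ports are probed (the UDP ports and the dynamic RPC range are not).

```powershell
# Added example. $LicenseServer is a placeholder (assumption), not a value from the post.
$LicenseServer = 'rdls01.corp.example'
$FixedTcpPorts = 135, 139, 445   # fixed TCP ports from the list above

# Run on an RDSH host: can it reach the license server on each fixed TCP port?
function Test-RdlsTcpPort {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int[]]$Ports = $FixedTcpPorts
    )
    foreach ($port in $Ports) {
        $r = Test-NetConnection -ComputerName $Server -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Server = $Server; TcpPort = $port; Reachable = $r.TcpTestSucceeded }
    }
}

# Run on the license server: list enabled inbound allow rules covering these ports
# together with their remote-address scope. "Any" means the port is open to every
# host that can route to the server, not only to the RDSH hosts.
function Get-RdlsInboundRuleScope {
    $wanted = '135', '139', '445', 'RPC', 'RPCEPMap'
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        if ($pf.Protocol -ne 'TCP') { return }
        if (-not (@($pf.LocalPort) | Where-Object { $wanted -contains $_ })) { return }
        $af = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            LocalPort     = @($pf.LocalPort) -join ','
            RemoteAddress = @($af.RemoteAddress) -join ','
        }
    }
}

Test-RdlsTcpPort -Server $LicenseServer | Format-Table -AutoSize
# Get-RdlsInboundRuleScope | Format-Table -AutoSize   # on the license server
```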

Extras

Confused about the type of license? Here is the pictorial representation.
Picture courtesy: newegg


