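Is it true that an RDS deployment on Windows 2012 R2 in a workgroup cannot use RDS User CALs and can only use purchased RDS Device CALs?
Problem description:
In a Windows 2012 R2 workgroup environment, RDS User CALs do not keep working. After about 120 days, clients can no longer connect and the following error message appears:
Is it true that an RDS deployment on Windows 2012 R2 in a workgroup cannot use RDS User CALs and can only use purchased RDS Device CALs?
Solution:
Answer: Yes. A standalone Windows 2012 R2 workgroup host that has not joined a domain can support the RDS remote services architecture only with purchased Per Device CALs.
(1) By design, RDS (Remote Desktop Services) relies on an AD domain to control users' remote access. Only after the host has joined a domain can Per User CALs be used to control remote logon access.
(2) A standalone Windows Server enforces Per Device CAL counting by default. During the 120-day grace period, users can log on remotely to the RDSH host without any CALs being registered. Once the grace period has passed, only purchased Per Device CALs make it possible to manage remote logon access to the host for an unlimited number of users.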
Per Device vs. Per User
Let’s start with some basics. RD Licensing is primarily deployed in one of two flavours; Per Device or Per User. Per Device is used to allocate a Client Access License (CAL) to each client device accessing an RD deployment, including VDI infrastructure. Per User licensing is used to allocate a CAL to each user connecting to an RD deployment (where an Active Directory infrastructure exists). A single RDSH can only accommodate one mode of licensing at a time.
One of the first and most significant decisions an IT admin is faced with when setting up a Remote Desktop infrastructure is which mode they should use. Keeping things simple; licenses cost money, so choosing the model that has the least financial impact will often answer this question for you. I.e. which is less; the number of users connecting to an RD deployment or the number of client devices? This becomes particularly relevant in situations where one user may log onto multiple client machines, or multiple users share a single client device for example.
That said, there are a number of distinctions between these two licensing modes that may also play a part in this decision process that System Administrators should also be aware of:
| Per Device | Per User |
| --- | --- |
| CALs are physically assigned to each client device, marked within the registry | CALs are assigned to a user’s properties within Active Directory (where a Server 2008 AD infrastructure exists) |
| CALs are tracked and enforced | CALs can be tracked but not strictly enforced |
| CALs can be tracked regardless of AD membership | CALs cannot be tracked within a workgroup |
| Up to 20% of CALs can be revoked on demand | CALs cannot be revoked |
| Temporary CALs assigned on first logon are valid for 90 days | Temporary CALs are not assigned |
| Full CALs remain valid for 52-89 days at random | CALs are valid for 60 days before renewal |
| CALs cannot be over allocated | CALs can be over allocated (in breach of the End User License Agreement) |
| An offline License Server issuing Per Device CALs can (under specific conditions) prevent users logging into an RD deployment | An offline License Server issuing Per User CALs will not prevent users from logging on |
Notice the last entry in the above table; this is often overlooked within large mission critical production environments with only one active License Server, presenting itself as a single point of failure (addressed later).
One of the biggest differences between Per Device and Per User licensing lies around tracking and enforcement. Whilst both modes can be tracked to provide CAL reporting, only Per Device is strictly enforced. This is to say that even if a Per User CAL isn’t available, a user won’t be prevented from connecting and you will see an error reported within Event Viewer (typically Event ID 21). Be aware however that running in Per User mode with more connections than installed CALs is in breach of the End User License Agreement (EULA), to which all customers are legally bound.
A feature often overlooked within RD Licensing is the ability to revoke on demand up to 20% of your Per Device CALs within RD Licensing Manager. This can be useful if a full CAL has been assigned to a device that has since been decommissioned, and you want to reallocate this to a new client prior to the 52-89 day automatic expiry. Where Per User licensing is not strictly enforced, this functionality is only available for Per Device CALs.
Grace periods
Once the RD License Server role is installed, administrators have 120 days to activate the license server with the Clearing House. During this time, users can connect to RDSH servers without any CALs being assigned. Contrary to popular belief, the RDSH servers themselves do not have any grace period; only the RD License Servers. Furthermore; if using Per Device mode, only after a second successful logon will a full CAL actually be assigned (preventing DoS attacks).
Temporary CALs that are initially assigned from an unlimited pool are valid for 90 days (per Device only). As such – it is possible for users to legally connect to an RDSH server without any CAL for up to a maximum of 210 days after the RD Licensing role has been installed.
Troubleshooting tips
RD Licensing has historically proven a pain point for many customers, and yet whilst the deprecation of CAL forwarding has simplified things greatly, having a deeper understanding of the mechanics at work is never a bad thing. Usually a license server outage may not have an appreciable impact on end users (especially if Per User); but there are certain situations that may lead to denied connections; specifically when using Per Device CALs that require renewal or upgrade.
If an RD Licensing Server issuing Per Device CALs does go down and there is no immediate backup; the quickest way to prevent any denied connections is to temporarily switch the licensing mode on each RDSH server to Per User. As this mode of licensing is not strictly enforced, users will never be denied a connection. Whilst this restricts administrators from accurate CAL tracking, it may provide some needed breathing space to address the underlying issue. The administrator needs to ensure that there are enough CALs installed to cover all users connecting into the environment in order to be in compliance with the EULA.
For issues with Per Device CAL distribution when the RD License Servers are online and operational, the most efficient course of action will normally be to delete the MSLicensing registry entry (after backing up) from any affected client devices, which is located under HKLM\SOFTWARE\Microsoft\MSLicensing. Two successful subsequent logons to an RDSH server should recreate and populate this hive on the client device with a new CAL; which can be verified within RD Licensing Manager.
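The backup-then-delete step from the tip above, as an added PowerShell example (not code from the referenced article). The function name `Reset-RdClientLicenseStore` and the default backup directory are assumptions made for illustration; only the registry path comes from the text.

```powershell
# Added example: back up, then remove, the client-side MSLicensing key.
# Run in an elevated session on the affected client device.
function Reset-RdClientLicenseStore {              # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Assumed backup location; any writable directory works.
        [string]$BackupDir = "$env:ProgramData\MSLicensingBackup"
    )

    $regPath = 'HKLM\SOFTWARE\Microsoft\MSLicensing'    # path given in the article
    $psPath  = 'HKLM:\SOFTWARE\Microsoft\MSLicensing'

    # Writing under HKLM needs administrator rights; fail early if missing.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run from an elevated session: changes under HKLM need administrator rights.'
    }

    if (-not (Test-Path -LiteralPath $psPath)) {
        Write-Verbose 'MSLicensing key not present; nothing to reset.'
        return $null
    }

    # The backup is always written, even under -WhatIf.
    New-Item -ItemType Directory -Path $BackupDir -Force -WhatIf:$false -Confirm:$false | Out-Null
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupDir "MSLicensing-$env:COMPUTERNAME-$stamp.reg"

    # Export first and refuse to delete anything if the export failed.
    & reg.exe export $regPath $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $backup)) {
        throw "Backup of $regPath failed (reg.exe exit code $LASTEXITCODE); key left untouched."
    }

    if ($PSCmdlet.ShouldProcess($regPath, 'Remove client license store')) {
        Remove-Item -LiteralPath $psPath -Recurse -Force
    }

    return $backup    # restore with: reg.exe import <returned file>
}
```

Calling the function with `-WhatIf` writes the backup file and reports the removal without performing it.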
References:
Remote Desktop Licensing Demystified
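On a standalone Windows Server 2012 workgroup host, the RDS Licensing service can only enable Per Device CAL licensing. Standalone workgroup mode does not support Per User CAL licensing. See the following Microsoft forum threads and knowledge base articles.
References: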
RDS Licenses – Why 0 available?
Managing server 2012 RDS in a workgroup
References:
Best practices for setting up Remote Desktop Licensing (Terminal Server Licensing) across Active Directory Domains/Forests or Workgroup
RD Licensing Configuration on Windows Server 2012