The terminal server cannot locate the license server

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The process of locating a license server is called license server discovery. If you open Terminal Server Licensing and are prompted for the name of the license server, license server discovery is not working.

Solution

  1. Review configuration requirements and considerations for implementing Terminal Server Licensing in different environments.

  2. Verify that the client, the terminal server, and the license server can communicate.

  3. Set a preferred license server.

  4. Attempt again to verify whether the terminal server can discover the license server.

If the terminal server still cannot discover the license server, then perform the following steps.

  1. Verify RDP-tcp connection settings.

  2. Verify the license server role.

  3. Verify that the Remote Registry service is started on the license server and that the startup type is set to Automatic.

  4. Verify permissions on the Domain Controllers organizational unit.

  5. Verify the value of the RestrictAnonymous registry key.

  6. Verify that the administrative shares are shared on the license server.

  7. Verify that File and Printer Sharing is bound to the network adapter and that the internal network adapter is at the top of the binding order.

  8. Verify that the Terminal Server Licensing service is started on the license server and that the startup type is set to Automatic.

  9. Verify that Terminal Server Licensing is correctly installed on the license server.

  10. Verify that the license server is activated.

  11. Remove the MSLicensing registry key on the client and verify permissions on the rebuilt key.

Review Configuration Requirements and Considerations for Implementing Terminal Server Licensing in Different Environments

To ensure that license server discovery works as expected, you must configure the terminal servers and license servers correctly. Keep in mind that configuration requirements vary by environment. For information about environment-specific configuration requirements and considerations, see Understanding Troubleshooting Considerations for Specific Terminal Server Licensing Environments.

Verify that the Client, the Terminal Server, and the License Server Can Communicate

If the terminal server and license server are installed on separate computers, ensure that there is no firewall on either server or between them that blocks the necessary ports. Terminal Server Licensing uses Remote Procedure Call (RPC) over port 135 and a dynamically assigned port above 1024. To enhance security, you can control which ports RPC is using so that your firewall router can be configured to forward traffic only to these Transmission Control Protocol (TCP) ports. For information, see How to configure RPC dynamic port allocation to work with firewalls (https://go.microsoft.com/fwlink/?LinkId=48218) on the Microsoft Web site.

Additionally, to ensure that clients can establish remote connections to terminal servers, verify that TCP port 3389 is open and listening on the terminal server and on the client. To do this, you can use commands such as Telnet (https://go.microsoft.com/fwlink/?LinkID=48891), Netstat (https://go.microsoft.com/fwlink/?LinkID=48892), or Portqry.

To verify that the client, the terminal server, and the license server can communicate

  1. At the command prompt, run the ping command from each computer to each computer by using:

    • Fully qualified domain name (for example, Server1.contoso.com)

    • NetBIOS name (Server1)

    • The IP address (for example, 206.73.118.1)

  2. If any of the ping commands fails, verify the DNS configuration on the network.
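The checks above can be collected in one pass. The following is an added example, not part of the original article: it assumes Windows PowerShell 2.0 or later is installed on the computer you run it from, and the terminal server names and the 192.0.2.10 address are hypothetical placeholders (Server1 and 206.73.118.1 are the article's own sample values).

```powershell
# Added example: resolve, ping, and port-test each server under all three
# name forms (FQDN, NetBIOS name, IP address).
$servers = @(
    # License server: RPC endpoint mapper on TCP 135 (article's sample names).
    @{ Role = 'License server';  Port = 135;
       Names = 'Server1.contoso.com', 'Server1', '206.73.118.1' },
    # Terminal server: RDP on TCP 3389 (hypothetical placeholder names).
    @{ Role = 'Terminal server'; Port = 3389;
       Names = 'TS1.contoso.com', 'TS1', '192.0.2.10' }
)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a filtered port fails after the timeout
        # instead of blocking for the full TCP retry period.
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false          # refused, unreachable, or name not resolved
    } finally {
        $client.Close()
    }
}

function Test-Endpoint {
    param([string]$Role, [string]$Target, [int]$Port)
    $addresses = 'RESOLUTION FAILED'
    try {
        $addresses = ([System.Net.Dns]::GetHostAddresses($Target) |
            ForEach-Object { $_.IPAddressToString }) -join ', '
    } catch { }                # keep the failure marker set above
    New-Object PSObject -Property @{
        Role       = $Role
        Target     = $Target
        ResolvesTo = $addresses
        Ping       = [bool](Test-Connection -ComputerName $Target -Count 1 -Quiet)
        Port       = $Port
        PortOpen   = Test-TcpPort -HostName $Target -Port $Port
    }
}

$results = foreach ($s in $servers) {
    foreach ($n in $s.Names) {
        Test-Endpoint -Role $s.Role -Target $n -Port $s.Port
    }
}
$results | Select-Object Role, Target, ResolvesTo, Ping, Port, PortOpen |
    Format-Table -AutoSize
```

A name form that fails to resolve while the IP address row succeeds points at DNS or NetBIOS name resolution rather than the firewall. The dynamically assigned RPC port above 1024 is not covered by this check.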

Set a Preferred Licensing Server

By default, terminal servers communicate with license servers in the same domain. This behavior might force them to use wide area network (WAN) connections to find a license server, even if there is a license server from another domain located within the same site. By explicitly specifying a license server, you enable the crossing of domains for license tracking and accounting purposes. For information about how to do this, see Set a preferred license server.

Verify Whether the Terminal Server Can Discover the License Server

To verify whether the terminal server can discover the license server, you can use Terminal Server Licensing, as described in the following procedures.

  • Using Terminal Server Licensing (on Windows Server 2003)

  • Using Terminal Server Licensing (on Windows 2000)

Using Terminal Server Licensing (on Windows Server 2003)

To connect to a license server, a terminal server must have the Access this computer from the network logon right for the target license server. Additionally, if the License Server Security Group setting in Group Policy is enabled, the terminal server computer account must be a member of this group. Enabling this Group Policy setting and applying it to your license server creates a local group called Terminal Server Computers. The license server issues licenses only to the terminal servers in this group. You must add the terminal servers for which you need to provide licenses to this group for each license server.

To verify whether the terminal server can discover the license server (on Windows Server 2003)

  1. Open Terminal Server Licensing. To open Terminal Server Licensing, click Start, click Control Panel, double-click Administrative Tools, and then double-click Terminal Server Licensing.

    When Terminal Server Licensing opens, it discovers all license servers in your workgroup or domain (and searches Active Directory for Enterprise License Servers) and it displays the names of those servers in the console tree. If no license servers are automatically displayed in the console tree, you are prompted to specify the name of a server as noted in the following steps.

  2. On the Action menu, click Connect.

  3. In Server, type the name of the license server to which you want to connect, and then click OK.

Using Terminal Server Licensing (on Windows 2000)

In addition to supporting clients that run Windows Server 2003, Windows 2000, and Windows XP Professional, Windows 2000 Terminal Server supports clients running the following platforms: Windows XP Home Edition, Windows XP Embedded Edition, Windows Millennium Edition, Windows 98, Windows 95, Windows NT 4.0, Windows-based Terminal devices, and Macintosh. These clients must have Terminal Server CALs available to connect to a Windows 2000 terminal server.

If you have clients running Windows 2000 or Windows XP Professional, the license server issues a "free" Terminal Services CAL from its built-in pool to enable these clients to access the Windows 2000 terminal server. The use of this license is permitted under the Windows 2000 Server EULA. To issue these licenses, however, the license server must first be activated.

For Windows Server 2003 terminal servers, there is no built-in pool of free licenses. You must install the appropriate number of CALs on the license server to enable all clients to connect to these terminal servers.

To verify whether the terminal server can discover the license server (on Windows 2000)

  1. Open Terminal Server Licensing. To open Terminal Server Licensing, click Start, point to Programs, point to Administrative Tools, and then click Terminal Services Licensing.

  2. Navigate to All Servers, and then click the name of the terminal server to which you want to connect.

    A list of installed CALs appears in the details pane. Verify that Windows 2000 Terminal Services Client Access License appears in the list.

  3. If it does not appear, purchase and install the appropriate number of CALs to support your clients.

Verify RDP-tcp Connection Settings

Use Group Policy or Terminal Services Configuration to verify that RDP-tcp connection settings are configured as follows:

  • The RDP-tcp connection is enabled.

  • The Maximum connections setting on the Network Adapter tab of the RDP-tcp Properties dialog box is set to Unlimited.

  • Verify whether the encryption level being used for the RDP-tcp connection is set to High. If the encryption level is set to High, keep in mind that this level encrypts data sent from client to server and from server to client by using strong 128-bit encryption. Clients that do not support this level of encryption cannot connect to a terminal server.

  • Verify that the user attempting to log on to the terminal server over the RDP-tcp connection has the appropriate rights and permissions. Users must either be members of the Remote Desktop Users group, or you must assign the equivalent rights and permissions manually (users must have the Allow log on through Terminal Services (https://go.microsoft.com/fwlink/?LinkID=48894) right and User Access permissions). For more information, see Enabling users to connect remotely to the server (https://go.microsoft.com/fwlink/?LinkID=48887). If users are running the Citrix ICA client, they must have the appropriate permissions for the ICA-TCP connection.

For instructions on how to verify and modify RDP-tcp connection settings, see Configure Terminal Services Connections (https://go.microsoft.com/fwlink/?LinkId=48219).

Verify the License Server Role

Caution   Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

To verify the license server role

  1. On the license server, open Registry Editor. To open Registry Editor, click Start, click Run, type regedit, and then click OK.

  2. Locate, and then click, the following key in the registry:

    HKLM\System\CurrentControlSet\Services\TermServLicensing\Parameters\Role

    Where

    0 = Domain license server

    1 = Enterprise license server

Verify that the Remote Registry Service is Started on the License Server and that the Startup Type is Set to Automatic

  • You must be logged on as an administrator or a member of the Administrators group in order to complete this procedure. If your computer is connected to a network, network policy settings might also prevent you from completing this procedure.

If you enable or disable a service and you encounter a problem starting the computer, you might be able to start the computer in Safe Mode. Then you can change the service configuration or restore the default configuration.

Important   If you stop, start, or restart a service, any dependent services are also affected.

To verify that the Remote Registry service is enabled on the license server and that the startup type is set to Automatic

  1. On the license server, open Services. To open Services, click Start, click Control Panel, click Performance and Maintenance, click Administrative Tools, and then double-click Services.

  2. In the list of services, right-click Remote Registry, and then click Properties.

  3. On the General tab, verify that the service status is Started and that the startup type is Automatic.

  4. If the status is not Started, click Start to start the service. If the startup type is not Automatic, click Automatic to ensure that the service will restart when the license server is restarted.

Verify Permissions on the Domain Controllers OU

For license server discovery to work in a Windows Server 2003 domain with Windows 2000 terminal servers and Windows 2000 license servers, the following permissions must exist on the Domain Controllers OU.

  • System = Full Control

  • Authenticated Users = Read

  • To perform this procedure, you must be a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as (https://go.microsoft.com/fwlink/?LinkID=48886) to perform this procedure.

To verify permissions on the Domain Controllers OU

  1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

  2. On the View menu, select Advanced Features.

  3. Right-click the Domain Controllers OU, and then click Properties.

  4. On the Security tab, click Advanced to view the permission entries that exist for the object.

  5. In the list, click Authenticated Users.

  6. In the Permissions box, make sure that the Allow check box is selected for Read.

  7. In the list, click System.

  8. In the Permissions box, make sure that the Allow check box is selected for Full Control.

Verify the Value of the RestrictAnonymous Registry Key

If you are using Windows 2000 servers, verify that the RestrictAnonymous registry key value on the license server is set to 0 or 1. In this scenario, if this registry key value is set to 2, then the license server cannot issue CALs. When the RestrictAnonymous registry value is set to 2, the access token built for non-authenticated users does not include the Everyone group, and because of this, the access token no longer has access to resources that grant permissions to the Everyone group.

Warning

Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

To verify the value of the RestrictAnonymous registry key

  1. On the license server, open Registry Editor. To open Registry Editor, click Start, click Run, type regedit, and then click OK.

  2. Locate, and then click, the following key in the registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous

  3. Verify the value of the RestrictAnonymous registry key.

    The three valid registry key values for RestrictAnonymous are equivalent to the following security settings in Local Security Policy:

    0 = None (rely on default permissions)

    1 = Do not allow enumeration of SAM accounts and shares

    2 = No access without explicit anonymous permissions

    If the license server is a member of an Active Directory domain and a conflicting security setting is configured for the license server in Group Policy, the Group Policy setting overrides the local security setting.

  4. If the value of the registry key is set to 2, then set it to 1 or 0.

    Also, verify that the equivalent value (No access without explicit anonymous permissions) is not enabled by Group Policy. To do this, open Local Security Policy, navigate to Security Settings\Local Policies\Security Options\Additional restrictions for anonymous connections, and then verify whether No access without explicit anonymous permissions is enabled. If it is, disable it. To open Local Security Policy, click Start, point to Settings, click Control Panel, click Administrative Tools, and then click Local Security Policy.

  5. Restart the server.

    In Windows Server 2003, if you need to prohibit anonymous users from being granted the same access that is granted to members of the Everyone group, use the new Network access: Let Everyone permissions apply to anonymous users setting in Local Security Policy.

Verify that the Administrative Shares are Shared on the License Server

To verify that the administrative shares are shared on the license server

  1. At the command prompt, type net share, and then press ENTER.

  2. Verify that the default shares, such as C$, Admin$, and IPC$, are returned.

    If you perform this procedure and the default administrative shares are not returned, verify that the Server service is started, that File and Print Sharing is enabled, and that the license server does not have a virus. Also, see HOW TO: Restore Administrative Shares That Have Been Deleted (https://go.microsoft.com/fwlink/?LinkId=48223) on the Microsoft Web site.
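The license server checks described so far (server role, Remote Registry service, RestrictAnonymous value, and administrative shares), plus the Terminal Server Licensing service state, can be read in one script. This is an added example, not part of the original article: it assumes Windows PowerShell 2.0 or later on the license server and an administrator session, and it takes the service name TermServLicensing from the registry path shown above.

```powershell
# Added example: read-only audit, run locally on the license server.
function New-Finding {
    param([string]$Check, $Value, [bool]$Pass)
    New-Object PSObject -Property @{ Check = $Check; Value = $Value; Pass = $Pass }
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }   # $null when the value is absent
}

$findings = @()

# License server role: 0 = domain license server, 1 = enterprise license server.
$role = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\TermServLicensing\Parameters' 'Role'
$findings += New-Finding 'License server role (0 = domain, 1 = enterprise)' `
    $role ($role -eq 0 -or $role -eq 1)

# RestrictAnonymous: a value of 2 stops a Windows 2000 license server from
# issuing CALs. An absent value is treated as the default (0).
$ra = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RestrictAnonymous'
$findings += New-Finding 'RestrictAnonymous (must not be 2)' $ra ($ra -ne 2)

# Both services should be started with startup type Automatic.
foreach ($name in 'RemoteRegistry', 'TermServLicensing') {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    $state = if ($svc) { "$($svc.State)/$($svc.StartMode)" } else { 'not installed' }
    $findings += New-Finding "Service $name (want Running/Auto)" `
        $state ($state -eq 'Running/Auto')
}

# Default administrative shares named in the article (same data as net share).
$shares  = @(Get-WmiObject Win32_Share | ForEach-Object { $_.Name })
$missing = @('C$', 'ADMIN$', 'IPC$' | Where-Object { $shares -notcontains $_ })
$findings += New-Finding 'Default administrative shares' `
    ('missing: ' + ($missing -join ', ')) ($missing.Count -eq 0)

$findings | Select-Object Check, Value, Pass | Format-Table -AutoSize -Wrap
```

The registry values read here are the local ones; a conflicting Group Policy setting overrides them, so confirm the effective policy as described in the RestrictAnonymous procedure.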

Verify that File and Printer Sharing is Bound to the Network Adapter and that the Internal Network Adapter is at the Top of the Binding Order

To verify that File and Printer Sharing is bound to the internal network adapter and that the internal network adapter is at the top of the binding order

  1. Open Network and Dial-up Connections. To open Network and Dial-up Connections, click Start, point to Settings, and then click Network and Dial-up Connections.

  2. Click the connection that you want to verify, and on the Advanced menu, click Advanced Settings.

  3. On the Adapters and Bindings tab, in Bindings for AdapterName, verify that the File and Printer Sharing check box is selected. If the check box is not selected, select it.

    To modify the protocol bindings order, you must be logged on as a member of the Administrators group.

  4. Also in Bindings for AdapterName, verify that the internal adapter is at the top of the list. If it is not at the top of the list, click the up and down arrows to move the internal adapter to the top of the list.

Verify that the Terminal Server Licensing Service is Started and that the Startup Type is Set to Automatic

For step-by-step instructions, see Verify that the Terminal Server Licensing service is started and the startup type is set to Automatic.

Verify that Terminal Server Licensing is Correctly Installed on the License Server

For step-by-step instructions, see Verify that Terminal Server Licensing is correctly installed on the license server.

Verify that the License Server is Activated

A license server that has been installed but not activated only issues temporary licenses. These temporary licenses allow clients to connect to the terminal server for 90 days.

To verify that a license server is activated

  1. Open Terminal Server Licensing.

  2. In the console tree, click the license server for which you want to verify the activation status.

  3. In the details pane, verify that activation status is Activated.

  4. If the status is Not Activated, right-click the server name, click Activate Server, and then follow the instructions in the wizard.

Remove the MSLicensing Registry Key on the Client and Verify Permissions on the Rebuilt Key

If all of the previous troubleshooting procedures fail, create a backup of the MSLicensing registry key and its subkeys on the client, and then remove the original key and subkeys.

Warning

Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

To remove the MSLicensing registry key on the client and verify permissions on the rebuilt key

  1. On the client, open Registry Editor. To open Registry Editor, click Start, click Run, type regedit, and then click OK.

  2. Locate, and then click, the following key in the registry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing

  3. On the Registry menu, click Export Registry File.

  4. In the File name box, type mslicensingbackup, and then click Save.

  5. If you need to restore this registry key in the future, double-click mslicensingbackup.reg.

  6. On the Edit menu, click Delete, and then click Yes to confirm the deletion of the MSLicensing registry subkey.

  7. Close Registry Editor, and then restart the computer (when the client is restarted, the missing registry key is rebuilt).

  8. On the client, open Registry Editor.

  9. Locate, and then click, the following key in the registry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing

  10. On the Edit menu, click Permissions. Users must have at least Read permissions.