|
1 | 1 | --- |
2 | | -title: The system cannot determine if the license server is member of TSLS Group on AD DS |
| 2 | +title: System Cannot Determine If the License Server Is Member of TSLS Group on AD DS |
3 | 3 | description: Troubleshoot an error when you review the configuration of a Remote Desktop Services (RDS) license server. |
4 | | -ms.date: 02/10/2025 |
| 4 | +ms.date: 02/13/2025 |
5 | 5 | manager: dcscontentpm |
6 | 6 | audience: itpro |
7 | 7 | ms.topic: troubleshooting |
8 | 8 | ms.reviewer: kaushika, v-lianna |
9 | 9 | ms.custom: sap:Remote Desktop Services and Terminal Services\Licensing for Remote Desktop Services (Terminal Services), csstroubleshoot |
10 | 10 | --- |
11 | | -# The system cannot determine if the license server is member of TSLS Group on Active Directory Domain Services (AD DS) because the AD DS cannot be contacted |
| 11 | +# The system cannot determine if the license server is member of TSLS Group on Active Directory Domain Services (AD DS) |
12 | 12 |
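Review bot: The new front-matter `title` on line 2 is in title case while the H1 on new line 11 stays in sentence case, so the page now carries two casings of the same string. Pick one convention for both. The H1 also drops "because the AD DS cannot be contacted", so it no longer matches the full error text quoted on line 17; if readers are expected to search on the exact message, keep the full string in the `description` or the heading.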
|
13 | | -This article helps troubleshoot an error when you review the configuration of a Remote Desktop Services (RDS) license server. |
| 13 | +This article helps troubleshoot an error that occurs when you review the configuration of a Remote Desktop Services (RDS) license server. |
14 | 14 |
|
15 | | -You have a domain-joined server running the Remote Desktop license server role. When you review the configuration status from the Remote Desktop Licensing Manager console, you receive the following error message on the configuration window: |
| 15 | +You have a domain-joined server running the Remote Desktop license server role. When you review the configuration status from the Remote Desktop Licensing Manager console, you receive the following error message in the configuration window: |
16 | 16 |
|
17 | 17 | > The system cannot determine if the license server is member of TSLS Group on Active Directory Domain Services (AD DS) because the AD DS cannot be contacted. |
18 | 18 |
|
19 | 19 | Here are some possible causes: |
20 | 20 |
|
21 | | -- The Remote Desktop license server can't contact any domain controller in the network. |
| 21 | +- The Remote Desktop license server can't contact any domain controller (DC) in the network. |
22 | 22 | - The Remote Desktop license server isn't a member of the Terminal Server License Servers (TSLS) domain group. |
23 | | -- Security restrictions are enforced on domain controllers to restrict remote calls to Security Account Manager (SAM). |
| 23 | +- Security restrictions are enforced on DCs to restrict remote calls to the Security Account Manager (SAM). |
24 | 24 |
|
25 | 25 | Follow these steps to troubleshoot the error while verifying if the Remote Desktop license server is part of the TSLS domain group. |
26 | 26 |
|
27 | 27 | ## Step 1: Verify domain connectivity |
28 | 28 |
|
29 | | -If the server is part of the TSLS domain group, verify that the license server can reach a valid domain controller in your domain. |
| 29 | +If the server is part of the TSLS domain group, verify that the license server can reach a valid DC in your domain. |
30 | 30 |
|
31 | | -When domain connectivity is lost, you might notice other symptoms such as Group Policy update failures, logon failures, or a loss of trust relationship with the domain controller. |
| 31 | +When domain connectivity is lost, you might notice other symptoms, such as Group Policy update failures, logon failures, or a loss of trust relationship with the DC. |
32 | 32 |
|
33 | 33 | If you notice these symptoms, work with your system administrator to resolve the connectivity issue. |
34 | 34 |
|
35 | 35 | ## Step 2: Check group membership |
36 | 36 |
|
37 | 37 | Review the members of the **Terminal Server License Servers** group by using the following steps: |
38 | 38 |
|
39 | | -1. On a domain controller, open the **Active Directory Users and Computers** console. |
| 39 | +1. On a DC, open the **Active Directory Users and Computers** console. |
40 | 40 | 2. Select the **Builtin** container, and then open the **Terminal Server License Servers** group in the right pane. |
41 | 41 | 3. Select **Members**, and then verify that the license server computer object is listed. |
42 | 42 |
|
43 | 43 | ## Step 3: Review security restrictions |
44 | 44 |
|
45 | | -If you have confirmed that the connectivity is well established with a domain controller in your network, and the issue still persists, you might have security restrictions enforced on your domain controller. These restrictions control which users can enumerate users and groups in Active Directory (AD). |
| 45 | +If you have confirmed that the connectivity is well established with a DC in your network and the issue persists, you might have security restrictions enforced on your DC. These restrictions control which users can enumerate users and groups in Active Directory (AD). |
46 | 46 |
|
47 | | -In this case, you're encountering security restrictions that were introduced in Windows Server 2016 and later added to all other Windows operating systems through an update. These restrictions limit the client's ability to make remote SAM calls to the local SAM database and Active Directory. |
| 47 | +In this case, you're encountering security restrictions that were introduced in Windows Server 2016 and later added to all other Windows operating systems through an update. These restrictions limit the client's ability to make remote SAM calls to the local SAM database and AD. |
48 | 48 |
|
49 | 49 | For more information about this security setting, see the [Network access: Restrict clients allowed to make remote calls to SAM](/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls) security policy setting. |
50 | 50 |
|
51 | | -This policy, when enabled, affects the license server verification of its membership in the TSLS domain group, if the license server isn't part of the allowed users to make remote calls to AD. |
| 51 | +This policy, when enabled, affects the verification of the license server's membership in the TSLS domain group if the license server isn't among the users allowed to make remote calls to AD. |
52 | 52 |
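Review bot: On new line 51, "among the users allowed to make remote calls to AD" describes the license server as a user, but the fix on line 74 adds the license server computer account to the list of allowed accounts. Suggest "isn't among the accounts allowed to make remote calls to SAM", which also matches the policy name used everywhere else in the article.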
|
53 | 53 | By default, the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting isn't defined. If you define it, you can edit the default Security Descriptor Definition Language (SDDL) string to explicitly allow or deny users and groups to make remote calls to SAM. |
54 | 54 |
|
55 | 55 | If the policy setting is left blank after being defined, the policy isn't enforced. |
56 | 56 |
|
57 | 57 | To verify if you're encountering these restrictions, check one of the following points: |
58 | 58 |
|
59 | | -- On the logon domain controller (DC) for the Remote Desktop License Server, check if the following registry key is present: |
| 59 | +- On the logon DC for the Remote Desktop license server, check if the following registry key is present: |
60 | 60 |
|
61 | 61 | `HKLM\System\CurrentControlSet\Control\Lsa\RestrictRemoteSAM` |
62 | 62 |
|
63 | | - If this key is present, which means the DC is configured with the SAM restrictions policy. |
| 63 | + If this key is present, it means the DC is configured with the SAM restriction policy. |
64 | 64 |
|
65 | | -- Check if the following Group Policy Object is present and applied on the DC: |
| 65 | +- Check if the following Group Policy Object is present and applied to the DC: |
66 | 66 |
|
67 | 67 | **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** > **Network access: Restrict clients allowed to make remote calls to SAM** |
68 | 68 |
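Review bot: New line 63 says that the presence of the entry means the DC is configured with the SAM restriction policy, but line 55 states that a setting left blank after being defined isn't enforced, so presence alone doesn't show that remote SAM calls are being restricted. Suggest telling the reader to confirm that the entry holds a non-empty SDDL string. Lines 59 and 63 also call `RestrictRemoteSAM` a registry key; it is a value under the `Lsa` key, so "registry value" would be more accurate.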
|
69 | 69 | > [!NOTE] |
70 | | -> This behavior is expected when restricting SAM calls to the DC. However, it has no effect on the RDS Licensing functionality in terms of issuing client access licenses (CALs) and maintaining connectivity with its peers in the RDS farm. |
| 70 | +> This behavior is expected when SAM calls are restricted to the DC. However, it doesn't affect the RDS Licensing functionality in terms of issuing client access licenses (CALs) and maintaining connectivity with its peers in the RDS farm. |
71 | 71 |
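Review bot: On new line 70, "when SAM calls are restricted to the DC" can be read as SAM calls being limited to the DC only, whereas the old wording meant restricting the SAM calls that are made to the DC. Suggest "when remote SAM calls to the DC are restricted" to keep the passive voice without the ambiguity.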
|
72 | | -To verify if the Remote Desktop license server is affected by this policy, see [related events](/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls#related-events) on the domain controller. |
| 72 | +To verify if the Remote Desktop license server is affected by this policy, see the [related events](/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls#related-events) on the DC. |
73 | 73 |
|
74 | | -To allow the Remote Desktop license server to make remote SAM calls to Active Directory, use Group Policy to add the Remote Desktop license server computer account to the list of allowed accounts under this policy: **Network access: Restrict clients allowed to make remote calls to SAM**. |
| 74 | +To allow the Remote Desktop license server to make remote SAM calls to AD, use Group Policy to add the Remote Desktop license server computer account to the list of allowed accounts under this policy: **Network access: Restrict clients allowed to make remote calls to SAM**. |
75 | 75 |
|
76 | 76 | > [!NOTE] |
77 | | -> Restarts aren't required to enable, disable, or modify the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting, including audit only mode. Changes become effective without a device restart when they're saved locally or distributed through Group Policy. |
| 77 | +> Restarts aren't required to enable, disable, or modify the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting, including audit-only mode. Changes become effective without a device restart when they're saved locally or distributed through Group Policy. |
78 | 78 |
|
79 | 79 | ## Contact Microsoft Support |
80 | 80 |
|
|