|
| 1 | +--- |
| 2 | +title: The system cannot determine if the license server is member of TSLS Group on AD DS |
| 3 | +description: Troubleshoot an error when you review the configuration of a Remote Desktop Services (RDS) license server. |
| 4 | +ms.date: 02/10/2025 |
| 5 | +manager: dcscontentpm |
| 6 | +audience: itpro |
| 7 | +ms.topic: troubleshooting |
| 8 | +ms.reviewer: kaushika |
| 9 | +ms.custom: sap:Remote Desktop Services and Terminal Services\Licensing for Remote Desktop Services (Terminal Services), csstroubleshoot |
| 10 | +--- |
| 11 | +# The system cannot determine if the license server is member of TSLS Group on Active Directory Domain Services (AD DS) because the AD DS cannot be contacted |
| 12 | + |
| 13 | +This article helps troubleshoot an error when you review the configuration of a Remote Desktop Services (RDS) license server. |
| 14 | + |
| 15 | +You have a domain-joined server running the Remote Desktop license server role. When you review the configuration status from the Remote Desktop Licensing Manager console, you receive the following error message on the configuration window: |
| 16 | + |
| 17 | +> The system cannot determine if the license server is member of TSLS Group on Active Directory Domain Services (AD DS) because the AD DS cannot be contacted. |
| 18 | +
|
| 19 | +Here are some possible causes: |
| 20 | + |
| 21 | +- The Remote Desktop license server can't contact any domain controller in the network. |
| 22 | +- The Remote Desktop license server isn't a member of the Terminal Server License Servers (TSLS) domain group. |
| 23 | +- Security restrictions are enforced on domain controllers to restrict remote calls to Security Account Manager (SAM). |
| 24 | + |
| 25 | +Follow these steps to troubleshoot the error while verifying if the Remote Desktop license server is part of the TSLS domain group. |
| 26 | + |
| 27 | +## Step 1: Verify domain connectivity |
| 28 | + |
| 29 | +If the server is part of the TSLS domain group, verify that the license server can reach a valid domain controller in your domain. |
| 30 | + |
| 31 | +When domain connectivity is lost, you might notice other symptoms such as Group Policy update failures, logon failures, or a loss of trust relationship with the domain controller. |
| 32 | + |
| 33 | +If you notice these symptoms, work with your system administrator to resolve the connectivity issue. |
| 34 | + |
| 35 | +## Step 2: Check group membership |
| 36 | + |
| 37 | +Review the members of the **Terminal Server License Servers** group by using the following steps: |
| 38 | + |
| 39 | +1. On a domain controller, open the **Active Directory Users and Computers** console. |
| 40 | +2. Select the **Builtin** container, and then open the **Terminal Server License Servers** group in the right pane. |
| 41 | +3. Select **Members**, and then verify that the license server computer object is listed. |
| 42 | + |
| 43 | +## Step 3: Review security restrictions |
| 44 | + |
| 45 | +If you have confirmed that the connectivity is well established with a domain controller in your network, and the issue still persists, you might have security restrictions enforced on your domain controller. These restrictions control which users can enumerate users and groups in Active Directory (AD). |
| 46 | + |
| 47 | +In this case, you're encountering security restrictions that were introduced in Windows Server 2016 and subsequently added to all other Windows operating systems through an update. These restrictions limit the client's ability to make remote SAM calls to the local SAM database and Active Directory. |
| 48 | + |
| 49 | +For more information about this security settings, see the [Network access: Restrict clients allowed to make remote calls to SAM](/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls) security policy setting. |
| 50 | + |
| 51 | +This policy, when enabled, affects the license server verification of its membership in the TSLS domain group, if the license server isn't part of the allowed users to make remote calls to AD. |
| 52 | + |
| 53 | +By default, the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting isn't defined. If you define it, you can edit the default Security Descriptor Definition Language (SDDL) string to explicitly allow or deny users and groups to make remote calls to SAM. |
| 54 | + |
| 55 | +If the policy setting is left blank after being defined, the policy isn't enforced. |
| 56 | + |
| 57 | +To verify if you're encountering these restrictions, check one of the following: |
| 58 | + |
| 59 | +- On the logon domain controller (DC) for the Remote Desktop License Server, check if the following registry key is present: |
| 60 | + |
| 61 | + `HKLM\System\CurrentControlSet\Control\Lsa\RestrictRemoteSAM` |
| 62 | + |
| 63 | + If this key is present, this means the DC is configured with the SAM restrictions policy. |
| 64 | +- Check if the following Group Policy Object is present and applied on the DC: |
| 65 | + |
| 66 | + **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** > **Network access: Restrict clients allowed to make remote calls to SAM** |
| 67 | + |
| 68 | +> [!NOTE] |
| 69 | +> This behavior is expected when restricting SAM calls to the DC. However, it has no impact on the RDS Licensing functionality in terms of issuing client access licenses (CALs) and maintaining connectivity with its peers in the RDS farm. |
| 70 | +
|
| 71 | +To verify if the Remote Desktop license server is affected by this policy, see [related events](/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls#related-events) on the domain controller. |
| 72 | + |
| 73 | +To allow the Remote Desktop license server to make remote SAM calls to Active Directory, use Group Policy to add the Remote Desktop license server computer account to the list of allowed accounts under this policy: **Network access: Restrict clients allowed to make remote calls to SAM**. |
| 74 | + |
| 75 | +> [!NOTE] |
| 76 | +> Restarts aren't required to enable, disable or modify the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting, including audit only mode. Changes become effective without a device restart when they're saved locally or distributed through Group Policy. |
| 77 | +
|
| 78 | +## Contact Microsoft Support |
| 79 | + |
| 80 | +If the preceding steps can't resolve the issue, contact Microsoft Support for further assistance. |
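Review bot: the enforcement check under "Step 3: Review security restrictions" is inconsistent with the policy description a few lines above it. The text states that a policy left blank after being defined isn't enforced, then tells the reader that the mere presence of `HKLM\System\CurrentControlSet\Control\Lsa\RestrictRemoteSAM` "means the DC is configured with the SAM restrictions policy". If a defined-but-blank setting is not enforced, presence alone cannot establish that restrictions apply; the check should look at the SDDL content of the setting and whether the license server's computer account is among the allowed principals, e.g. "If this value is present and contains an SDDL string, the DC restricts remote SAM calls; confirm the license server's computer account is in the allowed list." Minor wording in the same place: RestrictRemoteSAM is the setting's stored value under the Lsa key rather than a key of its own. Separately, "Step 1: Verify domain connectivity" opens with "If the server is part of the TSLS domain group, verify that the license server can reach a valid domain controller", but group membership is only checked in Step 2, and the error text itself says AD DS cannot be contacted; the connectivity check should be unconditional, or the two steps reordered.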