Link to home
Start Free TrialLog in
Avatar of John Atkinson
John AtkinsonFlag for United States of America

asked on

What Client Access License supports RDS sessions for using local accounts on Server 2019?

A client is using a  new Win2019 server set up in AWS Lightsail.  It's only a few months old.  They use it as a file server serving local Windows users that log in to the server via Remote Desktop.  All is working well.  


Looks like we're quickly approaching the end of a grace period we've been enjoying, and we need to purchase and install user licenses.  We see a notification announcing "Remote Desktop licensing mode is not configured.  Remote Desktop Services will stop working in 23 days (which is 3 days from today).  On the RD Connection Broker server, use Server Manager to specify the Remote Desktop..." (don't have the rest of the message.


I think the kind of license I need is User CALs.  (Certainly not Device CALs.)  However, when I read up on User CALs, it looks like that license applies to Active Directory users.  We're not using Active Directory.  All our users work in local accounts on the server.


What kind of licensing do I need to find, buy, and somehow install in order to preserve this local-user account setup going?  


Can you point me towards a discussion that applies to my situation specifically?  Thanks, all.


Avatar of David Johnson, CD
David Johnson, CD
Flag of Canada image

RD Multi-Session Server doesn't exist anymore so RDS requires Active Directory in order to function as mentioned by David.

User CALs: Best for where one user one machine
Device CALs: Best for shift work where two or three users one machine
You need to purchase both Windows User CALs and RDS User CALs.
Avatar of John Atkinson

ASKER

Gentlemen, thanks for your insights.

If RDS requires AD, can you help me understand why or how the current setup, without AD, is working?  Also, will the local user accounts still be reachable, if I add AD users and license them?






Your current setup uses temporary device CALs.
There's no adding AD in the sense of dropping it in.

Network Policy Server will be set up on the Broker/Gateway/Web server that needs to be integrated with ADDS.

We usually put the licensing role on the same server. Once set up and the model is chosen one inputs the CALs code and acknowledges and sets the license server up in AD.

This would be a ground up setting up of RDS though the Session Host may be able to be added to the new collection without the need to set it back up.
To summarize, my current environment features local server user accounts logging into the AWS server after reaching it via Remote Desktop.

I checked the article David Johnson recommended, and discovered that it describes exactly how the server is set up now.  I just want that to continue after we pass the grace period this week.

Kevinhsieh taught me that I'm operating under temporary device CALs now.  I'm now wondering if the simplest way forward is to abandon the idea of using User CALs, and just buy Device CALs.  Our users are already using temporary device CALs, so that seems the most friction-free way to continue.  Can you confirm?

Also, Kevinhsieh mentioned that I'd need RDS CALs along with User CALs.  If I go with Device CALs, do I still need to find, buy, and install RDS CALs?  (I've seen both User and Device CALs for sale, but I've yet to see an RDS CAL for sale.)  Can you comment on the relationship among these apparently three types of CALs?
you need both, don't confuse server cals with rdp cals. Server CAL's are paper CALS the only enforcement is if you get audited. Your purchase receipt is your proof of license

A Windows Server CAL is a license that allows user or device to access Windows Server. CALs are used to allow Users and/or Devices to access and utilize the services of that server OS.
https://www.microsoft.com/en-us/licensing/product-licensing/client-access-license

and RDS Cals
https://www.microsoft.com/en-us/p/windows-server-remote-desktop-services-cal/dg7gmgf0dvsv?activetab=pivot%3aoverviewtab
OK.
I'm grateful for your comments, David.  I am really trying to understand, but it's challenging to reconcile the advice, the terms, and the recommended articles.  

You use the terms "server cal", "rdp cals", and "RDS CALs".  The link for RDS CALs links me to a page where I can purchase RDS CALs of either the User or Device variety.  You say I need both server and RDP CALs.
  1. are rdp cals and RDS Cals the same thing?
  2. are server cals something different that I need to buy?  If so, how does one purchase those?
rdp == rds remote desktop protocol ve remote desktop services.
are server cals something different that I need to buy?  If so, how does one purchase those?
Yes people tend to forget this.
one source: https://www.cdw.ca/product/microsoft-windows-server-2019-license-5-user-cals/5434030

Servers require user or device cals for access server services.  remote desktop requires additional Client Licenses (per user or per device) If you want to use a mix (RDS ONLY scenario) then you require 2 license servers as each license server needs its licensing mode defined. This would mean 2 different remote desktop session host servers / license servers.
That or every month you have to reconcile your license usage. and only use per user CALS  Per USER CAL's are not enforced but per device are.
See this article https://social.technet.microsoft.com/Forums/windowsserver/en-US/2ce9f814-822c-436b-bd12-80e1ec74c27b/combine-both-per-device-and-per-user-rds-cals-on-the-same-remote-desktop-session-host?forum=winserverTS
Accessing a Windows Server has always required CALs. Since at least Windows 2000, there have been User and Device CALs. Either is acceptable. User device CALs cost more, but cover every device the particular human uses. Device CALs cover just the specific device.

RDP and RDS are generally interchangeable terms. Microsoft renamed to RDS in 2012, I believe. Many people still call RDS "terminal server". Use of Remote Desktop requires an RDS CAL in ADDITION to Server CAL.

You need both Windows Server and RDS CALs.

CALs are available through the same channels as Microsoft OS licenses.

Yes, per device RDS CALs is the simplest path forward as it requires the least amount of changes to the environment.
So, I need a Windows Server CAL, but it's not a digital thing that requires installation, correct?  

Also, does the term RDS CAL refer to either a User CAL or a Device CAL, or is there a difference?

So, I need a Windows Server CAL, but it's not a digital thing that requires installation, correct?  
Correct

Also, does the term RDS CAL refer to either a User CAL or a Device CAL, or is there a difference?

All CALS come in 2 versions, user OR device .. a Remote Desktop Session Host only supports 1 type of CAL.

create an AD Domain and most of your pain points will go away. sticking with a workgroup means fighting the system for no real advantage.
Thanks, David.  Here's my concern about creating an AD domain:

We have 4 or 5 local user accounts set up already on this server and they're actively in use, during the work day.  I'm trying to accomplish this "licensing up" exercise without disrupting these busy users.  (They're not logged in all the time, but they do log in and work for hours every day.)  

I've read that, when you install the Active Directory server role, then that computer becomes a Domain Controller.  I've also read that Domain Controllers do not have local user accounts.  So, I'm afraid that if I set up Active Directory, my existing users' accounts will disappear, which would violate my need not to disrupt them.  Do I have this right?
ASKER CERTIFIED SOLUTION
Avatar of David Johnson, CD
David Johnson, CD
Flag of Canada image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
ForensiT's Profile Migration Wizard would automate the transition from workgroup to domain by migrating all of the user's profiles into the new domain setting. It can be automated so that the only impact is a longer log on time.

EDIT: The RDS server would _not_ be the domain controller. It would need to be separate. In a Hyper-V or VMware setting the Windows Server Standard license allows for two VMs to be installed as guests. That's how to go about it.
Philip, after checking the contents of the local user profiles, I see that the users aren't saving much locally, so I've moved on from trying to carefully preserve their profiles.  I'll just make new ones and restore 10 files per user from backup.

I'm massively confused by your comment that the RDS server would not be on the domain controller.  I don't have the luxury of multiple server instances.  I have just the one, to do everything.  

The server already has the RD Licensing and RD Session Host roles installed.  I don't know whether AWS spun up the instance configured like that, or we had to add it to enable RD.  

My current plan is
  1. add the ADDS role
  2. promote to DC, which I believe will destroy the local user accounts
  3. login as domain admin
  4. create my domain users
  5. purchase User CALs
  6. activate the RD Licensing using the CALs
  7. test RD connecting and logging in as domain users
  8. restore a few files from the backup of the pre-ADDS server
  9. take note that everything looks just beautiful now
  10. pray that the expiring grace period doesn't take my users down entirely
  11. rediscover sleep -- I hear it's nice...

Am I cleaving anywhere close to proper?  I welcome any and all actionable comments, and any other kind, too.
There is no way to set a DC up as an RD Session Host. Period.