Citrix XenApp 6.5 Expert Cookbook

To install the RD Licensing Role Service you need to install and set up a new Windows Server 2008 R2 server or add the Windows Role Service to an existing server.

To build an unattended installation for the RD License Server, you can use the servermanagercmd.exe command to add the Windows Role Service to the server.

To add the RD License Server service to a Windows server, follow this step:

When you run the servermanagercmd.exe command, the following message is shown:

Servermanagercmd is deprecated and not guaranteed to be supported in future releases of Windows. We recommend that you use the Windows PowerShell cmdlets that are available for Server Manager.

Even though it might no longer be supported in future releases, it still works with Windows Server 2008 R2 to create an unattended installation to add Windows features, roles, or services to Windows Server 2008 R2. You can run the servermanagercmd.exe command with various parameters.

To check the installed roles and features on a Windows Server 2008 R2 server, you can use the following command line:

servermanagercmd -query [<query.xml>] [-logPath <log.txt>]

Windows Server 2008 R2 uses the following parameters:

When you want to change the installed roles and features on a Windows Server 2008 R2 server, you can add the following parameters to the servermanagercmd command:

servermanagercmd [-install|-remove] <Id> [-allSubFeatures]
[-resultPath <result.xml>] [-restart] [-whatIf] [-logPath <log.txt>]

This command uses the following parameters:

You can read more about servermanagercmd.exe on Microsoft TechNet: http://technet.microsoft.com/en-us/library/ee344834(v=ws.10).aspx.

If you are not comfortable using a deprecated command or if you want to use a method that will be supported in future Windows server releases, you can also use Windows PowerShell to install the required Windows Server 2008 R2 roles and features. Windows PowerShell 2.0 is installed by default on the server. The following PowerShell commands will install the RD Licensing Role Service on the server:

Import-Module ServerManager
Add-WindowsFeature –Name RDS-Licensing –LogPath <log.txt> -Restart

You can read more about the Add-WindowsFeature PowerShell cmdlet on Microsoft TechNet: http://technet.microsoft.com/en-us/library/ee662309.aspx.

In order to configure the RD Licensing Role Service, you need to have the RD License Server installed. You can use the unattended installation directions in the previous recipe for installing the RD License Server.

To run the provided PowerShell commands, the default execution mode for PowerShell scripting needs to be changed so that the commands can be run on the server. You can change the PowerShell execution mode from Restricted to RemoteSigned with the following PowerShell command:

Set-ExecutionPolicy RemoteSigned -Force

To configure the RD License Server through command-line tools and/or scripts and build an unattended configuration script, follow these steps:

When you import the Remote Desktop Services module in Windows PowerShell, the Remote Desktop Services (RDS) provider is also included. This provider enables you to configure RDS settings through Windows PowerShell by allowing you to change the RD License Server and RD Session Host server settings with default PowerShell cmdlets, such as Get-Item, Set-Item, New-Item, and Get-ChildItem.

To use the RDS provider, you simply need to change your location to the RDS drive by using the following Set-Location cmdlet:

Set-Location RDS:

To view the current configuration of the RD License Server, use the following Get-ChildItem cmdlet:

Get-ChildItem .\LicenseServer\Configuration

With the Set-Item cmdlet, you can change a setting by specifying the location of the configuration item and the new value that has to be set, as shown in the following command line:

Set-Item -Path RDS:\LicenseServer\Configuration\<ConfigItem> -Value <ConfigItemValue>

The Set-Item cmdlet uses the following parameters:

Activating your RD License Server is also done with the following Set-Item cmdlet:

Set-Item –Path RDS:\LicenseServer\ActivationStatus -Value <Status> -ConnectionMethod <ConnectionMethod> -Reason <Reason>

The Set-Item cmdlet uses the following parameters:

As mentioned in the How to do it... section, you can use the Set-Item cmdlet to install the purchased RDS CAL packs. The required parameters for the cmdlet depend upon the used license type and agreement with Microsoft. When you are uncertain about the parameters you will need to provide, use the following Get-Help cmdlet to find the required parameters and corresponding values:

Get-Help New-Item -Path RDS:\LicenseServer\LicenseKeyPacks -Detailed

The next two examples show you how the required parameters change depending on your license type.

An example of the required parameters for an open license:

New-Item -Path RDS:\LicenseServer\LicenseKeyPacks -ConnectionMethod AUTO -LicenseType OPEN -LicenseNumber 0000000 –AuthorizationNumber 'XXXXXXXXXXXXXXX' -ProductVersion 1 -ProductType 1 -LicenseCount 1

An example of the required parameters for a retail license:

New-Item -Path RDS:\LicenseServer\LicenseKeyPacks -ConnectionMethod AUTO -LicenseType RETAIL -LicCode 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'

Adding RDS CALs normally has to be performed only once during the initial configuration of the RD License Server as scripting this part of the configuration is subjected to the license type used. The manual installation of the CALs takes far less time than developing and testing the required PowerShell commands.

You can read more about the RDS provider for Windows PowerShell at Microsoft TechNet: http://technet.microsoft.com/en-us/library/ee791871(v=WS.10).aspx.

If you are not comfortable running the provided PowerShell script, you can always configure and activate your RD License Server manually by following the instructions from Microsoft TechNet available at http://technet.microsoft.com/en-us/library/cc770368.aspx, and add RDS CAL license packs manually by following the instructions from Microsoft TechNet available at http://technet.microsoft.com/en-us/library/cc770368.aspx.

To install the RD Session Host server Role Service, you need to install and set up a new Windows Server 2008 R2 server or add the Role Service to an existing server.

To add the RD Session Host server Role Service to a Windows server, follow these steps:

The servermanagercmd.exe command is explained in detail in the Scripting a command-line installation of the RD License Server recipe.

As an alternative method to the deprecated servermanagercmd.exe, you can use Windows PowerShell to install the the Windows Role Service. You can use the following PowerShell command to add the RD Session Host Role Service:

Import-Module ServerManager
Add-WindowsFeature –Name RDS-RD-Server –LogPath <log.txt> -Restart

To configure the RD Session Host, you need to have the RD Session Host role installed on a Windows server. You can use the unattended installation directions from the previous recipe for the installation of the RD Session Host.

To run the provided PowerShell commands, you will need to change the default execution mode for PowerShell to a less restrictive mode on the server.

You can change the PowerShell execution mode from Restricted to RemoteSigned by running the following PowerShell command:

Set-ExecutionPolicy RemoteSigned -Force

To configure the RD Session Host, perform the following step:

These are the basic settings that are required by the XenApp infrastructure. All other settings are focused on the RDP-TCP protocol used by RDS and not the ICA protocol that will be used by the XenApp servers.

How the Remote Desktop Services provider works is explained in the Configuring the RD License Server recipe.

The RD Session Host-specific information can be found by using the following PowerShell command to view the current configuration for the RD Session Host server:

Get-ChildItem .\RDSConfiguration

To set the license mode for the RD Session Host, you can use the following command:

Set-Item -Path RDS:\RDSConfiguration\LicensingSettings\LicensingType -Value <LicenseMode>

The Set-Item cmdlet uses the following parameters:

To specify an RD License Server for the RD Session Host to use, you can use the following New-Item cmdlet to add the server information:

New-Item -Path RDS:\RDSConfiguration\LicensingSettings\SpecifiedLicenseServers -Name <FQDNLicenseServer>

The New-Item cmdlet uses the following parameters:

You can read more about the RDS provider for Windows PowerShell at Microsoft TechNet: http://technet.microsoft.com/en-us/library/ee791871(v=WS.10).aspx.

If you are not comfortable with running the provided PowerShell scripts, you can always configure your RD Session Host manually by following the instructions from Microsoft TechNet: http://technet.microsoft.com/nl-nl/library/dd996653(v=ws.10).aspx.

To use Microsoft Group Policies and configure the required settings for your XenApp servers, you need to have the Group Policy Management feature installed on Windows Server 2008 R2 and be able to start the Group Policy Management Console on at least one of your servers.

You also need to ensure that the XenApp servers (or at least the RD Session Host servers) are put in their own Organizational Unit (OU) within Active Directory. This ensures you can attach Group Policy Objects (GPOs) with the required Group Policy settings to the server OU in Active Directory.

To configure RDS settings with Group Policies, follow these steps:

You can find all the RDS-related policy settings for Windows servers by navigating to Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host within the Group Policy Editor.

You can configure the following RDS Session Host settings:

These are the basic settings that are required by the XenApp infrastructure to be set. All other policy settings are focused on the RDP-TCP protocol used by Windows Remote Desktop Services and not the ICA protocol that is used by the XenApp servers.

You can read more on All Group Policy Settings for Remote Desktop Services in Windows Server 2008 R2 at Microsoft TechNet: http at //technet.microsoft.com/en-us/library/ee791756(v=ws.10).aspx.

To manage RDS Device CALs, a RD License Server needs to be installed and activated in the XenApp infrastructure. The RD License Server must also be issuing RDS Device CALs to client devices connecting to the RD Session hosts by the RDP protocol. Use the RD License Manager to check whether RDS Device CALs are issued by the RD License Server.

To revoke RDS Device CALs, follow these steps:

The status of the revoked Per Device CAL has now been changed to Revoked.

Each RD Session Host needs to be configured with an RD License Server and the RD licensing mode to run user sessions. The configured RD licensing mode determines the type of RDS CAL that will be requested from the RD License Server. This can either be a Per User or a Per Device RDS CAL.

When a user wants to set up a Remote Desktop session on an RD Session Host, the host will check whether or not a valid RDS CAL is presented and will request an RDS CAL with the RD License Server, if one cannot be provided. The following flowchart provides a (simplified) view of the process followed by the RD Session Host to check and request an RDS Device CAL for the client device:

If the device cannot present an RDS Device CAL, a temporary RDS Device CAL will be issued by the RD License server. If the device presents a temporary or expired RDS Device CAL, a permanent RDS Device CAL will be issued if the RD License Server has RDS Device CALs available. If no RDS Device CALs are available, no permanent RDS Device CAL can be issued and the issued RDS Device CAL is not replaced on the client device. If a valid temporary CAL is available, a Remote Desktop session can still be started; if not, the request is denied, and the Remote Desktop session is denied.

An RD License Server can always issue temporary CALs whether it is activated or not. An unlimited supply of temporary RDS CALs is installed by default on each RD License Server. Temporary RDS CALs are valid for 90 days.

Each permanent RDS CAL issued by the RD License server is automatically configured with an expiry date. This date is a random period of 52 to 89 days from the request date. The expiry date for each RDS CAL is logged by the RD License server to ensure that when the expiry date is reached, the RDS CAL is automatically returned to the pool of available RDS Device CALs on the RD License Server. The returned RDS CAL can be issued immediately to a new device when a CAL is requested.

If by any chance you want to return a RDS Device CAL to the pool of available CALs before it is expired, you can use the RD Licensing Manager to revoke a Per Device CAL.

The revocation of RDS Device CALs is only meant to return issued CALs for devices that are no longer in use and there is no mechanism to dynamically manage your license pool. You are only allowed to revoke up to 20 percent of the CALs within a period of two and a half months.

You can read more about Remote Desktop licensing at Microsoft TechNet at http://technet.microsoft.com/en-us/library/cc772298.aspx.

You can read more about Remote Desktop licensing at Microsoft TechNet at http://technet.microsoft.com/en-us/library/cc772298.aspx.

To keep track of the issued RDS Device CALs and automatically generate reports, you can use the Visual Basic script that is developed and provided on Microsoft's MSDN website to generate RDS Per Device CAL reports. The following screenshot is an example of such a report:

You can download the script and read more about it at Microsoft's MSDN blog at http://blogs.msdn.com/b/rds/archive/2007/08/10/generating-per-device-license-usage-reports-for-ts-license-servers-running-windows-server-2008.aspx.

In order to manage your RDS Per User CALs, you need to have an RD License Server installed and activated so that it can issue RDS User CALs. In addition to this, you also need to have RDS Per User CALs installed on your RD License server and have your RD Session Host servers configured for the Per User license mode. This will ensure that your RD Session Host will request a valid Per User RDS CAL to be presented for each user that starts a Remote Desktop session on the server.

You can check whether your RD License server is issuing RDS Per User CALs with the RD Licensing Manager. Unlike the Per Device CALs where all issued licenses are shown in the console, a report has to be generated to get an overview of the issued RDS Per User CALs. Follow these steps to generate the report:

You can view the report with either Notepad or Microsoft Excel as shown in the following screenshot:

If you want to automate the generation of the Per User RDS CAL usage reports, you can also run the following PowerShell script:

# Import the RDS PowerShell module 
Import-Module RemoteDesktopServices
# Navigate to the RDS Provider for Windows PowerShell 
Set-Location RDS:
# Generate the Per User CAL report 
cd RDS:\LicenseServer\IssuedLicenses\PerUserLicenseReports
New-Item -Path . -Name PerUser20130707 -Scope DOM
# Check report settings 
Get-ChildItem –Path .\20130707_133613\Win2K8-Win2K8R2
Get-Item –Path .\20130707_133613\Win2K8-Win2K8R2\IssuedLicenses\*

The report name is automatically generated and based on the creation date of the report.

In order to use the Licensing diagnosis snap-in, you need an installed and configured RD Session Host and an installed and configured RD License server as well. In order to read information on the RD License server with the Licensing Diagnosis snap-in, you also need to run it with a user account that has administrator privileges on the RD License server.

To use the Licensing Diagnosis snap-in, follow these steps:

If the Licensing Diagnosis snap-in detects problems reading the RD Session Host configuration or has problems communicating with the RD Licensing Server, it will show clear warnings and/or error messages in the Licensing Diagnosis Information pane.

The Licensing Diagnosis snap-in provides administrators with a quick diagnostic tool to check the configuration of the RD Session Host and the communication to and from the RD License servers. It will also provide clear error and warning messages when problems are detected.

Administrative privileges

To use the Licensing Diagnosis snap-in, it must be executed on the RD Session Host with an account that has local administrator permissions on the host. If your account does not have these permissions, a warning is shown when Licensing Diagnosis is selected in the left pane:

To view the RD License server information, the same account also needs administrative privileges on the RD License server. Without those privileges, the following error will be shown:

It is possible to provide separate credentials in the management console for the RD License server. By selecting the license server in the Remote Desktop Services License Server Information pane, and by selecting Provide Credentials from the Action menu, you can enter the required account information. After providing the right credentials, the RD Licensing server information is shown and no errors are reported.

RD Licensing service not started

When the RD License service is not started, the following error is shown:

License server <LicenseServerName> is not available. This could be caused by network connectivity problems, the RD Licensing service is stopped on the license server, or RD Licensing is no longer installed on the computer...

Make sure the RD Licensing service is started on the RD License server. If it is not started, start the service and refresh the Licensing Diagnosis information to see if the problem is resolved.

You can read more on Licensing Diagnosis problems at the MSDN blog at http://blogs.msdn.com/b/rds/archive/2008/02/01/licensing-diagnosis-problems-and-resolutions.aspx.

As of Windows Server 2008 R2, automatic discovery of the RD License Server is no longer supported. To check whether a RD License Server is configured, follow these steps:

When installing a RD License server, a discovery scope needs to be provided for the server. Previous versions of Windows Server (2000, 2003, and 2008) Terminal Services were able to use a discovery process to automatically find the Terminal Server (TS) License server by checking the Active Directory for specified TS License servers.

This automatic discovery process is no longer supported for the RD Session Host servers running on Windows Server 2008 R2 and later. You are now required to specify a RD License server in the RD Session Host configuration or through Group Policy settings. If errors report that no RD License Server can be found by the RD Session Host, make sure a RD License server is configured through the RD Session Host Configuration console or through Microsoft Group Policy settings. You can check the following registry key for the specified License Server entries:

HKLM\SYSTEM\ControlSet001\services\TermService\Parameters\LicenseServers\SpecifiedLicenseServers

If a RD License Server is specified, make sure the RD Licensing service is running and network connectivity is available between the RD Session Host and the RD License Server. RD Licensing uses Remote Procedure Call (RPC) over TCP port 135 and a dynamically assigned port above 1024. For communication with Microsoft Clearinghouse during activation and the RDS CAL installation process, internet communications over TCP port 443 are required as well.

You can install the Telnet client to check network connectivity on a Windows Server 2008 R2 server by running a command prompt as Administrator and using the following command line:

pkgmgr /iu:"TelnetClient"

This will run the Windows Package Manager and install the Telnet client.

To troubleshoot RD License Issuance, follow these steps:

For troubleshooting purposes, a quick list of common RD Licensing error messages and their recommended solutions are provided in the following table:

Issuance of RDS Per User CALs

Issued RDS Per User CALs are logged in the Event log by Information entries with the Event ID 4143. These will appear in the Applications and Services Logs section under Microsoft | Windows | TerminalServices-Licensing | Admin.

Issuance of RDS Per Device CALs

Issued RDS Per Device CALs are logged in the Event log by Information entries with the Event ID 82 in the Windows Logs under System.

Reissue a RDS Per Device CAL

RD Licensing information concerning RDS Per Device CALs are stored on the client device in the registry:

HKLM\SOFTWARE\Microsoft\MSLicensing.

To remove the Per Device CAL from the client device, you can delete the hardware ID and store subkeys from the registry and reboot the client. The client device will request a new CAL at the next RD session.

When the entire MSLicensing registry key is deleted and needs to be recreated, you will have to run the Remote Desktop connection as an administrator with the corresponding privileges to have sufficient rights to create the corresponding registry keys.

For a complete overview of Remote Desktop Services Events in Windows Server 2008 R2, check out Microsoft TechNet at http://technet.microsoft.com/en-us/library/ff404148%28v=ws.10%29.aspx.

To automatically rebuild the RD Licensing database, the computer running the RD Licensing Manager needs to have internet access (TCP port 443). The RD License server itself does not require internet access, only the computer running the management console.

Check if your RD License Server is configured for Automatic connection (recommended) through the properties of your RD License Server in the RD License Manager, before you start the rebuilding process.

To automatically rebuild the RD License server, follow these steps:

You can read more about rebuilding the RD Licensing Database at Microsoft TechNet: http://technet.microsoft.com/nl-nl/library/ff817600%28v=ws.10%29.aspx.

In order to automatically rebuild the RD Licensing database, the computer running the RD Licensing Manager needs to have internet access (TCP port 443). The RD License server itself does not require internet access, only the computer running the management console.

Also check if your RD License Server is configured for automatic connection (recommended) through the properties of your RD License Server in the RD License Manager.

To automatically recover your licenses to a new RD License server, follow these steps:

You can read more about recovering (or migrating) RDS CALs at Microsoft TechNet at http://technet.microsoft.com/en-us/library/dd851844.aspx.