On Windows Server, the OS allows two users to be logged in at the same time by default. If more users need to log in, Remote Desktop Services CALs (Client Access Licenses) have to be purchased.
Even in the default case, a local account must be added to the Remote Desktop Users group before it is allowed to log in remotely. If more than two users try to log in at the same time, the system prompts whether one of the existing users should be disconnected.
If more than two users need to be remotely logged in to the Windows Server at the same time, Remote Desktop Services must be installed on the server, and then:
- Purchase CALs
- Enable an RDS Licensing Server on the current Windows Server or on a new Windows Server node, and install the purchased CALs on it
- On each Windows Server that users need to log in to, configure the address of the RDS Licensing Server it should use
After RDS is enabled:
The first and second users to log in do not need to request a license from the RDS Licensing Server; only from the third user onward is a license needed. In addition, every user who needs a license gets a grace period of roughly 90 to 120 days during which no license is requested; a license is requested only after the grace period expires.
CAL types and differences:
Per User CAL: A Per User RDS CAL permits a user to establish a Remote Desktop session on a Remote Desktop Session Host server, regardless of how many devices the user uses to connect.
Per Device CAL: A Per Device RDS CAL permits a particular device to establish a Remote Desktop session on a Remote Desktop Session Host server, regardless of how many users connect from that device.
Per Device RDS CALs are assigned to client devices the second time each device connects to a Session Host server. (A temporary CAL is used for the first connection from each device.) A Per Device CAL remains assigned to a device for a random period of 52-89 days, after which it is returned to the license pool and will be assigned to the next device which connects without an existing CAL. Per Device CALs can also be manually revoked (disassociated from a device and returned to the pool) before the end of the assignment period. This is useful if a CAL is assigned to a device that is no longer in the environment or has had its operating system reinstalled. Up to 20% of the total number of Per Device CALs on a license server can be revoked.
Per User RDS CALs are not assigned to user accounts in the same way that Per Device CALs are assigned to devices; in fact, Per User CALs are not enforced by the license server at all. However, failure to maintain an adequate supply of Per User RDS CALs is a violation of the Microsoft Software License Terms.
The Remote Desktop Licensing Manager console is used to activate a license server, install RDS CALs, and manage those CALs.
A single license server can host both types of RDS CALs and can host CALs from earlier operating-system versions. This is useful if a single license server will manage multiple Session Host servers. A license server cannot host RDS CALs from later OS versions, however. For example, a Windows Server 2008 R2 license server could host Server 2003 TS CALs and Server 2008 TS CALs but not Server 2012 RDS CALs.
In the current public-cloud scenario, and especially with multiple regions, the platform must apply to Microsoft for licenses under the SPLA agreement and state the countries of use, the license type and the quantity. These licenses are prepaid and billed monthly.
Per Device licenses: suitable for scenarios with more users than servers. The platform administrator can manually revoke at most 20% of the licenses. If the Licensing Server no longer has enough licenses for a new request, the client's login is rejected.
Per User licenses: suitable for scenarios with more servers than logged-in users. Although Microsoft's website states that this license type is not enforced, the administrator must ensure that enough licenses remain for new client requests, otherwise the Microsoft agreement is violated. However, it was confirmed with Microsoft that when not enough licenses remain, new client requests are also automatically rejected.
Known problem:
When running Licensing Diagnosis to test and diagnose RDS, the mechanism relies on configuring, on the current RDS Host, an account and password for the remote licensing server; this account is used to query the license information.
Solution:
Add the querying User Account to the local Administrators group on the Remote Desktop Licensing Server.
Alternatively, following https://campus.barracuda.com/product/websecuritygateway/knowledgebase/501600000013UxgAAE/how-can-i-create-a-user-with-wmi-query-permission/ , create a normal (non-administrator) user on the licensing server node and apply the following configuration:
Step by Step configuration for Windows 7 and Windows Server 2008:
1. Create a normal user via the Active Directory Users and Computers tool.
2. Add the created user to following groups Performance Monitor Users and Distributed COM Users under Builtin.
3. Open a command prompt window and execute the wmimgmt.msc command.
4. Select the Properties of WMI Control (local).
5. Select the Security tab.
6. Select Root and press the Security button.
7. Add the group Performance Monitor Users.
8. Enable all Remote Enable, Execute Methods, Enable Account and all read rights.
9. Close the add dialog and select the group Performance Monitor Users in the list.
10. Select Advanced in the Security for Root dialog and then select the group and press Edit.
11. Select This namespace and subnamespaces to grant read-only access to the whole WMI tree to this account.
Configure the Windows Firewall (needed if the firewall blocks the remote WMI access)
1. Start the Windows Firewall using the Control Panel.
2. It is not necessary to use the Windows Firewall with Advanced Security control.
3. Select Allow a program or feature through Windows Firewall.
4. Enable Windows Management Instrumentation (WMI) for Domain and/or Home/Work Networks.
Configure the DCOM access (optional if predefined group Distributed COM Users is not used)
1. Start dcomcnfg.exe
2. Open Component Services, Computers, My Computer and then Properties of My Computer.
3. Select COM Security
4. Click on Edit Limits on Launch and Activation Permissions.
5. Check the rights of the group Distributed COM Users (should have full rights).
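The following PowerShell script is an added example, not part of the original notes or of any Microsoft documentation. It applies the least-privilege variant of the solution above (group membership and the WMI firewall rule on the licensing server) and then verifies from the RDS Host that the non-administrator account can actually read the installed CAL packs over DCOM/WMI. The account name and server name are placeholders, and the WMI namespace ACL is assumed to have been granted through wmimgmt.msc as in steps 3 to 11.

```powershell
# Part A: run on the RDS Licensing Server with administrative rights.
# Puts the query account into the two built-in groups instead of local Administrators
# and opens the same firewall rule group as the GUI checkbox in the steps above.
function Grant-LicenseQueryAccess {
    param([Parameter(Mandatory)][string]$QueryAccount)   # e.g. 'CONTOSO\rds-lic-query' (placeholder)

    foreach ($group in 'Performance Monitor Users', 'Distributed COM Users') {
        $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
        if ($members.Name -notcontains $QueryAccount) {
            Add-LocalGroupMember -Group $group -Member $QueryAccount
        }
    }
    # Remote WMI uses DCOM (TCP 135 plus dynamic ports); this predefined rule group covers it.
    Enable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'
    # The WMI namespace ACL (Remote Enable, Execute Methods, Enable Account, read rights on Root
    # and subnamespaces) is assumed to be set via wmimgmt.msc; it is not changed here.
}

# Part B: run from the RDS Host, with the low-privilege credential the Licensing Diagnosis
# will use. Win32_TSLicenseKeyPack (root\cimv2 on the licensing server) lists the installed
# CAL packs, so a successful query proves the account, firewall and namespace ACL are correct.
function Test-LicenseQuery {
    param(
        [Parameter(Mandatory)][string]$LicenseServer,          # e.g. 'LICSRV01' (placeholder)
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # Licensing Diagnosis talks DCOM, not WinRM, so force the DCOM protocol explicitly.
    $opt = New-CimSessionOption -Protocol Dcom
    $session = New-CimSession -ComputerName $LicenseServer -Credential $Credential -SessionOption $opt
    try {
        Get-CimInstance -CimSession $session -ClassName Win32_TSLicenseKeyPack |
            Select-Object ProductVersion, TypeAndModel, TotalLicenses, IssuedLicenses, AvailableLicenses
    }
    finally {
        Remove-CimSession -CimSession $session
    }
}

# Usage (placeholders):
#   On the licensing server:  Grant-LicenseQueryAccess -QueryAccount 'CONTOSO\rds-lic-query'
#   On the RDS Host:          Test-LicenseQuery -LicenseServer 'LICSRV01' -Credential (Get-Credential)
```

If Part B fails with "Access denied" although the groups and firewall rule are in place, the missing piece is almost always the WMI namespace ACL from steps 3 to 11, since the built-in groups alone do not grant Remote Enable on the namespace.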