Search for a License in AD Bridge

Obtain a License Key

An AD Bridge agent obtains a license key by first looking for a license container in the organizational unit (OU) the computer is joined to. If it obtains a license from that container, it will assign it to the agent machine.

If an AD Bridge agent does not find a license container, it will start to search higher in the hierarchy of the AD Bridge tree, repeating the process, until it reaches the root of the domain.

Once the agent discovers a license container, it stops looking for additional license containers, whether or not a license key can be found in that container.
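The search order above can be modeled in a few lines. This is an added illustration, not AD Bridge code: the function names, the `containers` map, and the sample DNs and key are constructed for the example. It shows the case worth checking in a real deployment, where a license container with no free keys close to the computer stops the search before a parent container that still has keys.

```python
def split_rdn(dn):
    """Split a DN at its first unescaped comma: (first RDN, remainder)."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":        # skip the escaped character, e.g. "\,"
            i += 2
        elif dn[i] == ",":
            return dn[:i], dn[i + 1:]
        else:
            i += 1
    return dn, ""


def parent_dn(dn):
    """Parent of an OU DN, or None once the domain root (DC=...) is reached."""
    head, rest = split_rdn(dn)
    if not rest or head.strip().upper().startswith("DC="):
        return None
    return rest.strip()


def find_license(computer_ou, containers):
    """Return (DN where the search stopped, key or None).

    `containers` is a hypothetical map: DN holding a license container ->
    list of unassigned keys in it. DN comparison is case-insensitive.
    """
    pool = {dn.lower(): keys for dn, keys in containers.items()}
    dn = computer_ou
    while dn is not None:
        keys = pool.get(dn.lower())
        if keys is not None:
            # First container found ends the search, with or without a key.
            return dn, (keys[0] if keys else None)
        dn = parent_dn(dn)
    return None, None


# Constructed sample directory: the Servers OU has a container with no free keys.
SAMPLE = {
    "OU=Servers,DC=example,DC=com": [],
    "DC=example,DC=com": ["CONSTRUCTED-KEY-1"],
}
print(find_license("OU=Web,OU=Servers,DC=example,DC=com", SAMPLE))
print(find_license("OU=Desktops,DC=example,DC=com", SAMPLE))
```

The first call stops at the Servers OU and returns no key even though the domain root has one; the second call reaches the root and gets the key.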

Verify a License Key

The AD Bridge Enterprise agent verifies a license in the following instances:

  • When you run the setkey-cli utility
  • When you start the AD Bridge Enterprise authentication service
  • When you log in

To verify a license, the setkey-cli utility uses the computer's Active Directory account to search for licenses in the computer's OU hierarchy up to the top of the domain. When the computer’s domain controller is down, the utility loads the license from the disk without verifying its assignment in Active Directory.

The AD Bridge Enterprise Group Policy service also checks for a license when it refreshes the computer's Group Policy Objects (GPOs). If the license is invalid, the service ignores the GPOs. Once the license becomes permanent and valid, the service applies the GPOs when it restarts.

If the message "Invalid computer!" is displayed in the Assigned To column, revoke the license and return it to the pool of available licenses. Right-click the license you want to revoke and click Revoke License.

Add License Permissions

Add permissions to the licenses in the license container at the root of the domain so that child domains can acquire and delete licenses.

To add permissions for child domains:

  1. At the root of the domain, right-click the license object within the license container.
  2. Add the child or domain computer's account.
  3. Allow Create all child objects and Delete all child objects.

Enabling Create all child objects and Delete all child objects will allow the child domain computers group to acquire and delete licenses from the parent domain.

When you leave the domain with --deleteAccount, the credentials used to leave that domain must also be added to each of the license objects so that the license is freed.