
KB-1658: How does Centrify Licensing work?

Centrify DirectAudit, Centrify DirectControl

2 May,16 at 05:40 PM

Applies to: All versions of Centrify DirectControl / DirectManage.
 
Question:
How can unused licenses be freed up in Centrify DirectControl?  
 
Some of the servers/machines were decommissioned without doing an adleave. 
 
Does Centrify also count the number of Zone-enabled users? 
 
Will logins stop working?


Answer:
For Centrify DirectControl, licensing is based on the number of servers and workstations you authorize for access, but license validation does not impact the operation of any production systems. Instead, license validation is handled through the Centrify DirectControl Administrator Console so that the administrator is notified if there are not enough license keys to cover the number of Centrify DirectControl-managed systems.  With this licensing enforcement model, the Centrify DirectControl Administrator Console always checks for license keys at startup to verify that there are enough license keys installed for all UNIX computers with valid accounts in Active Directory. If the number of licensed servers and workstations exceeds the total number of licenses you have purchased, the Centrify DirectControl Administrator Console will display the Manage Licenses dialog box to enable you to add license keys.
 
In Centrify DirectControl, licenses are issued based on how a computer is used. For example, a computer can be licensed as a workstation or a server, and as a standard UNIX server or as an application server. The following types of licenses are available:

a) Workstation Licenses permit a specific number of UNIX workstations to be available to Active Directory users who log on to the UNIX shell. Workstation licenses are intended for computers that are used interactively by one or two concurrent users who log on using standard UNIX services such as telnet and ftp, but that do not host applications accessed by multiple users.

b) Server Licenses permit a specific number of UNIX servers to be available to Active Directory users accessing server-based applications. Server licenses are for computers that are accessed by multiple concurrent users and typically host a specific type of application.

c) Application Licenses permit UNIX servers to be available for Active Directory users accessing specific applications hosted on UNIX servers.
 
All computer licenses are simply added together and then compared to the total number of UNIX / Linux / Mac systems that have joined AD in order to determine license compliance.

Page 31 of the below online guide (Suite 2017.1) shows how to run a license report: 
https://docs.centrify.com/en/css/suite2017.1/centrify-licensing-guide.pdf
 
If a machine was previously joined to the domain but adleave was performed with -f (force), or the machine was decommissioned without performing adleave or adleave -r, then the scp (service connection point) for the computer object and the scp for the computer object under the zone still exist in AD, and they contribute to the license count.

Find such machines and delete their profiles from the zone. Additionally, if the computer object was deleted from AD but its scp still exists under the zone, that scp is also counted towards the license count. These can be deleted by running the "DirectManage Access Manager Analyze Wizard". More detailed instructions can be found below:

Centrify Suite 2017.1 admin guide page 274:
https://docs.centrify.com/en/css/suite2017.1/centrify-unix-adminguide.pdf

If you did not do 'adleave -r' and the server is already decommissioned, then you will need to remove the computer object in AD and make sure the scp is also deleted.
 
Please note that user logins will never be impacted if the license count is exceeded. In that case, customers will not be able to perform console operations.

Please see the snapshot below from our Centrify Admin Console. Here we have a license bought for 75 systems, and 5 are already 'joined' to a DC. If we decommission 2 of the 5 systems without doing 'adleave -r', the Admin Console will still show '5' used unless we remove the computer object in AD and the scp information.

[Image: Centrify Admin Console snapshot]
