Applies to: All versions of Centrify DirectControl / DirectManage.
How can unused licenses be freed up in Centrify DirectControl?
Some of the servers/machines were decommissioned without doing an adleave.
Does Centrify also count the number of Zone-enabled users?
Will logins stop working?
For Centrify DirectControl, licensing is based on the number of servers and workstations you authorize for access, but license validation does not impact the operation of any production systems. Instead, license validation is handled through the Centrify DirectControl Administrator Console so that the administrator is notified if there are not enough license keys to cover the number of Centrify DirectControl-managed systems. With this licensing enforcement model, the Centrify DirectControl Administrator Console always checks for license keys at startup to verify that there are enough license keys installed for all UNIX computers with valid accounts in Active Directory. If the number of licensed servers and workstations exceeds the total number of licenses you have purchased, the Centrify DirectControl Administrator Console will display the Manage Licenses dialog box to enable you to add license keys.
In Centrify DirectControl, licenses are issued based on how a computer is used. For example, a computer can be licensed as a workstation or a server, and as a standard UNIX server or as an application server. The following types of licenses are available:
a) Workstation Licenses permit a specific number of UNIX workstations to be available to Active Directory users who log on to the UNIX shell. Workstation licenses are intended for computers that are used interactively by one or two concurrent users who log on using standard UNIX services such as telnet and ftp, but that do not host applications accessed by multiple users.
b) Server Licenses permit a specific number of UNIX servers to be available to Active Directory users accessing server-based applications. Server licenses are for computers that are accessed by multiple concurrent users and typically host a specific type of application.
c) Application Licenses permit UNIX servers to be available for Active Directory users accessing specific applications hosted on UNIX servers.
If a machine was joined to the domain earlier but adleave was run with -f (force), or the machine was decommissioned without running adleave or adleave -r, then the service connection point (SCP) for the computer object and the SCP for the computer object under the zone still exist in AD, and both contribute to the license count.
Find such machines and delete their profiles from the zone. Additionally, if the computer object was deleted from AD but its SCP still exists under the zone, that SCP is also counted towards the license count. These can be deleted by running the "DirectManage Access Manager Analyze Wizard". More detailed instructions can be found below:
Centrify Suite 2017.1 admin guide page 274:
Please note that user logins will never be impacted if the license count is exceeded. Customers will not be able to perform console operations.
Please see the snapshot below from our Centrify Admin Console. Here we have a license bought for 75 systems, and 5 are already 'joined' to a DC. If we decommission 2 of the 5 systems without running 'adleave -r', the Admin Console will still show '5' used unless we remove the computer object in AD and the SCP information.