Changes to Windows Server 2008 Terminal Server Licensing (Part 2)

If you would like to read the previous article in this series please go to Changes to Windows Server 2008 Terminal Server Licensing (Part 1).

This is the second part of a two-part article series on the changes to terminal server licensing in Windows Server 2008. In part one, I discussed some changes to the installation process, licensing database and discovery process. In this part, I’ll cover some interesting changes in per-user licensing, CAL reporting, revocation and improvements in the management interface.

CAL Allocation Process

The CAL allocation and tracking process has evolved over the years as Microsoft has matured the product. Originally, with Windows NT Server 4.0 Terminal Server Edition, Terminal Server CALs were never tracked and licensing enforcement was purely on the honor system. 

When Windows 2000 Server arrived, Microsoft began enforcing Terminal Services licensing by requiring CALs for every client that was connecting from a system that pre-dated Windows 2000. However, for those running Windows 2000 or later, they were considered to have equal or greater functionality in the native client OS, so no further purchase was necessary.

Windows Server 2003 Terminal Services brought on a paradigm shift in licensing methodology, requiring each and every client that connected to the Terminal Server to have a TS CAL regardless of whether the client operating system was of the same or newer version. Microsoft considered the Terminal Services capabilities of Server 2003 to be a separate licensable technology. At the same time, Microsoft decided to augment their licensing offering so customers could tie a CAL to a user account, rather than to a specific machine, and decided to offer organizations a choice of licensing for Terminal Server clients – per-device or per-user.  However, the per-user CAL was introduced late in the development process and there wasn’t sufficient time to integrate a tracking mechanism, so CALs were simply not tracked.

Windows Server 2008 is supposed to change this by enforcing per-user CAL allocation and use. However, as of Release Candidate 0 (RC0), per-user allocation is tracked (sort of), but not enforced. As connections are accepted by the terminal server, the license server updates the user account in Active Directory with the CAL information, but CALs are never decremented from the licensing database. It appears that the final release will remain this way, although this may change in the final product release.

Licensing type is determined by the licensing mode of the terminal server, just as it was in Windows Server 2003 and likewise, no temporary CALs or permanent per-user CALs are issued to clients when connecting to a terminal server that is in per-user mode. In fact, the entire CAL allocation process for both per-user mode and per-device mode terminal servers remains the same as Windows Server 2003.

The only difference is that per-user CALs are registered in Active Directory with the user account, and while Windows Server 2008 still doesn’t enforce per-user CAL allocations, it does allow you to generate reports on CAL usage based on this information.

CAL Usage Reporting

Even though per-user CAL allocation is not tracked in the licensing database, reporting is possible because of the involvement of Active Directory.  When a user logs on to a Windows Server 2008 terminal server that is in per-user mode, the terminal server checks in with the license server, as it did in Windows Server 2003. The license server then reaches into Active Directory and modifies terminalServer attribute on the user account to add the CAL. The rights to modify the user account are granted through the license server’s membership in the Terminal Server License Servers security group, so the license server must remain a member of this group for reporting to work. Furthermore, if the license server will be responsible for issuing and tracking CALs in multiple Active Directory domains, then the license server must be a member of the Terminal Server License Servers security group in each of those domains in order to update the user account attribute.

Note:
If the license server is installed on a domain controller, then the Network Service account must also be a member of the Terminal Server License Servers security group.

Per-user CAL usage reporting is only supported when both the terminal server and the license server are both a member of an Active Directory domain, since the CAL becomes associated with the user account object. Active Directory can be based either on Windows Server 2003 or Windows Server 2008; there are no schema extensions required for per-CAL usage tracking. Because Active Directory is a requirement, per-user CAL usage reporting is not supported where Workgroup-mode license servers are deployed.

The reporting process itself is either performed through the TS Licensing Manager program or via WMI scripting, with the former only supported for per-user CALs. Per-device CAL reporting must be performed using WMI. Reports are generated using real-time data retrieved from Active Directory and stored in the LServer\Reports directory as .DAT files. Although there isn’t much that can be done with the .DAT files directly, using the TS Licensing interface, the data in these files can be extracted and saved as text files for viewing.

LSREPORT is a command-line utility that accompanied the Windows Server 2003 resource kit and was used to export per-device CAL data from the licensing database into a tab-delimited text file. Microsoft reports that LSREPORT is no longer supported in Windows Server 2008; however as of RC0 it still appears to work without issues.

Creating a Report

In TS Licensing Manager, right-click Reports from the hierarchy on the left, then select Generate Reports, Per User CAL Usage.  On the Create Per User CAL Usage Report screen, select one of the following options:

  • Entire domain: This option will produce a report based only on the domain in which the license server is a member.

  • Organizational Unit: This option will produce a report based on a specific OU in the domain in which the license server is a member.

  • Entire domain and all trusted domains: This option will produce a report on the domain in which the license server is a member and any other domain where this license server has been added to the respective Terminal Server License Servers security group.

Clicking Create Report will generate the report and create a record in the TS Licensing Manager interface. This record is actually pointing to a .DAT file in the LServer\Reports directory on the license server. To view the data in the report, right-click on the record in TS License Manager and select Save Report. This will save the data as a text file that can viewed in Notepad.

The report output isn’t very detailed, but it does provide a list of CALs that have been issued to user accounts. The information is obtained by querying Active Directory user accounts, looking for a value in the licenseServers attribute that matches the license server’s signature. The following is a sample report output.


Figure 1

Management Interface Changes

Terminal Services Licensing Manager is still a self-contained executable (LicMgr.exe), rather than an MMC snap-in and there is no word as to whether this will end up as an MMC snap-in in the final release of Windows Server 2008. However, TSAdmin.exe, the Terminal Server Administrator program from Windows Server 2003 and earlier, is no longer and has been replaced by a new MMC snap-in.

There are two interesting additions to the functionality of the TS Licensing Manager interface. First is a new “sanity check” option called Review Configuration (figure 2). This makes sure that any obvious missteps in the configuration or installation of license server components are brought to light, such as neglecting to activate the license server, add CALs or potential issues regarding discoverability.


Figure 2

The other interesting addition is the ability to change the license server’s discovery scope. Previously, in Windows Server 2003 you had to alter the registry and manually edit Active Directory using ADSIEDIT to change the scope from Domain to Enterprise (now called Forest) or vice-versa. In Windows Server 2008, you can use the Review Configuration option to change the scope on the fly. Clicking Change Scope in figure 2 will bring up a simple dialog box to change from Domain to Forest or Forest to Domain. The only requirement is you must have Enterprise Admin rights or equivalent permissions in Active Directory to make changes to the site object, regardless of which direction you are changing the scope; even if changing the scope from Forest to Domain, Enterprise Admin rights are required to remove the license server entry from the site object.

One final management interface change comes not from the license server side, but from the terminal server side. A new Licensing Diagnosis option exists in the Terminal Services Configuration MMC that can help diagnose licensing-related issues. Information that can be gleaned from here includes the licensing mode of the terminal server, how license server discovery is configured (automatic or static), or any potential issues that may be of concern with discovered license servers, such as the type and version of CALs installed. The Licensing Diagnosis option replaces the LSVIEW resource kit utility from Windows Server 2003 while adding additional functionality.

Revocation of Per-Device CALs

One question that I see often in the support forums is regarding the ability to revoke a CAL from a client machine that either inadvertently received one or was replaced by a new system. Unfortunately Windows Server 2003 had no way of revoking CALs – once the CAL was issued, the only way to recover it was to wait-out the expiration period or call the Clearinghouse to have the lost CAL reissued. However, in Windows Server 2008, Microsoft listened to the roar of customers and now allows the revocation of per-device CALs… with a small catch.

You may only revoke a maximum of 20% of a particular type (version) of CALs installed on a license server at any given time. This means that if you have (50) Windows Server 2008 Per-Device CALs installed on the license server, you may only revoked (10) at any given time.  In addition, each CAL version is treated separately, so if you have (50) Windows Server 2008 and (50) Windows Server 2003 CALs installed, only (10) of each type can be revoked at any given time; you cannot revoke (15) of one type and (5) of another. Also, per-user CALs cannot be “revoked” as they are never issued in the first place; CAL revocation only applies to per-device CALs.

To perform a CAL revocation, you must be a member of the Administrators group on the license server. To revoke a CAL, simply right-click on the issued CAL record in the TS Licensing Manager tool and select Revoke TS CAL.  Revoked CALs are available immediately for issuance to clients. However, remember that CAL revocation is not a substitute for ensuring enough CALs are available to satisfy the license requirements of your organization.

Conclusion

With all the changes to Windows Server 2008 terminal services, it’s a sure bet that customers will be rolling out new servers to take advantage of the new features and functionality. Licensing has always been an area of confusion, so with some careful planning and an understanding of the process, your terminal server environment can run trouble free (well, at least from a licensing perspective). As always, thanks for reading.

If you would like to read the previous article in this series please go to Changes to Windows Server 2008 Terminal Server Licensing (Part 1).

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top