As you're starting to see, the Windows 2003's Terminal Server licensing environment is extremely complex. It's probably also fairly obvious that the licensing service plays a central role. In Windows 2003, this service builds on the licensing functionality that was available in Windows 2000.
The TS licensing service is separate from the actual Terminal Server components that allow users to run remote sessions.
In Windows 2003 Terminal Server environments, the TS licensing service must be installed on a Windows 2003 server. That server can be any server in your environment, and it doesn't have to be a server that's running Terminal Server. Most companies install the TS licensing service on a standard Windows 2003 file and print server.
The TS licensing service can be installed on any Windows 2003 server. It does not have to be installed on a domain controller. Furthermore, this installation can be done at the time of the OS installation or at any time after that via the Control Panel (Control Panel | Add Remove Programs | Windows Components | Terminal Services Licensing Service).
There is no need to build a dedicated licensing server. The TS licensing service can run on any Windows 2003 server without adversely affecting performance. It adds very little CPU or memory overhead, and its hard disk requirements are negligible. The average memory usage is less than 10MB when active, and the license database will grow in increments of only 5 MB for every 6,000 license tokens issued. The license server does not require Internet access.
As part of the licensing service setup, the installation routine asks if you want to set up the license server for your "Enterprise" or "Domain or Workgroup." The option chosen here (called the "scope") dictates how the license server communicates with your Terminal Servers and lets you control which Terminal Servers can receive licenses from your licensing server. You can configure your license server so that it provides licenses for either:
An entire Active Directory site. (Enterprise licensing server)
An entire domain or workgroup. (Domain/workgroup licensing server).
If you choose the "Enterprise" installation option, your licensing server will respond to a license request from any Terminal Server in the same Active Directory site. If Terminal Servers from multiple domains exist in that Active Directory site, the license server will provide licenses for all of them.
This option requires that your Terminal Servers be part of an Active Directory domain. When the licensing service starts, it registers itself with a domain controller and creates a "TS-Licensing" object in the directory, allowing Terminal Servers from any domain to query a domain controller to locate the license server.
Choosing the "Your domain or workgroup" option causes the license server to behave differently, depending on whether it's part of an Active Directory domain.
In AD environments, this choice causes your licensing servers to only respond to license requests from Terminal Servers in the same Active Directory domain. If an Active Directory domain crosses multiple Active Directory sites, the licensing server will fulfill requests from multiple sites. This option is useful in situations where there are multiple business units partitioned into different domains on the same network. A license server from one domain won't give licenses to clients connecting to Terminal Servers from a different domain.
In non-AD environments, choosing this option means that your license server will not attempt to register itself with a domain controller, and your Terminal Servers will have to find your license servers on their own. (More on this later.)
After the TS licensing service is installed on a server, it must be activated by the Microsoft clearinghouse via the Terminal Services Licensing tool. This activation gives the license server the digital certificate it will use to accept and activate TS CALs.
The license server activation is fairly straightforward (Start | Programs | Administrative Tools | Terminal Services Licensing | Right-click on server | Activate). Activation can be accomplished directly via the Internet or via a web page, fax, or telephone call. If you run the licensing tool on a computer other than the license server, the computer that you are using must have access to the Internet—not the license server.
You must install a TS licensing server within 120 days of using Terminal Services on a Windows 2003 server. (This was increased from 90 days with Windows 2000.) If a Windows 2003 Terminal Server can't find a license server after it's been used for 120 days, the Terminal Server will refuse connections to clients without valid TS CALs.
Since you can install the licensing service on any Windows 2003 server in your environment, the real fun begins when you try to get your Terminal Servers to talk to your license server(s). Merely installing a license server on your network does not necessarily mean that your Terminal Servers will be able to find it.
License server "discovery" is the technical term for the process by which Terminal Servers locate and connect to licensing servers. As soon as the Terminal Server role is added to a Windows 2003 server, the server immediately begins the discovery process. License server discovery can happen in a number of ways, depending on which of the following environments the Terminal Server finds itself in:
No domain (workgroup mode).
Windows NT 4.0 domain.
Active Directory domain, with the TS license servers operating in domain mode.
Active Directory domain, with the TS license servers operating in enterprise mode.
Regardless of which of these four situations a Terminal Server is in, you always have the option of manually specifying a license server or servers that each Terminal Server should get licenses from. You can manually configure any Terminal Server to get licenses from any license server—there's no need to stay within domain, subnet, location, or site boundaries.
You can configure a Terminal Server to use a specific license server via the Terminal Server's registry. Be careful though, because this registry edit is not like most others. In this case, rather than specifying a new registry value and then entering data, you have to create a new registry key (or "folder"). To do this, browse to the following registry location:
Add a new key called "LicenseServers." Underneath the new LicenseServers key, create another key with the NetBIOS name of the license server that you want this Terminal Server to use. You don't need to add any values or data under this new key.
Add multiple keys for multiple servers if you wish, although the Terminal Server will only communicate with one license server at a time. Once you're done, reboot the server for it to take affect.
As you'll see, this manual process is needed in situations where the Terminal Servers cannot automatically "discover" the license servers. It's also useful if you want to override the default license server that a Terminal Server discovers.
In non-Active Directory environments, a Terminal Server first looks to the LicenseServer registry location to see if any license servers have been manually specified.
If the registry key is empty or if the server or servers specified there cannot be contacted, the Terminal Server performs a NetBIOS broadcast to attempt to locate a license server. (NetBIOS broadcasts are not routable, so only license servers on the same subnet as the Terminal Server making the broadcast will respond.) If multiple license servers respond, the Terminal Server remembers their names and chooses which it will use exclusively.
Once the Terminal Server picks a license server, the Terminal Server periodically verifies that it exists. (See Figure 4.2.) If the license server ever fails to respond to the verification poll from the Terminal Server, the Terminal Server attempts to connect to one of the other license servers that responded to the original NetBIOS process. If no connection can be made to a license server, the Terminal Server attempts to find a new license server by starting the entire discovery process over again.
License server verified to exist if no activity every
In not found, discovery process occurs every
NT 4 domain or workgroup
When a Terminal Server is a member of an Active Directory domain, the license server discovery process is entirely different.
First, the Terminal Server attempts to contact the license server (or servers) specified in its LicenseServers registry key. If a license server is discovered at any point through this process, the remainder of the discovery process is aborted.
If that attempt fails, the server next looks for an enterprise scope licensing server by performing an LDAP query for the following object in its Active Directory site:
LDAP://CN=TS-Enterprise-License-Server,CN=<site- name>, CN=sites,CN=configuration,DC=<domainname>,DC=com
If that attempt also fails, the Terminal Server begins querying every domain controller in the site, looking for "enterprise scope" licensing servers.
If the Terminal Server still has not found a license server, it will query every other domain controller (outside of its site) to see if any are configured as a domain scope license server.
One thing that you might have noticed about this discovery process is that domain scope license servers must be installed on domain controllers in order for your Terminal Servers to discover them. Domain scope license servers do not register themselves with other domain controllers and Terminal Servers only query domain controllers to see if they are license servers.
There's nothing wrong with installing a domain scope license server on a nondomain controller. Just be aware than you'll need to manually configure the registries of your Terminal Servers to find those license servers. Enterprise scope license servers are not affected, since they register themselves with the domain controllers, even when not installed on a domain controller.
If a Terminal Server does not find a license server via this discovery process, the whole process is started over once every hour.
If license servers are found, the Terminal Server keeps a list of them in its registry. Enterprise licensing servers are stored in the HKLM\Software\Microsoft \MSLicensing\Parameters\EnterpriseServerMulti registry location, and domain licensing servers are stored in the HKLM\Software\Microsoft \MSLicensing\Parameters\DomainLicenseServerMulti registry location. By storing these server names in the registry, a Terminal Server is able to quickly pick a new license server if its primary choice is not available. Once a license server is found, the Terminal Server will only start the discovery process over again if it can't connect to any of the servers in the registry.
You are likely to run into situations in which one of your Terminal Servers cannot find a license server and the reason is not apparent. Fortunately, the Windows Server 2003 Resource Kit includes a Terminal Server License Server viewer tool, LSVIEW.EXE. LSVIEW is a GUI-based tool that is run on a Terminal Server. It provides you with the names and types of each license server that it can discover.
Figure 4.3: Microsoft license server discovery process