Terminal Services Licensing

Let’s move on and talk briefly about Terminal Services Licensing (or TS Licensing) and also hear from more of our experts on the Terminal Services team at Microsoft. The job of TS Licensing is to simplify the task of managing Terminal Services Client Access Licenses (TS CALs). In other words, TS Licensing helps you ensure your TS clients are properly licensed and that you aren’t purchasing too many (or too few) licenses. TS Licensing manages clients that are unlicensed, temporarily licensed, and client-access (that is, permanent) licensed clients, and it manages licenses for both devices and users that are connecting to your terminal servers. The TS Licensing role service in Windows Server 2008 supports terminal servers that run both Windows Server 2008 and Windows Server 2003.

Device-based TS Licensing basically works like this: When a client tries to connect to a terminal server, the terminal server first determines whether the client requires a license (a TS CAL). If the client requires a license, the terminal server contacts your TS Licensing server (usually a separate machine, but for small environments this could also be the terminal server) and requests a license token, which it then forwards to the client. Meanwhile, the TS Licensing server keeps track of all the license tokens you’ve installed on it to ensure your environment complies with licensing requirements. Note that if a client requires a permanent license token, your TS Licensing server must be activated. (Nonactivated TS Licensing servers can issue only temporary tokens.)

A new feature of TS Licensing in Windows Server 2008 is its ability to track issuance of TS Per-User CALs. If your terminal server is configured to use Per-User licensing mode, any user attempting to connect to it must have a TS Per-User CAL. If the user doesn’t, the terminal server will contact the license server to obtain a CAL for her, and administrators can track the issuance of these CALs by using the TS Licensing management tool. Note that TS Per-User CAL tracking and reporting requires an Active Directory infrastructure.

To learn more about managing licensing servers, let’s hear now from our experts. First let’s learn how to configure TS Licensing after this role service has been installed:

TS Licensing Manager, the admin console for Terminal Server License Server, can now find configuration-related issues with a Terminal Server License Server. It displays the License Server configuration status under a new column, Configuration, in the list view. If there are some issues with the License Server configuration, the configuration status will be set to Review.

TS Licensing Manager also allows the admin to view the current License Server configuration settings in detail. The admin can choose Review Configuration from the right-click menu for a License Server, which opens the configuration dialog. The License Server configuration dialog displays the following information:

• TS License Server Database Path

• Current scope for the license server

• Membership of the Terminal Server License Server group at the Active Directory Domain Controller. During installation of the TS Licensing role on a domain machine, the setup tries to add the License Server in the Terminal Server License Server group at the Active Directory Domain controller, for which it requires domain administrator privileges. Membership to this group enables the License Server to track Per-User license usage.

• Status of the global policy License Server Security Group (TSLS). If this policy is enabled and the Terminal Server Computers group is not created, a warning message will be displayed. If the policy is disabled, no message/status will be displayed.

  Admins can take corrective actions if some License Server configuration issues are found. The License Server configuration dialog allows an administrator to take the following actions:

• Change the License Server scope.

• If the License Server scope is set to Forest and the License Server is not published in Active Directory, the License Server configuration dialog shows a warning message to the administrator and allows the administrator to publish the License Server in Active Directory.

• Add to the TSLS group in AD.

• If the License Server Security Group Group Policy is enabled and the Terminal Server Computers local group is not created, the License Server configuration dialog displays the warning message and allows the administrator to create the Terminal Server Computers local group on the License Server.

  –Ajay Kumar

  Software Design Engineer, Terminal Services

Next, let’s learn how revocation of TS CALs works in Windows Server 2008. CAL revocation can be done only with Per-Device CALs, not Per-User ones, and there are some things you need to know about how this works before you begin doing it. Here’s what our next expert has to say concerning this:

CAL Revocation is supported only for Windows Server 2008 TS Per-Device CALs. Terminal Services License Server’s automatic CAL reclamation mentioned later in this sidebar applies only to Per Device CALs.

Per-Device CALs are issued to clients for a certain validity period, after which the CAL expires. If the client accesses the terminal server often, the validity of the CAL is renewed accordingly before its expiration. If the client does not access the terminal server for a long time, the CAL eventually expires. The Terminal Services License Server reclaims all the expired CALs periodically with its automatic CAL reclamation mechanism.

Occasionally, an administrator might need to transfer a Per-Device CAL from the client back into the free license pool on the License Server (a process referred to as reclaiming or revoking) when the original client has been permanently removed from the environment and one needs to reallocate the CAL to a different client. Historically, there was no way to do it. An administrator would have had to wait until the CAL expired or lost its validity and was automatically reclaimed by its mechanism. So it was desired to have the License Server support a mechanism to reclaim or revoke CALs.

Using the new Revoke CAL option in TS Licensing Manager, administrators can now reclaim issued CALs and place them back into a free license pool on the License Server. An administrator has to also select the specific client whose CAL needs to be revoked.

But there are certain restrictions on the number of CALs that can be revoked at a given time. This is a restriction imposed by the License Server to prevent misuse. The restriction can be stated as follows: At any given point in time, the number of LH PD CALs in a revoked state cannot exceed 20 percent of the total number of LH PD CALs installed on the License Server. A CAL goes into a revoked state right after revocation, and its state is cleared when it goes past its original expiration date. One can see the list of CALs in the revoked state in the TS Licensing Manager tool by observing the Status column in the client list view. When the administrator has exceeded this limit, he is given a date when further revocation is possible.

Note that TS CALs should not be revoked to affect concurrent licensing. TS CALs can only be revoked when it is reasonable to assume that the machine they were issued to will no longer participate in the environment, for example, when the machine failed. Client machines, no matter how infrequently they may connect, are required to have a TS CAL at all times. This also applies for per user licensing.

–Harish Kumar Poongan Shanmugam

Software Design Engineer in Test, Terminal Services

Finally, let’s dig into some troubleshooting stuff and learn how we can diagnose licensing problems for terminal servers. Our expert will look at four different troubleshooting scenarios in this next sidebar:

The Licensing Diagnosis tool is now integrated into the Terminal Services Configuration MMC snap-in (TSConfig.msc). This tool on the terminal server, in conjunction with the TS Licensing Manager’s Review Configuration option on the License Server, can be useful in finding problems arising because of a misconfigured TS Licensing setup. The Diagnostic tool does not report all possible problems in all possible scenarios during diagnosis. However, it collates the entire TS Licensing information of Terminal Services and the License Servers at a single place and identifies common licensing configuration errors.

Upon launch of the Licensing Diagnosis tool, it first makes up a list of License Servers that the terminal server can discover via auto-discovery and also those that can be discovered via manual specification by using either the Use The Specified License Servers option in TSConfig.msc (registry-by-pass) or the Use The Specified Terminal Services License Servers Group Policy. It then contacts each License Server in turn to gather its configuration details, such as the activation state, License Key Pack information, relevant Group Policies, and so on. For this to work properly, we need to make sure that the Licensing Diagnosis tool has been launched with credentials that have administrator privileges on the License Servers. If needed, use the Provide Credentials option to specify appropriate credentials for each License Server individually at run time. Then the terminal server’s licensing settings-such as the licensing mode, Group Policies, and so on- are analyzed and compared, together with the License Servers information, to summarize common TS Licensing problems. A summary of diagnostic messages, with the possible resolution steps, is provided by this tool at the end of diagnosis.

We can understand how the tool can be used by considering some sample scenarios.

The terminal server has just been set up, and the licensing mode of the server has remained in Not Yet Configured mode. No other Licensing settings have been done on the TS, and a License Server has not been set up. Within the grace period of 120 days, TS has allowed connection to clients.

Past the grace period, the administrator observes that the clients are no longer able to connect. The administrator launches the diagnostic tool and finds that two diagnostic messages are reported. One message is that the TS mode needs to be configured to either Per-User or Per-Device mode, and the other is that no License Servers have been discovered on the terminal server. The administrator now sets the TS licensing mode to Per-Device mode using TSConfig.msc. (If the TS licensing mode is set up using the Set The Terminal Services Licensing Mode Group Policy, the Licensing tab in TSConfig.msc is disabled.) A License Server is also set up by the administrator in the domain. When rerunning the tool, it now reports that the License Server needs to be activated and License Key Packs of the required TS mode need to be installed on the License Server. And so on.

Case 2: Advanced Diagnosis Cases

The Terminal Services License Server Security Group Policy has been enforced on the domain. The administrator has not added the TS computer name into the Terminal Server Computers local group on the License Server. When the Licensing Diagnosis tool is launched, it displays a diagnostic message indicating that licenses cannot be issued to the given terminal server because of the Group Policy setting. This can be corrected by using the Review Configuration option in TS Licensing Manager to create the TSC group, and TS can be added to the group using the Local Users And Groups MMC snap-in.

If the License Server computer name is not a member of the Terminal Server License Servers local group in the Active Directory Domain Controller of the TS’s domain, peruser licensing and per-user license reporting will not work. In such case, when the Licensing Diagnosis tool is opened on TS, the Per-User Reporting And Tracking field in the License Server Configuration Details panel indicates that per-user tracking is not available. This can be corrected by using the Review Configuration option in TS Licensing Manager to add the License Server computer name into the Terminal Server License Servers group.

Case 3: License Server Discovery Diagnosis on the Terminal Server

During License Server setup, the administrator selected to install the License Server in the Forest Discovery Scope. But as the administrator ran the installation without the required Active Directory privileges, the License Server did not get published in the Active Directory licensing object. When the Licensing Diagnosis tool is launched on the TS, it is unable to discover the License Server. For diagnosing discovery problems, the administrator can initially specify the License Server by manually configuring it in the Use The Specified License Servers option in TSConfig.msc so that the License Server shows up in the diagnostic tool. When rerunning the Licensing Diagnosis tool, the administrator notices that the License Server’s discovery scope is visible in the License Server Configuration Details section. The discovery scope shows up as Domain Scope, instead of Forest Scope. This can be corrected by using the Review Configuration option in TS Licensing Manager and exercising the Change Scope option to set the License Server discovery scope to Forest Scope.

Case 4: Licensing Mode Mismatch Diagnosis

The terminal server is configured in Per-Device licensing mode, but the administrator has installed Per-User licenses on the License Server. On launching the Licensing Diagnosis tool, a diagnostic message shows that the appropriate type of licenses are not installed on the License Server, indicating a potential mode mismatch problem.

–Harish Kumar Poongan Shanmugam

Software Design Engineer in Test, Terminal Services

For a look at how one can use WMI to manage licensing for terminal servers, see the “Terminal Services WMI Provider” section upcoming.