Note:
If the license server is set up on the domain controller, then the Network Service account must also be considered a member from the Terminal Server License Servers security group.
>> -->
If you'd wish to read the earlier article in this sequence please go to Modifications to Windows Server 2008 Terminal Server Licensing (Component 1).
This could be the 2nd portion of a two-part article sequence on the alterations to terminal server licensing in Windows Server 2008. In component 1, I mentioned some modifications to the set up method, licensing database and discovery process. In this component, Ill cover some interesting alterations in per-user licensing, CAL reporting, revocation and improvements in the management interface.
CAL Allocation Process
The CAL allocation and tracking approach has evolved over the years as Microsoft has matured the product. Originally, with Windows NT Server 4.0 Terminal Server Edition, Terminal Server CALs were never tracked and licensing enforcement was purely around the honor system.
When Windows 2000 Server arrived, Microsoft began enforcing Terminal Services licensing by requiring CALs for every client that was connecting from a system that pre-dated Windows 2000. However, for those running Windows 2000 or later, they were considered to have equal or greater functionality in the native client OS, so no further purchase was necessary.
Windows Server 2003 Terminal Services brought on a paradigm shift in licensing methodology, requiring each and every client that connected to the Terminal Server to have a TS CAL regardless of whether the client operating system was in the same or newer version. Microsoft considered the Terminal Services capabilities of Server 2003 to be considered a separate licensable technology. At the same time, Microsoft decided to augment their licensing offering so customers could tie a CAL to a user account, rather than to a specific machine, and decided to offer organizations a choice of licensing for Terminal Server clients per-device or per-user. However, the per-user CAL was introduced late in the development method and there wasnt sufficient time to integrate a tracking mechanism, so CALs were simply not tracked.
Windows Server 2008 is supposed to change this by enforcing per-user CAL allocation and use. However, as of Release Candidate 0 (RC0), per-user allocation is tracked (sort of), but not enforced. As connections are accepted by the terminal server, the license server updates the user account in Active Directory with the CAL information, but CALs are never decremented from the licensing database. It appears that the final release will remain this way, although this may change in the final product release.
Licensing type is determined by the licensing mode in the terminal server, just as it was in Windows Server 2003 and likewise, no temporary CALs or permanent per-user CALs are issued to clients when connecting to a terminal server that is in per-user mode. In fact, the entire CAL allocation method for both per-user mode and per-device mode terminal servers remains the same as Windows Server 2003.
The only difference is that per-user CALs are registered in Active Directory with the user account, and while Windows Server 2008 still doesnt enforce per-user CAL allocations, it does allow you to generate reports on CAL usage based on this information.
CAL Usage Reporting
Even though per-user CAL allocation is not tracked in the licensing database, reporting is possible because in the involvement of Active Directory. When a user logs on to a Windows Server 2008 terminal server that is in per-user mode,
microsoft office 2007,
It Security Professionals Jobs - Browse Keywords Job Search Made Easy by Juju, the terminal server checks in with the license server, as it did in Windows Server 2003. The license server then reaches into Active Directory and modifies terminalServer attribute around the user account to add the CAL. The rights to modify the user account are granted through the license servers membership in the Terminal Server License Servers protection group, so the license server ought to remain a member of this group for reporting to work. Furthermore, if your license server will be responsible for issuing and tracking CALs in multiple Active Directory domains, then the license server should be a member of the Terminal Server License Servers safety group in each of those domains in order to update the user account attribute.
Per-user CAL usage reporting is only supported when both the terminal server and the license server are both a member of an Active Directory domain, since the CAL becomes associated with the user account object. Active Directory can be based either on Windows Server 2003 or Windows Server 2008; there are no schema extensions required for per-CAL usage tracking. Because Active Directory is a requirement, per-user CAL usage reporting is not supported where Workgroup-mode license servers are deployed.
The reporting method itself is either performed through the TS Licensing Manager program or via WMI scripting, with the former only supported for per-user CALs. Per-device CAL reporting should be performed using WMI. Reports are generated using real-time data retrieved from Active Directory and stored in the LServer\Reports directory as .DAT files. Although there isnt much that can be done with the .DAT files directly, using the TS Licensing interface, the data in these files can be extracted and saved as text files for viewing.
LSREPORT is a command-line utility that accompanied the Windows Server 2003 resource kit and was used to export per-device CAL data from the licensing database into a tab-delimited text file. Microsoft reports that LSREPORT is no longer supported in Windows Server 2008; however as of RC0 it still appears to work without issues.
Creating a Report
In TS Licensing Manager, right-click Reports from the hierarchy around the left, then select Generate Reports, Per User CAL Usage. On the Create Per User CAL Usage Report screen, select 1 in the following options:
Clicking Create Report will generate the report and create a record in the TS Licensing Manager interface. This record is actually pointing to a .DAT file in the LServer\Reports directory on the license server. To view the data in the report, right-click around the record in TS License Manager and select Save Report. This will save the data as a text file that can viewed in Notepad.
The report output isnt very detailed, but it does provide a list of CALs that have been issued to user accounts. The information is obtained by querying Active Directory user accounts,
Windows 7 Sale, looking for a value in the licenseServers attribute that matches the license servers signature. The following is a sample report output.
Figure 1
Management Interface Changes
Terminal Services Licensing Manager is still a self-contained executable (LicMgr.exe), rather than an MMC snap-in and there is no word as to whether this will end up as an MMC snap-in in the final release of Windows Server 2008. However, TSAdmin.exe, the Terminal Server Administrator program from Windows Server 2003 and earlier, is no longer and has been replaced by a new MMC snap-in.
There are two interesting additions to the functionality from the TS Licensing Manager interface. First is a new sanity check option called Review Configuration (figure 2). This makes sure that any obvious missteps in the configuration or set up of license server components are brought to light, such as neglecting to activate the license server,
Office Professional 2010, add CALs or potential issues regarding discoverability.
Figure 2
The other interesting addition will be the ability to change the license servers discovery scope. Previously, in Windows Server 2003 you had to alter the registry and manually edit Active Directory using ADSIEDIT to change the scope from Domain to Enterprise (now called Forest) or vice-versa. In Windows Server 2008, you can use the Review Configuration option to change the scope on the fly. Clicking Change Scope in figure 2 will bring up a simple dialog box to change from Domain to Forest or Forest to Domain. The only requirement is you should have Enterprise Admin rights or equivalent permissions in Active Directory to make alterations towards the site object,
Office Professional 2010 Sale, regardless of which direction you are changing the scope; even if changing the scope from Forest to Domain, Enterprise Admin rights are required to remove the license server entry from the site object.
One final management interface change comes not from the license server side, but from the terminal server side. A new Licensing Diagnosis option exists in the Terminal Services Configuration MMC that can help diagnose licensing-related issues. Information that can be gleaned from here includes the licensing mode of the terminal server,
Windows 7, how license server discovery is configured (automatic or static), or any potential issues that may be of concern with discovered license servers, such as the type and version of CALs installed. The Licensing Diagnosis option replaces the LSVIEW resource kit utility from Windows Server 2003 while adding additional functionality.
Revocation of Per-Device CALs
One question that I see often in the support forums is regarding the ability to revoke a CAL from a client machine that either inadvertently received one particular or was replaced by a new system. Unfortunately Windows Server 2003 had no way of revoking CALs once the CAL was issued, the only way to recover it was to wait-out the expiration period or call the Clearinghouse to have the lost CAL reissued. However, in Windows Server 2008, Microsoft listened to your roar of customers and now allows the revocation of per-device CALs
with a small catch.
You may only revoke a maximum of 20% of the particular type (version) of CALs installed on a license server at any given time. This means that should you have (50) Windows Server 2008 Per-Device CALs set up on the license server, you may only revoked (10) at any given time. In addition, each CAL version is treated separately, so in the event you have (50) Windows Server 2008 and (50) Windows Server 2003 CALs set up, only (10) of each type can be revoked at any given time; you cannot revoke (15) of a single type and (5) of another. Also, per-user CALs cannot be revoked as they are never issued in the first place; CAL revocation only applies to per-device CALs.
To perform a CAL revocation, you must be a member with the Administrators group on the license server. To revoke a CAL, simply right-click around the issued CAL record in the TS Licensing Manager tool and select Revoke TS CAL. Revoked CALs are available immediately for issuance to clients. However, remember that CAL revocation is not a substitute for ensuring enough CALs are available to satisfy the license requirements of your organization.
Conclusion
With all the changes to Windows Server 2008 terminal services, its a sure bet that customers will be rolling out new servers to take advantage of the new features and functionality. Licensing has always been an area of confusion, so with some careful planning and an understanding in the approach, your terminal server environment can run trouble free (well, at least from a licensing perspective). As always, thanks for reading.
If you'd probably like to read the prior write-up on this sequence make sure you visit Adjustments to Windows Server 2008 Terminal Server Licensing (Part one).