Licensing

Licensing

In the deployment of a terminal server, the question of licensing policy is far from trivial. In corporate environments in particular, terminal servers have hundreds or even thousands of users. For this reason, it is very important to examine licensing in detail.

Types of Licensing

Several types of licenses must be obtained for normal operation of Windows Server 2003 with Terminal Services activated in application server mode. They are:

  • Windows Server 2003 Server License

  • Windows Server 2003 Client Access License (CAL)

  • Windows Server 2003 Terminal Server Client Access License (TS-CAL)

    Note?

    This section does not discuss licenses for applications (for example, Microsoft Office, CorelDRAW, Acrobat Reader, or Oracle Client). These licenses must be bought separately, and they might be based on completely different models.

Windows Server 2003 Server License

When you acquire the server operating system, the Windows Server 2003 Server license is included. It allows you to install and operate Windows Server 2003 and comes with a unique license key. You will be asked for this key when installing the operating system.

Windows Server 2003 Client Access License

Every computer or Windows terminal that establishes a connection to Windows Server 2003 requires the Windows Server 2003 Client Access License. Client access licenses permit clients to use the file, print, or other network services provided by Windows Server 2003. In the past, these licenses were offered as either Per Client or Per Server licenses.

Under the new Windows Server 2003, the Per Client licenses were renamed and can now be purchased Per Device or Per User. A Per User license does not include concurrent users but named users. This means, for instance, that a company does not have to pay license fees for each client that employees use (for example, for access to the intranet). A company in which several employees share a device can also save money by using the Per Device license.

Note?

As mentioned earlier, a client can still access any Windows Server 2003 on the common network with a Per Device or Per User license.

Though seldom used in companies now, a Per Server Client Access License still requires the number of licenses to equal the maximum number of simultaneous server connections. Each device or user can access the server, but the number of simultaneous connections cannot exceed the number of installed Per Server licenses.

Windows Server 2003 Terminal Server Client Access License

Client computers or Windows terminals with a Windows Server 2003 Terminal Server Client Access License are allowed to access Windows Server 2003 Terminal Services. For example, this license is needed to launch a terminal session and execute Windows applications on the server.

Similar to the Client Access License, the Terminal Server Client Access License is available Per Device or Per User. There are no plans to offer a Per Server License.

  • As under Windows 2000, a Per Device license is associated with a terminal device. Each terminal using Terminal Services must have such a license.

  • A Per User license grants a known user an access license for any terminal device. The user can then access the company’s terminal servers from his or her office workstation or handheld device, from a notebook on the road, or from a personal computer from home.

It is possible to mix licensing modes so that both types of licensing are provided on a Terminal Services license server. The home version of the Terminal Server Client Access License that was available under Windows 2000 is no longer offered under Windows Server 2003 because Per User licensing rendered that license superfluous.

Note?

At the time of this writing, Microsoft was not offering Per User licenses for Terminal Services, although Windows Server 2003 is technically capable of handling them. However, all available information available indicates that this licensing mode will be available with a future version of Windows Server 2003.

Operating System Equivalency

Operating system equivalency as it existed under Windows 2000 Server has been scaled back under Windows Server 2003. Under Windows 2000, operating system equivalency allowed clients with the same or with a higher version than the server legal access to Terminal Services without a Terminal Server Client Access License. For example, this applied to combinations of Windows 2000 Professional with Windows 2000 Server or Windows XP with Windows 2000 Server.

Microsoft offers its customers the following options for Windows Server 2003:

  • Customers who signed a Platform or Enterprise Operating System Agreement (EA), or an Upgrade Advantage (UA) or a Software Assurance (SA) agreement, with Microsoft, will receive one Windows Server 2003 Terminal Server Client Access License including Software Assurance for each licensed Windows desktop. As a precondition, the Windows desktops must be covered by these agreements at the time of Windows Server 2003 release. Windows desktop licenses purchased subsequently do not include the Terminal Server Client Access license.

  • Customers holding licenses for Windows XP Professional without upgrade rights (by EA, UA, or SA) at the time of Windows Server 2003 release receive for each of their licenses one Windows Server 2003 Terminal Server Client Access License. This license will exclude upgrade rights that would result from an ES, UA, or SA.

If this licensing model is retained, a Terminal Server Client Access License will have to be obtained for each client device. The only alternative would then be the Per User license.

External Connector License

Another licensing change under Windows Server 2003 relates to the access licenses for anonymous users outside the licensing company. By means of an external connector license (EC), a company can grant external users access to server resources. External users are employees that are not employed by the licensee or associated companies.

This type of license is purchased per accessible server. The external connector license is valid for both server services (Client Access License) and terminal server services (Terminal Server Client Access License). If Windows 2000 Internet connector licenses or terminal server Internet connector licenses are present, they will be replaced by the corresponding external connector licenses.

Note?

Companies can purchase normal licenses for users outside of the company. It can, for example, be more economical to purchase Windows CALs or TS CALs instead of an external connector license for users requiring access to server or terminal server services on the company’s network.

Licensing Method

Terminal Services has its own licensing method for clients logging on to terminal servers. This method differs from the licensing method for “normal” Windows Servers 2003 clients. Clients can log on to a terminal server in application server mode only after they receive a valid license from a license server. If Terminal Services is running in remote desktop mode, two simultaneous logon connections are permitted, and no license server is required.

To use Terminal Services in application server mode, you need an activated license server. After the license server is activated, you can safely install client licenses and assign them to the clients. The first time an unlicensed client attempts to log on to a terminal server, the server contacts the license server and requests a license for this client. (See also the section “License Servers” later in this chapter.) Before licenses can be issued for clients, a licensing server must be installed on the network. This license server must have been activated by Microsoft Clearinghouse and provides encrypted key packages for the client licenses.

Whereas installing the license server on a domain controller was recommended under Windows 2000, this service can now be installed on each member server of a domain or workgroup. The terminal server license server can supply licenses either to its domain or the entire organization. The latter is naturally recommended only if the Active Directory directory service structure has more than one domain.

Microsoft Clearinghouse

Microsoft Clearinghouse is the Microsoft-managed database used to activate license servers and to install, upon request, key packages for the client licenses on license servers. The Clearinghouse stores data on all activated license servers and all key packages issued. In this way, it is easy to track which client licenses are used in an organization that uses terminal servers and to ensure that the organization has purchased enough client licenses. Microsoft Clearinghouse is accessed via Terminal Services licensing.

Click To expand
Figure 2-8: The licensing model for terminal servers under Windows Server 2003.

License Servers

The license server stores all client licenses available in the domain or on the entire network and tracks licenses issued to clients. Before a client receives a license, the terminal server must be able to connect to the activated license server. One license server can support several terminal servers simultaneously.

As an option, the group policies allow controlling the access of individual terminal servers to the licensing service. In this case, only members of the terminal server computer local domain security group can obtain licenses from the terminal server license server.

Installation

When setting up Windows Server 2003, you can optionally install a license server on the computer. However, you can also install it later via Add/Remove Windows Component in the dialog box under Start\Control Panel\Add or Remove Programs.

Click To expand
Figure 2-9: Later installation of Terminal Services licensing.

Because Terminal Services should be installed on member servers specifically set up for these services, it might be better to put the license server on an independent computer. However, if you use the terminal server as an independent server, or if this is the only Windows Server 2003 in a Windows NT 4.0 domain, you can install the terminal server licensing service on the same server.

If you plan to migrate a workgroup or Windows NT 4.0 domain to an active directory domain at a later time, it is recommended that you install the license server on a computer that will also be migrated to that new domain.

Click To expand
Figure 2-10: Determining the role of a license server.

A license server is installed by default as a domain license server and is the best option if each domain is to have its own license server. It is also possible to install a license server as a company license server. This type of license server is recommended if several domains need to be managed.

A terminal server can grant nonlicensed clients a connection for 120 days. After this time, the terminal server will not allow these clients to connect unless a license server is found to provide a client license. A license server that is not yet activated can issue temporary licenses valid for 90 days.

After installation, you can find the license server’s administration interface under Start\Administrative Tools\Terminal Server Licensing.

Click To expand
Figure 2-11: Terminal server licensing right after installation and before activation.

Activation

Before a license server can issue permanent licenses for Terminal Services clients, it must first be activated by Microsoft via Terminal Services licensing. Upon activation, Microsoft issues a digital certificate for a license server. This certificate is used to verify the ownership rights and the identity of the server. A license server with this certificate can conduct transactions with Microsoft and receive client licenses for the terminal servers. There are three ways to activate a license server: automatically over the Internet, manually via a Web browser, or over the telephone. As soon as the license server is activated, it confirms the server’s identity and enables it to receive licenses and issue them to clients.

Click To expand
Figure 2-12: Activation wizard for Windows Server 2003.

After license server activation, key packages for client licenses can be installed on the server. These packages allow the server to issue licenses upon request by terminal servers on the network. The corresponding key packages are stored and tracked on the license server. Microsoft installs key packages for client licenses using the Terminal Services licensing procedure. When Microsoft receives a request to install client licenses, it issues the requested number of key packages to the license server. You can use the same methods to install client licenses as you do to activate a license server.

Under Windows Server 2003, the way access licenses are granted depends on the type of license. The following method is used for a Per Device license. When the client licenses are installed on a license server, the server can issue licenses. When a client attempts to log on to a terminal server, the terminal server recognizes that the client does not have a license. It looks for a license server that can issue a new license to the client. For the first session, the new license is a temporary Per Device license.

If the client logs on again after terminating the first session, an attempt is made to convert the temporary license into a full Per Device license. If no Per Device licenses are available, a temporary license valid for 120 days is issued to the client. After this time, the client will no longer be able to log on to a terminal server.

An issued client license is permanently assigned to a certain computer or terminal and cannot be transferred to another device without manual intervention. A client license is a digitally signed certificate that is stored locally on the client.

The following rule was valid under Windows 2000 up to Service Pack 3: If the certificate was lost, possibly due to hard drive damage, the license could be reactivated only by Microsoft and would be reissued to the client after the system was reinstalled. Windows 2000 Service Pack 3 includes a new function that is valid for Windows Server 2003 terminal server licensing. It is a significant improvement over the licensing process described earlier. If a Terminal Server Client Access License is issued as a Per Device license, it is valid for a random period between 52 and 89 days. Its validity is verified upon each connection. If the license is due to expire within the following 7 days, it is renewed for another period ranging from 52 to 89 days. If there is no license server available when the client logs on, the client can still connect to the terminal server.

If a client does not log on again during the valid period, the license is returned to the pool of available licenses on the license server. This eliminates the danger of losing licenses because of hard drive damage, reinstallation of clients, or test connections to the terminal server. You will find a more detailed description of this procedure at http://support.microsoft.com/ under Knowledge Base article 287687, “Before a license server can issue permanent licenses for Terminal Services.”