Embed Size (px)
Citation preview
1 | P a g e
Changes to Windows 2008 terminal Server Licensing
Abstract
This document provides information of changes to Terminal Server Licensing in Windows 2008,
the goal of this document is to provide overview of all changes with respect to Windows 2008
Terminal Server Licensing.
2 | P a g e
Contents:
1. Per Device Client Access Licenses Revocation 2. Per User Client Access Tracking and Reporting: 3. License Database Files 4. Windows 2008 Client Access License Support
5. Grace Period based on Operating System
6. Reviewing Configuration of Terminal License Server
7. Improvements to License Manager
8. WMI Providers for Administration
9. Manually publishing and Un-Publishing Terminal Server license Server
10. Licensing Diagnosis Problems and Resolutions
3 | P a g e
Per Device CAL Revocation:
Earlier, it was not possible to revoke a license issued to a client. Issued licenses would automatically expire after a random period between 52-89 days and become part of the available license pool. Some customers wanted to have the ability to revoke a license and make it available immediately. The typical scenario is where a particular machine would no longer be used (e.g.: a machine was getting formatted) and the license had to be made available immediately to another client without waiting for the expiration period. To address this, we now have support for revoking a license. Through the License Manager UI or the new WMI providers in Windows 2008, you can select a per-device CAL that was issued to a particular client machine and choose to revoke it.
Note that you can only revoke 20% or 1 of a specific version of a CAL at a time. So if there were 100 Windows Server 2003 per-device CALs installed, you could revoke only 20 of them at a time. Also note that revocation support is currently only for per-device CALs
4 | P a g e
Per User Client Access Tracking and Reporting:
Prior to Windows 2008, per-user licenses were not issued. Thus there was no easy way to track if the usage of per-user licenses was in line with the EULA and the licensing agreements. With Windows 2008, you can easily track usage and create reports of how many per-user licenses were issued. Reports can be accessed both through the License Manager UI as well as the WMI providers.
Note that in Windows 2008, per-user licenses are only tracked and not enforced
Track the Issuance of Terminal Services Per User Client Access Licenses
1. Click Create Report. The report will be created and a message will appear to confirm that the report was successfully created.
Click OK to close the message
2. The report that you created will appear in the Reports section under the node for the license server. The report provides the following information:
Date and time the report was created
The scope of the report (e.g., Domain, OU=Sales, or All trusted domains)
The number of TS Per User CALs that are installed on the license server
The number of TS Per User CALs that have been issued by the license server specific to the scope of the report
5 | P a g e
Attributes on Domain Controllers:
Win2K3 Domain Controller: Terminal Server Win2K8 Domain Controller: msTSManagingLS msTSLicenseVersion msTSExpireDate
6 | P a g e
License Database Files
Changes to database files to Windows 2008
Windows Server 2008 Windows Server 2003 Purpose
edb.chk edb.chk This is a checkpoint file used to determine which transactions in the transaction log (edb.log) must still be committed to the licensing database. This file is updated each time a transaction is committed to disk and is used to quickly recover the integrity of the licensing database if the database was not shut down correctly.
edb.log edb.log Current transaction log for the Terminal Service Licensing database (TLSLic.edb). This file will grow to 5 MB in size, at which time it will be renamed to edbxxxxx.log, starting with edb00001.log and incrementing each time.
edbres00001.jrs
edbres00002.jrs
res1.log
res2.log
Reserve transaction log files that serve as a drive space placeholder. There are two of these created, typically 5 MB in size, and are only used in the event the drive hosting the transaction logs runs out of space. These files are used to facilitate a clean shutdown of the database.
In Windows Server 2003, these files were simply res1.log and res2.log.
edbtmp.log --- This is used as a template transaction log file, which is used when the edb.log file reaches 5 MB in size and is renamed. While edb.log is being renamed, edbtmp.log begins accumulating new transactions, and is then renamed to edb.log once the existing edb.log file has been renamed.
Once edbtmp.log is renamed to edb.log, a new empty edbtmp.log file will be created. There was no Windows Server 2003 equivalent.
TLSLic.edb TLSLic.edb This is the actual Terminal Services Licensing database file.
tmp.edb tmp.edb This is temporary workspace for processing transactions.
7 | P a g e
Windows 2008 Client Access License Support:
Operating System Per-User CAL Per Device
CAL
Internet/External Connector
License
Temporary CAL
“Built-In” CAL
Windows Server 2008
X X - X -
Windows Server 2003
X X X - -
Windows 2000 Server
- X X - X
Grace Period based on Operating System:
The Length of the Grace Period is based on the operating system running on the Terminal
Server.
Operating system running on the terminal server Grace period
Windows Server 2008: 120 days
Windows Server 2003 R2: 120 days
Windows Server 2003: 120 days
Windows 2000: 90 days
8 | P a g e
Reviewing Configuration of Terminal License Server and Creating Per
User License Usage Report:
To create a per user license usage report
1. Open TS Licensing Manager (LicMgr.Exe)
2. Right-click the license server name for which you want to generate the report, and then select the "Create Report" and "Per User CAL Usage …" options.
9 | P a g e
Managing Reports using WMI Providers:
Windows Server 2008 also provides support for managing Per User usage reports using WMI providers. Now, an administrator can write a simple script to generate a usage report for a given scope. Within the script, he can take further action based on the reports. For example, if the number of issued licenses exceeds the number of installed licenses, the script can send an e-mail to the administrator.
Reports generated using WMI are displayed in the TS Licensing Manager, and reports deleted using WMI are also deleted from the TS Licensing Manager.
The following WMI classes are used to generate reports.
Win32_TSLicenseReport:
Windows Server 2008 has a WMI class named "Win32_TSLicenseReport" for managing per user license reports.
This WMI class provides three different interfaces to manage reports:
i. GenerateReport: This interface is used for generating per user license usage reports. Reports can be generated across three different scopes as discussed above. This is a static function.
The syntax of the API is
uint32 GenerateReport ( [in] uint32 ScopeType,
[in] string ScopeValue,
[out] string FileName);
Where
ScopeType: Defines the scope for which the report needs to be generated
1 -> Domain 2 -> Organizational Unit (OU) 3 -> All trusted Domains
ScopeValue: This is used only when ScopeType is "Organizational Unit (OU)",
It should contain the name of the OU for which you want to generate the report in the format "OU=OUName"
10 | P a g e
i. FileName: This is an output parameter containing the file name of the report generated. This file name can be used to perform other operations on the report like Delete and FetchReport.
ii. DeleteReport: This interface is used to delete an existing per user usage report. This is not a static function and must be called from the per user report object.
The syntax of the API is
uint32 DeleteReport ( )
iii. FetchReportEntries: This interface is used to get the user name and other information from a per user usage report. This tool is not a static function and must be called from a per user usage report object.
The syntax of the API is
uint32 FetchReportEntries ( [in] uint32 StartIndex,
[in,out] uint32 Count,
[out] Win32_TSLicenseReportEntry ReportEntries[]);
Where
StartIndex -> Index to start from
Count -> Number of values to be fetched;
If you need to fetch all entries then set StartIndex=0 and Count=0.
ReportEntries -> Array of the objects of Win32_TSLicenseReportEntry; These object contains DomainName\UserName, License Expiry date, Product Version
Win32_TSLicenseReportEntry:
The Win32_TSLicenseReportEntry class provides details of the Per User Licenses issued. This class has three members:
User: User to which the license was issued
ExpirationDate: Expiration date of the license
ProductVersion: Per user license version
11 | P a g e
Reviewing Configuration of Terminal License Server
1. Any configuration problems on the Terminal Server side e.g.: Terminal Server running out of grace period
2. A list of License Servers that the Terminal Server will contact for licenses. This list will include both auto-discovered license servers as well as manually configured license servers
3. For each License Server that the Terminal Server can contact, a. A list of configuration problems with the License Server b. Type and number of CALs issued and available on the server
Total number of available CALs the Terminal Server can get from the contactable License Servers.
(Licensing Diagnosis: Problems and Resolution provided in the End of the Document)
12 | P a g e
13 | P a g e
Improvements to License Manager:
Improvements to the License Manager User Interface to easily spot configuration issues
When you are setting up a license server in the Domain or Forest mode, you could run into configuration errors. Currently there is no easy way to find such errors. With the improvements we have made to License Manager, you will be alerted in the License Manager UI if there are errors in your configuration. In addition you will also be pointed to ways in which you can remedy this situation. Examples of configuration errors that the License Manager will help point out are –
a. The License Server is in the Forest mode but not published in Active Directory. This means that the License Server will not be auto-discoverable.
b. The License Server has a Group Policy set to “Restrict Access to specified Terminal Servers”. However, the local group “Terminal Server Computers” is not present.
c. The License Server is in Domain mode but not installed on a Domain Controller. This means that the License Server will not be auto-discoverable.
d. The License Server is not part of the “Terminal Server License Servers” group in Active Directory. This would prevent per-user licensing from working.
WMI Providers for Administration: With Windows 2008, we added support for WMI providers for Terminal Services Licensing. With the use of these WMI providers, administrators can now script tasks that were in the past available only through the UI. Some of the capabilities that the WMI providers expose would help enable support for tasks like periodically monitoring available licenses on the License Server, generating license usage reports, querying for various properties of the License Server etc. Listed below are examples of the tasks that can be accomplished via WMI –
a) Activating, deactivating or reactivating the license server b) Installing license key-packs c) View details of licenses issued by the License Server d) Generate per-user license reports e) View configuration information of the License Server (e.g.: Is the license server
installed on the Domain Controller? Is the Group Policy to prevent upgrades group enabled on the LS? Etc.)
f) Publish or un-publish the License Server in Active Directory g) Revoke licenses
14 | P a g e
Example for revocation of CAL using WMI Providers:
Windows Server 2008 also provides support for revocation of issued CALs using WMI providers. CALs revoked through WMI are reflected in TS Licensing Manager.
The following WMI class is used to revoke issued CALs:
Win32_TSIssuedLicense:
Windows Server 2008 has a WMI class named "Win32_TSIssuedLicense" for managing issued per device CALs. This WMI class provides the following interface to manually revoke issued CALs:
Revoke: This API can be used to manually revoke an issued CAL. This is a not a static function.
The syntax of the API is
uint32 Revoke( [out] uint32 RevokableCals, [out] DATETIME NextRevokeAllowedOn );
Where,
RevokableCals: Number of TS CALs of the same type as the current object that can be revoked.
NextRevokeAllowedOn: Date that the administrator can next try to revoke licenses. This parameter only contains valid data when the Revoke method call has failed because the maximum revoke count has been reached.
Manually publishing and Un-Publishing Terminal Server license Server:
Terminal Servers automatically discover TS License Servers available in a deployment by querying the Active Directory Catalog for a list of license servers. This list is in the "TS-Enterprise-License-Server" object in the Catalog Server. Typically, License Servers in "Forest" discovery mode publish themselves to this list during installation. However, this process may go wrong for a variety of reasons, and the publishing step may need to be performed manually. Alternatively, when the discovery mode or deployment location of a License Server changes, it may be necessary to un-publish the LS from the list. In this post, I want to discuss how you can perform these manual operations in Windows Server 2003 License Server.
Manually Publishing a License Server for Forest Discovery
15 | P a g e
Typical problems that cause the failure of publishing the TS License Server are:
If during the installation of the License Server, Active Directory was down and the License Server was not published in the Catalog.
If the License Server was installed in Forest mode, but without Enterprise Administrator Credentials, it will not be published in the Catalog.
In these cases, the License Server may need to be manually published. You may also have to create the TS-Enterprise-License-Server object if it does not yet exist in the Catalog Server.
Publishing a License Server
We can manually publish the Terminal Server License Server, using one of the following two methods,
Using "Active Directory Sites and Services":
1. Open the "Active Directory Sites and Services" snapin; Start -> Programs -> Administrative tools -> "Active Directory Sites and Services"
2. Select the Site in which you wish to publish the Terminal Server License Server 3. Open the "TS-Enterprise-License-Server" Object. If the "TS-Enterprise-License-Server"
object is does not exist, you may have to create it. See below. 4. Under the "Licensing Setting" tab click on the "Change" button 5. Add the License Server machine name and click OK
Using ADSI Edit tool:
1. Open the ADSI* Edit tool 2. Select the "CN=Configuration" node 3. Select the "CN=Sites" 4. Open the node of the site where you wish to publish the License Server 5. Open the "CN= TS-Enterprise-License-Server" Object in the right hand panel of the UI. If
the "CN=TS-Enterprise-License-Server" Object is not present use "Creating the "TS-Enterprise-License-Server" Object in the Catalog" to create the "TS-Enterprise-License-Server" Object
6. Select the "siteServer" Attribute and click "Edit" 7. Give the License Server machine name in the LDAP form (for example
"CN=LSMachine,CN=Computers,DC=example,DC=com") and click "Add"
16 | P a g e
Creating the "TS-Enterprise-License-Server" Object in the Catalog
1. Open ADSI Edit tool 2. Select the "CN=Configuration" node 3. Select the "CN=Sites" node 4. Open the node of the site where you wish to create the "TS-Enterprise-License-Server"
object. If there is no such node then there is no License Server installed in "Enterprise mode" in that particular site
5. Action -> New -> Object 6. Select the "licensingSiteSettings" class 7. Give the Value as "TS-Enterprise-License-Server" 8. Click Finish
Manually Un-Publishing a License Server
Typical scenarios that may require manually un-publishing License Server:
While the License Server was being uninstalled, Active Directory was down and License Server could not be un-published from the Catalog.
If you uninstalled the License Server, but without Enterprise Administrator Credentials, in that case also License Server won't be Un-Published from the Catalog.
If License Server machine is being moved from domain to workgroup, then License Server scope automatically changes to workgroup mode. It needs to be un-published manually from the Catalog.
In all of these cases, the entry that is left behind in the TS-Enterprise-License-Server object would cause the TS servers to still look for the License Server, even though the LS server may no longer be available or may have moved to a different network. This may lead problems in license discovery and cause the TS servers to not find the type of CAL needed for a particular user. Therefore, it is a good idea to keep the list as current as possible by manually un-publishing a removed License server from the list in the TS-Enterprise-License-Server object.
Un-Publishing a License Server
We can manually Un-Publish Terminal Server License Server using ADSI Edit tool.
Open ADSI Edit tool* Select the "CN=Configuration" node Again select the "CN=Sites" Open the node of the site, where one wishes to publish the License Server Open the "CN= TS-Enterprise-License-Server" Object in right hand panel of the UI Select "siteServer" Attribute and click "Edit" Select the License Server name under the heading "Value" and click "Remove"
17 | P a g e
Licensing Diagnosis: Problems and Resolutions
Licensing Diagnosis is capable of diagnosing potential problems in a typical terminal server/ license server deployment. Here is the list of the potential problems along with their suggested resolutions.
ISSUES WITH DISCOVERY
Problem 1: The terminal server has not discovered any license servers. If the grace period for the terminal server has expired, connections to the terminal server will be denied unless a license server is configured for the terminal server.
Resolution 1: Configure a license server for the terminal server. If you have an existing license server, use the Terminal Services Configuration tool to specify that license server for the terminal server. Otherwise, install TS Licensing on a computer on your network.
If you have configured a license server for the terminal server but the license server does not appear in the list of discovered license servers, use TS Licensing Manager to review the configuration of the license server. TS Licensing Manager may be launched using the ‘Start TS Licensing manager' action item available in the action pane for Licensing Diagnosis tool.
Problem 2: License server <Server Name> is not available. This could be caused by network connectivity problems, the Terminal Services Licensing service is stopped on the license server, or TS Licensing is no longer installed on the computer.
Resolution 2: Make sure you have network connectivity between the terminal server and the license server. Also check that the Terminal Services Licensing service is started on the license server. If TS Licensing is no longer installed on the computer, ensure that the license server is not manually specified and/or is no longer published in Active Directory Domain Services.
18 | P a g e
ISSUES WITH CREDENTIALS
Problem 3: The Terminal Services Configuration tool is running with local account credentials. Licensing Diagnosis will not be able to discover domain or forest license servers automatically and the Total Number of TS client access licenses available value may be inaccurate.
Resolution 3: For best results with Licensing Diagnosis, use the Terminal Services Configuration tool with domain account credentials.
Problem 4: To identify possible licensing issues, administrator credentials for license server <Server Name> are required.
Resolution 4: Provide administrator credentials for the Terminal Services license server. To provide credentials use the ‘Provide Credentials' action item in the action pane for Licensing Diagnosis.
ISSUES WITH CONFIGURATION
Problem 5: License server <Server Name> cannot issue TS CALs to the terminal server because of a version incompatibility.
Resolution 5: Check that the version of the license server supports issuing TS CALs to the terminal server. The license server must be running the same (or a more recent) version of the operating system as the terminal server. You might need to upgrade your license server to an appropriate operating system or install a new license server with the appropriate operating system.
Problem 6: License server <Server Name> is not activated.
Resolution 6: Use TS Licensing Manager to activate and install TS CALs on the license server. TS Licensing manager may be launched using the ‘Start TS Licensing manager' action item available in the action pane for the Licensing Diagnosis tool.
Problem 7: License server <Server Name> cannot issue TS CALs to the terminal server because the "License server security group" Group Policy setting is enabled.
Resolution 7: Add the computer account for the terminal server to the Terminal Server Computers group on the license server.
Problem 8: The licensing mode for the terminal server is not configured.
Resolution 8: Set the licensing mode on the terminal server to either Per User or Per Device by using Terminal Services Configuration tool. Use TS Licensing Manager to install the corresponding TS CALs on the license server.
19 | P a g e
Problem 9: The terminal server is in <Per Device or Per User> licensing mode, but license server <Server Name> does not have any <Terminal Server Version> <Per Device or Per User> TS CALs installed.
Resolution 9: Use TS Licensing Manager to install the appropriate TS CALs on the license server. If the license server has installed licenses of the other mode, changing the licensing mode for the terminal server may also resolve the issue. To change the licensing mode, use the Terminal Services Configuration tool.
Problem 10: The terminal server is in <Per Device or Per User> licensing mode, but license server <Server Name> does not have any <Terminal Server Version><Per Device or Per User> TS CALs available. (Note: The license server may have CALs installed but these CALs are currently not available for issuance.)
Resolution 10: Use TS Licensing Manager to install the appropriate TS CALs on the license server. TS Licensing manager may be launched using the ‘Start TS Licensing manager' action item available in the action pane for Licensing Diagnosis tool.
