Terminal Server Licensing - PowerPoint PPT Presentation

1 / 70

About This Presentation

Title:

Terminal Server Licensing

Description:

... xml.rels ppt/s/_rels/26.xml.rels ppt/s/_rels/20.xml.rels ppt ... xml ppt/media/image5.jpeg ppt/media/image13.png ppt/media/image1.png ppt/theme ... – PowerPoint PPT presentation

Number of Views:302

Avg rating:3.0/5.0

Slides: 71

Provided by: dat62

Category:

more less

Transcript and Presenter's Notes

Title: Terminal Server Licensing

1
Terminal Server Licensing

Michael Burke

2
How Many Feel Like This ?
3
Or Perhaps This ?
4
Or Maybe This ?
5
The Importance of Licensing
6
Lack of Understanding Can Lead To
7
Or This Guy Coming for You
8
Whats in a License?
9
Whats in a License?

Server Licenses
One per server instance
Client Access Licenses (CALs)
File and Print
Terminal Server

Application Licenses
Office, Adobe, etc.
Add-on Licenses
Citrix, RTO, Tricerat, etc.

10
Terminal Server CALs

Temporary Terminal Server (TS) CAL
Windows Server 2008 Device TS CAL
Windows Server 2008 User TS CAL
Windows Server 2003 Device TS CAL
Windows Server 2003 User TS CAL
Windows Server 2003 External TS Connector
Windows 2000 TS CAL
Windows 2000 TS Internet Connector License
Windows 2000 Built-in TS CAL

11
Still Here ?
12
Terminal Server CALs

Temporary Terminal Server (TS) CAL
Windows Server 2008 Device TS CAL
Windows Server 2008 User TS CAL
Windows Server 2003 Device TS CAL
Windows Server 2003 User TS CAL
Windows Server 2003 External TS Connector
Windows 2000 TS CAL
Windows 2000 TS Internet Connector License
Windows 2000 Built-in TS CAL

13
Terminal Server CALs

Temporary Terminal Server (TS) CAL
Windows Server Device TS CAL
Windows Server User TS CAL

14
Types of Terminal Server CALs

Temporary CAL
Per-Device CAL
Per-User CAL

First CAL issued
Good for 90 days
Only get one

15
Types of Terminal Server CALs

Temporary CAL
Per-Device CAL
Per-User CAL

Licensed for every known device
Expiring CAL (variable 52-89 days)
Expired licenses returned to the pool every 24
hours

16
Types of Terminal Server CALs

Temporary CAL
Per-Device CAL
Per-User CAL

Licensed for every known user
Still not enforced
Can be tracked

No concurrent use model!
17
Per-Device or Per-User ?

Per-User
More devices than users
Users that use different PCs
Users that connect from multiple locations

Per-Device
More users than devices
PCs shared by multiple users
Swing shifts (help desk)

Whichever is Cheaper!
18
Because its all about this guy
19
Typical Licensing Requirements

Windows Server 2008/2003
Windows Server License per Terminal Server
File and Print CAL for each client user/device
Terminal Server CAL for each client user/device
Application Licenses for each user/instance

20
TS Licensing Infrastructure
Client
Microsoft Clearinghouse
TS License Server
Terminal Servers
21
License Server Fun Facts

At least one activated with TS CALs installed
Lightweight no need for dedicated role
Only active when in use
lt 20 MB RAM
5 MB for every 6000 licenses issued
Can reside on any server

22
License Server Installation

Install the TS Licensing Role on the server
Activate the License Server with the Microsoft
Clearinghouse
Install per-user and/or per-device CALs on the
License Server
Configure your terminal servers to discover/use
the License Server

23
License Server Installation

WS08 Installed as a Role
Choose a Discovery Scope
Workgroup
Domain or Forest
Location of license database
NOT on a compressed drive

24
TS Licensing Tool

Activate/deactivate license servers
Install CAL packs
Manage licenses
Revoke CALs

25
License Service Activation

Activated by the Microsoft Clearinghouse
Obtains certificates from Microsoft (X.509)
Validates the identity of the license server
Allows terminal servers to decode CALs
Stored in HKLM\Software\Microsoft\
TermServLicensing\ Certificates

Microsoft Clearinghouse
TS License Server
26
License Server Discovery

Two ways to locate
Automatically
With a little help

27
TS Licensing Grace Period

120 Days
Terminal Servers accept connections during grace
period
Ends upon issuance of a permanent CAL

28
Automatic Discovery

Workgroup mode Same local subnet as the terminal
server
Domain mode Installed on a domain controller
Forest mode (formerly known as Enterprise mode)
Same Active Directory site
License server and terminal server on same
computer

29
Automatic Discovery

Terminal Servers in a
Workgroup Every 15 minutes
Domain Every 60 seconds
If all known license servers are unreachable
First contact obtains certificates to check CALs

TS License Server
Terminal Servers
30
Configuring Discovery

During Terminal Services installation
Afterwards in Terminal Server Configuration MMC
Group Policy
WMI

31
Upon Successful Discovery

Once found, added to the following key
EnterpriseServerMulti (Forest mode)
DomainLicenseServerMulti (Domain mode)
In the following location
WS03 HKLM\Software\Microsoft\MSLicensing\
Parameters\
WS08 HKLM\System\CurrentControlSet\Control\
Terminal Server\RCM\
Checked periodically

32
Per-Device Discovery Flowchart
Available on MsTerminalServices.org
33
Terminal Server Licensing Modes

Per-Device
Per-Device CALs issued only
Strict enforcement
All devices need one
Per-User
Per-User CALs
Not enforced
Configured in TS Configuration or GPO

34
CAL Allocation Process

Per-Device
Client connects to TS
TS requests license from LS
License issued and passed to TS
TS passed license to client
Client stores license in registry

35
CAL Allocation Process

First logon
Offers HW ID from registry
HKLM\Software\Microsoft\MSLicensing\HardwareID
Issued a temp CAL
Upon successful logon, TS marks CAL validated
Second logon
Attempt upgrade to permanent CAL
Subsequent logons
Present permanent to terminal server
Terminal server validates CAL

36
CAL Allocation Process

Per-User
Client connects to TS
TS checks license server availability
If found, accepts the connection

37
CAL Allocation Process

No CAL assignment takes place
Once grace period expires LS must be reachable
Not enforced

38
Per-Device Flowchart
Available on MsTerminalServices.org
39
Controlling CAL Allocation

By default, a license server can issue CALs to
any license server
Must enable the License Servers security group in
GPO
Populate the Terminal Services Computers group on
the license server

40
Preventing CAL Upgrades

Down-level client can be issued an up-level CAL
WS03 client obtains a WS08 CAL
Prevent this with GPO
Computer Configuration\Administrative
Templates\Windows Components\Terminal
Services\Licensing
Enable Prevent License Upgrade

41
Split Licensing Model
WS03
WS03 License Server
WS03 Terminal Servers
WS08
WS08 License Server
WS08 Terminal Servers
42
CAL Revocation

New for WS08!
Per-Device CALs only
Restricted to 20 of CALs
Performed in TS Licensing Manager or WMI

43
Backing up License Servers

Cannot move a license server
Backup the following
License Server root (C\Windows\System32\Lserver)
System State
Repair directory
Perform and ASR backup

TSLic.edb
44
License Server Recovery

Reinstall Windows Server
Reinstall License Service
Restore the backup
Or perform ASR

45
License Server Recovery

Challenges
Must be identical hardware
Lengthy process
May involve extended downtime

46
A Better Way

Consider image-based backup
Acronis, Symantec, Ghost
Virtual Machine
Portable files for restoration
Easy disaster recovery integration

47
High Availability

License Service is NOT cluster-aware
Two or more license servers

Split CALs between them

48
High Availability
49
HA Considerations

Only concerned with per-device situations
Remember the terminal server checks CALs
No CAL issued temp
Temp CAL connect until expired
Full CAL connect until expired
Expired CAL denied connection

50
License Issuance Matrix
51
Are we at least here?
52
Troubleshooting

Common Issues
No license server installed
Terminal server cannot discover license server
Out of per-device CALs
Wrong licensing mode on license servers

53
Troubleshooting

Check the basics
Event Viewer
Event ID 1004 - The terminal server cannot issue
a client license
Event ID 1010 - The terminal services could not
locate a license server
Event ID 1009 - The terminal server licensing
grace period is about to expire on ltdategt and the
service has not registered with a license server
with installed licenses
Verify the license service is installed
Verify the service is started
Check name resolution/PING

54
MSLicensing Registry Key

Contains the HardwareID of the client
HKLM\Software\Microsoft\MSLicensing\Store\
Common issues
Event ID 1003 invalid license
Out of licenses
Delete MSLicensing key entirely
Client regenerates new random HardwareID key

55
Why Discovery Fails

Network Issues
Failed to install a license server
Wrong scope configuration

The key is discoverability!
56
Checking Discovery

New for WS08!
Terminal Services Configuration MMC
Licensing Diagnosis
Previously LSVIEW from WS03 Reskit

57
License Server Config Review

New for WS08!
Integrated into TS License Manager tool
Change scope

58
CAL Reporting

Previously leveraged LSReport from the WS03
ResKit
Unsupported in WS08, but still works
WS08 includes WMI providers for reporting

59
WMI Providers

http//msdn.microsoft.com/en-us/library/aa383481.a
spx

60
Per-User CAL Usage Reporting

New for WS08!
License server registers CAL in AD user account
terminalServer attribute
Queries AD, not LS database
Relies on membership in Terminal Server License
Servers group

61
Per-User CAL Usage Reporting

Performed through TS License Manager tool
WMI Script

This information is pulled from AD, not the
license database
TS CAL Usage Report TS License Server,"W2K8-1" TS
CAL Type,"Per User" Report Date,"5/15/2008
41953 AM" Report Scope,"Domain" Installed TS
CALs,"0" TS CALs in Use,"1" TS CAL
Availability,"None" Issued to User,TS CAL
Version,Expires On Domain\Administrator,Windows
Server 2008,Thursday August 14 2008 021415
62
Howre we doing?
63
Rule 1