Now that we've reviewed the details of how licensing works, let's look at some of the issues that affect the design of your TS licensing servers.
- Selecting which Terminal Servers can access which license servers.
- Licensing Terminal Servers in mixed Windows 2000 and Windows 2003 environments.
Enforcing which Terminal Servers are Authorized to Receive Licenses
A new feature of Windows 2003 allows you to specify security permissions for your license servers. That is, you can specify which Terminal Servers are authorized to pass out licenses from a specific license server.
This feature is useful to organizations that manage licensing by business unit or specific user groups, since it can prevent one department from "stealing" another department's licenses.
You must first enable this security feature via a policy applied to the license server (Computer Configuration | Administrative Templates | Windows Components | Terminal Services | Licensing). Once this functionality is enabled, a local group called "Terminal Services Computers" is created on the license server. The License Server will only respond to license requests from servers (or global groups containing servers) whose computer accounts are members of this group.
When this policy is enabled on a license server that's also a domain controller, the group that's created is a domain local group (since domain controllers don't have local groups). Therefore, if you really plan on managing your licenses by department, it's probably not the best idea to install the licensing service on a domain controller.
If you want to manage licenses by business unit, it's usually easiest to install the license server in "domain or workgroup mode" onto a server that's "owned" by that business unit. Then, activate the License Server Security via Group Policy. Once this policy is applied, add the Business Unit's Terminal Servers into the local License Server Security Group, ensuring that only authorized Terminal Servers can receive Terminal Service CALs. This is also a good way to prevent other departments or even rogue Terminal Servers from accessing your license service and using up CALs.
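Once the group is in use, its membership is the access-control list for that department's CALs, so it is worth auditing for drift. The following PowerShell sketch is an added example, not part of the original text: it reads the "Terminal Services Computers" group through the ADSI WinNT provider and compares it with an approved list. The server name `LICSRV01` and the account names are hypothetical placeholders, and it assumes PowerShell 2.0 or later and rights to read the group.

```powershell
# Added example: audit the license server's "Terminal Services Computers" group.
# LICSRV01, TS-FIN-01$ and TS-FIN-02$ are hypothetical placeholders.
param(
    [string]$LicenseServer = 'LICSRV01',
    [string[]]$Approved    = @('TS-FIN-01$', 'TS-FIN-02$')
)

$groupName = 'Terminal Services Computers'   # group created by the policy

# Read one property from a COM member object returned by the WinNT provider.
function Get-AdsiProperty($Object, [string]$Name) {
    $Object.GetType().InvokeMember($Name, 'GetProperty', $null, $Object, $null)
}

try {
    $group   = [ADSI]"WinNT://$LicenseServer/$groupName,group"
    $members = @(@($group.psbase.Invoke('Members')) | ForEach-Object {
        New-Object PSObject -Property @{
            Name  = Get-AdsiProperty $_ 'Name'      # e.g. TS-FIN-01$
            Class = Get-AdsiProperty $_ 'Class'     # account type reported by ADSI
            Path  = Get-AdsiProperty $_ 'ADsPath'   # WinNT://DOMAIN/account
        }
    })
} catch {
    # The group only exists after the License Server Security Group policy is applied.
    Write-Error "Cannot read '$groupName' on ${LicenseServer}: $_"
    exit 2
}

$names      = @($members | ForEach-Object { $_.Name })
$unexpected = @($members  | Where-Object { $Approved -notcontains $_.Name })
$missing    = @($Approved | Where-Object { $names -notcontains $_ })

# Members not on the approved list can draw CALs from this license server.
# A nested global group shows up as one entry; review its contents separately.
$unexpected | ForEach-Object { Write-Warning "Not approved: $($_.Path) [$($_.Class)]" }

# Approved servers missing from the group will be refused licenses.
$missing | ForEach-Object { Write-Warning "Approved but not in group: $_" }

if ($unexpected.Count -gt 0) { exit 1 }
```

Run on a schedule, a non-zero exit code gives a simple signal that a server outside the business unit has been added to the group.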
Licensing in Mixed Windows 2000 / 2003 Environments
If you're migrating from Windows 2000 or if you're running a 2000/2003 mixed environment, there are a few licensing issues to consider when planning your design.
Preventing TS CAL License Upgrades
Since it's possible for a single Windows 2003-based license server to distribute both Windows 2000 and Windows 2003 TS CALs, you need to give some special thought to environments where both are used.
Your Windows 2000 Terminal Servers communicate with your Windows 2003 license server and request licenses from it, and your Windows 2003 license server mimics a Windows 2000 license server.
Because Microsoft licenses are backwards-compatible, the Windows 2003 license server can technically issue either a Windows 2000 or 2003 TS CAL for clients wanting to connect to a Windows 2000 Terminal Server.
The license server will always try to provide the exact match for the version of the license. But what happens when a client device requires a TS CAL to connect to a Windows 2000 Terminal Server and the license server only has 2003 TS CALs available? Should the license server "waste" a 2003 CAL on the Windows 2000 server, or should it provide a 90-day temporary 2003 license? If the client already has a temporary CAL, should the server "upgrade" it to a 2003 permanent TS CAL, or should it deny the user's connection?
The desired outcome of this situation depends upon your business environment. You can specify which behavior you want your licensing server to follow. This functionality is controlled via the "Prevent License Upgrade" policy (Group Policy | Computer Configuration | Administrative Templates | Windows Components | Terminal Services | Licensing).
As the name implies, enabling this policy prohibits a licensing server from ever using a Windows 2003 TS CAL for a Windows 2000 environment. Chapter 6 explains how policies are used and implemented in Terminal Server environments.
Upgrading a Windows 2000 Licensing Server
If you have an existing Windows 2000 license server, it's possible to upgrade it to Windows 2003 while preserving the existing license database. During the upgrade from 2000 to 2003, the license service that was installed will be upgraded and the database content will be migrated into the new license database. After the upgrade to Windows 2003, you'll need to reactivate your license server, just as if you had installed a new license server. This can be accomplished by using the "Reactivate Server" option from the action menu in the Terminal Services Licensing Manager.