Microsoft has made a couple of important improvements to the way Windows Terminal Services handles licensing in Windows 2000 Server. Both improvements have been available as hot fixes for some time, and they’re now included in Windows 2000 SP3. I’m going to recap how Terminal Services Licensing works and outline some of its potential problems so that you can understand how the SP3 licensing enhancements can help.

Terminal Services Licensing: How does it work?
When you run Windows 2000 Terminal Services in Application Mode (the thin client environment), you must also run the Windows 2000 Terminal Services Licensing service. This is true even if you plan to use it only with Windows 2000 or Windows XP clients, which have a built-in Windows 2000 Terminal Services client license, or you plan to use Citrix clients connecting to a Citrix MetaFrame server running on top of Terminal Services.

Once the service is installed, the server hosting it must be activated within 90 days. To do this, you send Microsoft your server’s Product ID. You’ll then receive a license server ID that you type in to complete the activation. You can contact Microsoft in a number of ways, including telephone and fax, but it’s certainly easier if you directly request your license server ID via e-mail or by using a browser.

To activate a Terminal Services Licensing server, open the Terminal Services Licensing console, right-click on your server, and select Activate. Follow the prompts in the Licensing Wizard. If your connecting clients are not Windows 2000 or Windows XP, you need to request and install client-license packs after you’ve activated a license server. You can do this immediately after activation or at a later date.

Fortunately, Windows 2000 and XP clients have a built-in Terminal Services Client Access License (TS CAL), so you don’t need to do anything more with these systems. However, all other clients do require a TS CAL, even if they will be used only to connect to Citrix servers. You’ll need to buy the necessary licenses through your normal Microsoft licensing sources and then install them onto the server running Terminal Services Licensing using the Licensing console. If you are testing with an MSDN version, you can obtain client-license packs only via the telephone.

You can run a Terminal Services Licensing server unactivated for 90 days before Terminal Services clients will be refused a connection for not having a valid license. Use this period to your advantage if you’re evaluating the service to see whether it’s appropriate for your environment and with your applications.

You also have a 90-day grace period for TS CALs. Non-Windows 2000 and XP clients are granted a temporary TS CAL if no client-access license packs have been installed onto the licensing server(s). You’ll see these in the Terminal Services Licensing MMC as “Temporary Licenses for Windows 2000 Terminal Services Client Access License,” with their expiration dates set 90 days from issue, based on the server’s date and time. When client licenses become available, a temporary TS CAL is upgraded to a full TS CAL when the client connects.

Note that TS CALs are per-seat and first-come, first-served. You cannot reserve licenses for certain computers.

Potential problems
Even if you’ve deployed and activated sufficient license servers with sufficient TS CALs, you may still encounter some problems. Running a Terminal Services license service was new for Microsoft, so it’s hardly surprising that there have been a few hiccups in its execution. In a number of instances, more client licenses have been issued by licensing servers than should have been, for various reasons. Redressing the problem puts a burden on both the administrator and Microsoft, because you can’t manually reclaim any incorrectly issued licenses yourself (for example, by deleting them). Instead, you must telephone—rather than e-mail or connect with a browser—Microsoft Clearing House to resolve the problem.

One problem has been with Windows-based terminals (WBTs) that haven’t correctly stored the license. Licenses are issued from the licensing server but not successfully issued to the client, so it requests another license the next time that client connects. Unlike standard computers, which display licenses by name, WBTs display licenses by their IP address or universally unique identifier (UUID) in the Terminal Services Licensing MMC. So, you should look out for repeated instances of the same value for multiple licenses. An upgrade to the firmware on these terminals may resolve the problem.

If you see the same computer name displayed multiple times, a number of explanations are possible. One is cloning. If a new machine name hasn’t been correctly assigned, it will appear on multiple computers. In this case, the number of licenses allocated is correct but they have the same name, so despite appearances, the license count is in order.

Another reason for the same computer name appearing against multiple licenses could be that the computer has been rebuilt or replaced (with the same name) rather than restored after a failure. A software rebuild will wipe the certificate, so an additional license might have been incorrectly allocated.

The problem could also be that connecting users don’t have access to the part of the registry on their computers where the license is stored. Make sure that your users have permissions set to Full Control for the following registry key and subkeys:

A failure to write to this key will be the equivalent of the WBTs that can’t store their licenses.

It’s up to you to keep a careful eye on your license database to ensure that it’s issuing TS CALs only where it should and to buy and install additional licenses as required so that any temporary licenses can be upgraded to full licenses before they expire. Although you can use just the Terminal Services Licensing MMC and check the Event log on the server(s) running Terminal Services Licensing, this maintenance task may be easier if you use the License Reporting Tool from the Windows 2000 Resource Kit so you can automate usage tracking with Excel or a similar program. The article “Check out these hidden extras for Win2K Terminal Services” offers a look at the tool.

Terminal Services Licensing enhancements
Now that we’ve seen how Terminal Services Licensing works and looked at a few potential pitfalls, it’s time to consider the two enhancements that help address some of the problems. The enhancements are called Post Logon License Token Issuance and Automatic License Token Re-issuance. Both offer some help in ensuring that only genuine TS CALs are claimed from your pool of licenses.

As I mentioned earlier, the enhancements have been available for some time as hot fixes. Details appear in Microsoft Knowledge Base article Q287687. But now the enhancements are also bundled into Windows 2000 SP3, which is Microsoft’s preferred method for applying these fixes. If you go the hot fix route, the upgraded files should be installed on both the terminal server(s) and the server(s) running Terminal Services Licensing. The fixes are not required on the Terminal Services clients.

The Post Logon License Token Issuance covers incidences where unauthorized clients try to connect to the terminal server. Out of the box, Windows 2000 Terminal Services, together with Terminal Services Licensing, issues an available TS CAL to a client when it connects to the terminal server, even before it successfully logs on. With this enhancement, a temporary TS CAL is first granted to the user, and only on the second connection and successful logon is that temporary TS CAL upgraded to a full TS CAL.

Although this enhancement doesn’t mitigate the “first come, first served” basis, it does ensure that only clients that can successfully log on to a terminal server (allowed access by administrators) will be allocated licenses. This is particularly relevant if you’ve deployed the browser version of the terminal services client (TSAC). Users who know the names or addresses of your Web server’s virtual site can potentially install the TSAC ad hoc, and those users can then try to connect to terminal servers.

Automatic License Token Re-issuance covers instances in which a computer has been rebuilt or replaced, or the WTBs or restricted registry computers have failed to store the license. Instead of having indefinite licenses, now all TS CALs issued have renewal periods where the license must be renewed with a license server after 52 to 89 days (a random number is chosen when the license is issued). When a license isn’t renewed after the renewal period, this license is returned to the license server as “unallocated” so that it can be reused for other connecting clients.

The change in how TS CALs are issued with these enhancements will take affect only on newly issued licenses, so any licenses issued prior to installation will continue to work as before. Thus, you must still keep a careful eye on these and call Microsoft to reclaim licenses if necessary. However, for new licenses, these automatic self-maintenance techniques should help reduce the administrative overhead of accounting for each license, especially in larger deployments.

Of course, neither of these enhancements will help you if your license server dies or your database gets corrupted, in which case you must restore from backup and call the Microsoft Clearing House if you need to reclaim TS CALs. Before you do this, retrieve your product ID and license server activation code. The output from the last time you ran the License Reporting Tool will also help tremendously. You can find the right telephone number by setting the Connection method to Telephone (either in the Licensing Wizard on a new server or in the server’s Properties if already activated by another method) and selecting your country and region.

The strategy of reclaiming unused licenses works best if you have a large number of licenses available and can afford to incorrectly issue some for a short period of time. In the long term, license count should balance out correctly. But if you have a small number of licenses, which are designed for a set number of clients to use immediately, these enhancements may be less helpful. You may still need to actively reclaim licenses with Microsoft to ensure that your older Terminal Services clients can successfully connect after their 90-day grace period.

Although these enhancements should make it easier to administer this service, they are not an excuse to ignore it. You should still actively monitor and manage your Terminal Services Licensing to make sure it’s working efficiently and effectively on your network.