SolutionBase: Manage Windows Server 2003 licensing

Windows Server 2003 has so many different license types, you can easily become confused. Here's what you need to know about each type.

Per-User licensing shifts the focus to the client, allowing any number of clients to connect to any server running the target application. A user CAL grants the right for a user to connect to the specified resource from any number of devices. For example, a single user CAL for Exchange Server allows a user to connect from his desktop, notebook, or home computer using Outlook; from a public kiosk using OWA; from a PDA; or from a smart phone. Per-User licensing makes the most sense for companies that have more devices than users.

Per-Device licensing is also available. A device CAL allows a given device to access a particular server application. Device CALs are the same as Per-Seat CALs in Windows 2000 Server and are the logical choice when you have more users than devices. For example, if you have 50 computers on your network but 100 users who share those computers, purchasing device CALs would cost half as much as purchasing user CALs.

How Windows Server tracks licenses
Let's take a look at how Windows Server tracks license usage to help you better understand the differences and similarities between CAL types and licensing modes. For the first example, assume you have 100 users, each of whom has a single desktop computer. You install your server in Per-Server licensing mode. You purchase 100 user CALs and record those in the Licensing console (more on that a bit later). As connections are made to the target application, the License Logging service keeps track of each connection. When the number of user connections reaches 100, no more connections are accepted. If you suddenly added another 25 users, you would have to either purchase and register an additional 25 user CALs in the Licensing console or revoke CALs from 25 existing users. The latter option makes sense only if those 25 users will no longer be accessing the target server application. The more likely situation is that you will need to add CALs for the additional users.

Now, let's consider another example with a manufacturing company that runs three shifts. Each shift has about 50 users who share 10 computers. The actual number of users on a given shift varies as does the number of users from one shift to another. However, there are only 10 devices from which users can connect to the server. This company purchases 10 device CALs. Even though they might have 150 users, they are still legal. Now, let's assume this company, which has previously had its engineering staff at a different site, now adds an engineering department of 25 users. These users have multiple devices, so the company purchases 25 user CALs to go along with the existing 10 device CALs.

Even though you can purchase a mix of device and user CALs, is there a catch to using them? As you'll learn later in this article, when you add a CAL, you can't specify it as either a user CAL or a device CAL—you simply add a CAL. So, how does the Licensing Service keep track of user connections versus device connections? The simple fact is that it doesn't. While it does track CALs purchased and allocated, it doesn't prevent connections when the total number of accesses is reached. In a nutshell, this means that Per-User/Per-Device mode lets you work on the honor system—it's up to you as the server administrator to make sure you have purchased and added the appropriate number of CALs. Your users won't be shut down no matter how many (or how few) CALs you add. User and Device CALs are simply a legal requirement, not a technical one.

No CALs required
There is one situation in which CALs are not required to access the server or a server application: when users make their connections anonymously from the Internet. For example, you don't need CALs to allow customers to anonymously access your Web site. All that is required is a single Windows Server license. If you provide authenticated access to customers or partners, however, you do need to take licensing into account. But, you don't need CALs—you need an External Connector License.

An External Connector License allows an unlimited number of external users to access the server or server application for which the license applies. External Connectors (ECs) do not apply to employees who connect from remote locations—you use CALs for them. Instead, the EC is designed for customers and partners who need to access your server or application. For example, if you provide authenticated access for your customers to obtain inventory or pricing information about your products, you need an EC to legally provide that data.

If you have only a few customers or partners who access your servers, an EC will likely seem fairly expensive. In these situations, you can still purchase and use CALs to allow these users to gain access, rather than purchase the EC. When you are evaluating the necessity for an EC, consider the cost for the appropriate number of CALs against the cost of the EC, then factor in future growth. Keep in mind that the EC allows an unlimited number of connections, so purchasing an EC now might still be more cost effective if the number of users is relatively low now but will grow in the near future.

Managing licenses
Windows Server 2003 provides two tools to help you manage licensing. The first of these is the Licensing applet in the Control Panel, which allows you to manage licenses on the local server. You can use the Licensing applet to add or remove CALs for Windows Server or for specific applications licensed in Per-Server mode. You can also switch the server or applications between Per-Server and Per-User/Per-Device modes.

The Windows Server license allows a one-time, one-way switch from Per-Server to Per-User/Per-Device mode. However, this is a legal limitation, not a technical one. You can use the Licensing applet at any time to switch between modes.

Managing CALs with the Licensing applet is easy. Open the applet and choose the application you want to manage, as shown in Figure A. Choose Windows Server to add Windows CALs. If the target application is not configured for Per-Server mode, the Add Licenses and Remove Licenses buttons are dimmed, and you will have to use the Licensing console, explained next, to manage the CALs. If the application is configured for Per-Server mode, click Add Licenses, enter the number of CALs to add using the Quantity spin control, and click OK.

Figure A
You can manage licenses using the Licensing applet from Control Panel.

You can also remove Per-Server CALs from a server with the Licensing applet. Doing so enables you to legally assign those CALs to another server, giving you the flexibility to move licenses around from server to server as needed. To remove licenses, open the Licensing application, choose the application, and click Remove Licenses. Select the product from the list and use the Number Of Licenses To Remove control to specify the number of licenses you are removing from the server. Then, click OK.

To manage User and Device CALs, use the Licensing console found in the Administrative Tools folder, as shown in Figure B. The Licensing console provides four tabs named Purchase History, Products View, Clients, and Server Browser.

Figure B
You can manage User and Device CALs with the Licensing console.

Use the Purchase History tab to view the CALs that have been added to the target server. This view is read-only and does not give you the capability to manage CALs. The Products View, however, not only organizes assigned CALs by application but also gives the capability to view client accesses for that application, view CAL purchase history for the application, add or remove CALs, and revoke a CAL for a particular user. When you double-click the application, a tabbed dialog box opens that offers three tabs: Clients, Purchase History, and Server Browser.

Use the Clients tab to view the list of users who have accessed the application and the number of accesses. To revoke a license from a user, select the user from the list and click Revoke. The Licensing console prompts you to confirm the revocation.

Use the Purchase History tab to view the CALs that have been installed for the application and to add or delete CALs. The process is similar to the Licensing applet in the Control Panel. Just click New to open the New Client Access License dialog box, enter a quantity in the Quantity control, and click OK.

The Server Browser tab lets you select a server and view products and replication properties for the selected server. Double-clicking a server in the list opens a properties dialog box for the server that provides a Products View tab from which you can view and manage installed CALs and a Replication tab where you configure licensing replication. I'll cover replication a bit later. For now, turn your attention back to the Licensing console.

The Clients tab lists client accesses by product. You can use this view to revoke a license for a specific user. Just double-click the user to open the user's property sheet, and then click Revoke to revoke the license. The Server Browser tab enables you to select a specific server to add or remove Per-Server licenses or change the licensing mode for a selected application on the server. You can also use this tab to explore and manage licensing for products and clients on servers for which you have the necessary administrative authority.

Using license groups
In its default configuration, the License Logging service allocates a license to a user the first time that user accesses the server product. Therefore, the service provides accurate licensing information only if you have one device per user or when you are using Per-User licensing (because you don't need to worry about how many devices each person uses to access the server product). In situations where there are more users than devices and you are using Per-User/Per-Device licensing, you can use license groups to maintain the correct ratio of users-to-devices and maintain accurate license reporting.

Consider our previous example of the manufacturing company with three shifts and 10 computers shared by 150 users. If you did not use a license group, the License Logging service would count each user's access against the total number of CALs and would quickly report that you had exceeded the installed limit of 10 CALs.

A license group pools licenses for devices into a group. In this same example, you would create a single license group, install in it the 10 device CALs, and then add all of the users to the group. As connections are made, the License Logging service determines that a given user is part of the group and counts the access against the group rather than the individual.
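
The counting behavior described above, modeled in a short Python sketch that is added here as an illustration; it is not code from the License Logging service or from the original article. The function names, the `ShopFloor` group name, and the user names are hypothetical, and the model assumes a license group consumes its full allocation once any member connects.

```python
# Simplified model of the license accounting described above (assumption:
# a license group consumes its full allocation once any member connects).

def count_licenses(accesses, groups=None):
    """Return {holder: licenses_used} for a stream of user accesses.

    accesses: iterable of user names, one per connection.
    groups:   {group_name: (allocated_licenses, set_of_member_users)}.
    """
    groups = groups or {}
    member_of = {user: name
                 for name, (_, members) in groups.items()
                 for user in members}
    used = {}
    for user in accesses:
        group = member_of.get(user)
        if group is not None:
            # Access is charged to the group, not the individual.
            used["group:" + group] = groups[group][0]
        else:
            # Default behaviour: one license on the user's first access.
            used["user:" + user] = 1
    return used


def report(accesses, installed, groups=None):
    """Summarise usage against the number of CALs recorded in the console."""
    used = sum(count_licenses(accesses, groups).values())
    return {"installed": installed, "used": used, "exceeded": used > installed}


# Constructed sample data: 150 shift workers sharing 10 computers, plus
# 25 engineers holding user CALs (the article's manufacturing example).
SHIFT_USERS = [f"shift{n:03d}" for n in range(150)]
ENGINEERS = [f"eng{n:02d}" for n in range(25)]
# Repeat connections to show that only the first access allocates a license.
ACCESSES = SHIFT_USERS + ENGINEERS + SHIFT_USERS[:20]

NO_GROUP = report(ACCESSES, installed=35)
WITH_GROUP = report(ACCESSES, installed=35,
                    groups={"ShopFloor": (10, set(SHIFT_USERS))})

if __name__ == "__main__":
    print("without license group:", NO_GROUP)    # 175 used, exceeded
    print("with license group:   ", WITH_GROUP)  # 35 used, within limit
```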

To create a group, open the Licensing console from the Administrative Tools folder and choose Options | Advanced | New License Group. In the resulting New License Group dialog box, enter a name and description for the group, specify the number of licenses for the group, and then click Add. In the Add Users dialog box, select a source from which to select users (such as an Active Directory domain), select the users from the list, and click Add. Click OK after you have added all the users to the group, then click OK to close the New License Group dialog box.

To manage existing license groups, choose Options | Advanced | Edit License Groups. From the resulting License Groups dialog box, you can add and remove license groups as well as edit existing ones.

Managing license servers and replication
Within an Active Directory site, each Windows server on which the License Logging service is running tracks licensing usage and replicates that information to a site license server. By default, the site license server for a site is the first domain controller installed in the site. Depending on your network structure, the number of servers and sites in your organization, and how you prefer to control bandwidth usage, it's possible that at some point you will need to specify a different site license server or reconfigure replication.

To identify or change the site license server, open the Active Directory Sites And Services console from the Administrative Tools folder. Expand the Sites container and click the target site. In the right pane, double-click the Licensing Site Settings object to open the Licensing Site Settings Properties dialog box. The Licensing Settings tab displays the current site license server and domain, as shown in Figure C.

Figure C
You can find the current site license server in Active Directory Sites And Services.

Click Change to open the Select Computer dialog box and choose a different server to act as the site license server. Then, click OK.

To configure replication, open the Licensing console from the Administrative Tools folder and click the Server Browser tab. Expand the tree to locate the server you want to manage, select and then right-click the server, and choose Properties. Click the Replication tab on the resulting dialog box. On the Replication tab, you can choose a specific time at which to start replication or specify periodic replication every n hours. Click OK when you're satisfied with the setting. Then, repeat the process for other servers in the site and vary the time on each server to balance the load on the site license server.

It's not as bad as it seems
Although licensing seems incredibly complex, it really isn't that complex once you understand the basics. I've tried to explain those basics here to help you get a handle on licensing in general. Your next step is to understand the licensing requirements for specific products. A good place to start is the Microsoft Software Asset Management Web site. To learn about licensing for specific products, take a look at Microsoft's CAL Guide. You'll also find product-specific licensing at each product site.