A Windows administrator whose network includes Terminal Services needs to be aware of Microsoft’s recent improvements to how Windows 2000 Terminal Services allocates Terminal Services Client Access Licenses (TS CALs), as well as how to monitor both the license servers and allocated licenses. We’re going to take a step back to look at the bigger picture of how a Windows 2000 terminal server in application mode attempts to find a license server. Having a detailed knowledge of how this license server discovery works means you can plan a more reliable service and efficiently troubleshoot any problems you encounter.

Finding license servers
First of all, it’s important to appreciate that a Terminal Services client does not itself find a license server. Rather, this licensing conversation is always between the terminal server and the license server. When the client connects to a Windows 2000 terminal server in application mode, it is asked for its license and can proceed if a valid license is stored in the registry. If a temporary license, or no license, is presented, the terminal server attempts to find a license server so it can issue either a full license, if one is available, or a temporary license if the client previously had none.

But the terminal server doesn’t wait until clients connect to find a license server. When loading, it attempts to find all the available license servers and keeps a record of them but chooses one to be its current license server. If none is found on loading, it keeps checking in the background. Periodically, it will verify that its chosen license server is still available by using a standard TCP/IP ping. If its chosen license server doesn’t respond, it will select another from the list. If none of the previously catalogued servers responds, it will repeat the discovery process and keep trying if necessary.

Windows 2000 terminal server uses four ways to find a license server:

  • Domain mode—Querying Windows 2000 domain controllers
  • Enterprise mode—Querying Active Directory
  • Workgroup mode—Broadcast
  • Direct mode—Using the DefaultLicenseServer registry option

Domain mode
Domain mode is probably the most common setting and is suitable for most networks. However, it will work only if your Windows 2000 terminal server and license server are in the same Windows 2000 Active Directory domain. (They can be in different subnets and in different Active Directory sites.) Furthermore, your license server must be installed on a domain controller.

When looking for a license server, the terminal server will use its DNS server to find the domain controllers in the domain (using SRV records) and then query them to see whether they respond to a named pipe request called TermServLicensing.

If no license servers are found, the terminal server will keep trying every 15 minutes. Once a license server is selected, it will verify its availability once every two hours.

Enterprise mode
Enterprise mode also works only in a Windows 2000 Active Directory environment and on a domain controller, but the license server can be in a different domain if—and this is a big if—they are in the same Active Directory site. Remember that a site is defined as one or more well-connected networks.

When looking for a license server, the terminal server contacts its trusted domain controller to query Active Directory for its site configuration container (looking for the TS-Enterprise-License-Server object). This value contains the FQDN of the license server and is returned to the terminal server so that a server can be selected to be its current license server. The terminal server can then use the FQDN to contact its selected license server.

If the enterprise license servers are not found, the terminal server will keep trying them every hour. The terminal server will verify it every hour once it’s found.

You can combine both domain mode license servers and enterprise mode license servers on the same network, with domain mode license servers being selected first. Their boundaries of demarcation are the domain and site, respectively.

So if you have a single domain, single site, which mode should you choose? The purist in me prefers the enterprise mode because it makes sense to reference Active Directory for the installed license servers and it results in less traffic. However, my experience with using the different modes (with Win2K SP3) suggested that domain mode was the most resilient when it came to coping with unavailable license servers. On the other hand, if one of the enterprise servers became unavailable, things became very unreliable. Thus, I would have to have a good reason to implement Terminal Services Licensing in enterprise mode in its current state.

Workgroup mode
Workgroup mode is suitable for workgroups (no domain controllers), an NT4 domain, or in cases where a domain mode or enterprise mode license server is not used in a Windows 2000 Active Directory domain. One of the benefits is that the license server does not have to be on a domain controller, but discovery is limited to the local workgroup or domain.

When looking for a license server, the terminal server broadcasts for a named pipe called TermServLicensing. All license servers will respond, and the terminal server will select one of these as its license server.

Like the domain mode, if no license servers are found, the terminal server will keep broadcasting every 15 minutes. Once a license server is selected, it will verify its availability every two hours.

Direct mode
With all the previous options, you can’t influence which license server will be selected when more than one are available at the same time—and Microsoft advises you to have at least two available for redundancy. But you might prefer to select the license server for a number of reasons—for example, asymmetric hardware, easier maintenance, or network topology. Using the standard license server discovery, your best bet is to temporarily stop the Terminal Services Licenses service on all but your preferred server while the terminal server loads, but this may not be practical.

However, by editing the terminal server’s registry, you can bypass the license server discovery process and direct the license requests to a specific server. You need to add the value (type REG_SZ) DefaultLicenseServer to the following key:
HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters

For the value, specify the name (must be resolvable by DNS or WINS) of your selected license server. As with the enterprise mode model, this setting is suitable for multiple domains, and outside Active Directory, it allows a terminal server to contact a license server on the other side of a router.

A disadvantage of this method is that it will result in Event ID 1010 (TermService) being logged to the terminal server’s event log every six hours. You can ignore this; it simply informs you that normal licensing server discovery is not succeeding. More critical, however, is the fact that this method has no failover if it cannot locate the specified server. In that case, client connections will simply be refused. Unfortunately, you can’t list a number of servers to try in sequence, and if the specified server can’t be contacted, the terminal server doesn’t revert to standard license server discovery. I’m told this will be implemented in Windows .NET Server 2003.

Summary
We’ve covered the four ways a Windows 2000 terminal server will attempt to find a license server, and we’ve seen how your choices are often restricted by your existing infrastructure. In my next article, we’ll look at the mechanics of making your configuration choices and see how to monitor and troubleshoot them.