One of the headaches of managing terminal servers is managing license allocation. Even after you resolve the legal aspects of license management, you must still make sure you give Windows Server 2003 and Windows 2000 Server Terminal Services Client Access Licenses (TSCALs) only to clients that really need them.
Certain changes to Terminal Services licensing in Windows 2003 make TSCAL allocation especially relevant. Per-user licensing is now an option, so you can associate TSCALs with individual users and solve the problem of misallocated licenses. However, the unlimited license pool available in earlier versions of Terminal Services is now gone, making the consequences of unauthorized computers connecting to terminal servers more serious.
Windows Server OSs currently have no way to manually return TSCALs to the licensing pool for allocation to another computer. At best, unused licenses revert to the licensing pool automatically, but slowly, taking up to 3 months to return to the database. At worst, they don't return to the license pool at all. Understanding how Terminal Services licensing works and knowing how to prevent unnecessary allocation of TSCALs can help you better control TSCALs and manage them more effectively.
How TSCALs Work
To control how Terminal Services issues TSCALs, you need a basic grasp of Terminal Services licensing. Licensing has three components: the terminal servers, their license servers, and the Microsoft Clearinghouse, the licensing database that activates all license servers and supplies additional TSCALs to license servers that request them. You need a separate TSCAL for each computer that connects to a server that's running in application server mode, although you don't need TSCALs to use one of the two permitted remote connections to a server that's running in remote administration mode.
When a user initiates a connection to the terminal server, the server checks whether the connecting computer has a license associated with it. If the connecting computer has a license, the terminal server lets the connection continue if the user has domain logon privileges and permission to connect to the terminal server. If the computer has no license, the terminal server discovers the license server (either by broadcasting in workgroups and SAM domains or by polling the domain controllers (DCs) in Active Directory (AD) domains) and requests a license. When the license server has a license to issue, it sends the license to the terminal server, which issues it to the client. The client then presents its license to the terminal server and makes the connection. If the terminal server can't connect to the license server, the terminal server can accept a temporary license from the client. If the client doesn't have a valid temporary or permanent license, the terminal server rejects the connection.
When a client disconnects from the terminal server, the client retains its license; the license doesn't return to a pool. Therefore, if you log on to the terminal server once from your office computer and again from your home computer, you use two separate licenses. You can't manually return these licenses to the license server because they're marked in the license server's database as given to a particular machine, which is identified by a globally unique identifier (GUID).
Win2K Server Terminal Services allocates TSCALs to computers, not to users or connections. Citrix MetaFrame XP, add-on software that enhances terminal server management and some client capabilities, is licensed per connection. (Yes, you do need both TSCALs and ICA per-connection licenses to access a terminal server that's running MetaFrame.) Allocating TSCALs to computers has its good and bad points. The benefit is that many people can use the same computer to access a terminal server and legally use the same TSCAL to do it. The drawback is that each computer that connects to a terminal server needs a TSCAL, whether it obtains that TSCAL from an unlimited license pool or from the license server. No client OS has a built-in TSCAL. Remember: After a TSCAL is assigned to a computer, you can't manually return that license to the license pool. This limitation has become both less and more of a problem with Windows 2003, which supports per-user TSCALs but no longer has an unlimited TSCAL license pool for Windows XP clients. (For more information about how licensing works and some specific licensing scenarios, see http://www.termservhub.com/other_resources/definitive_qa.php.)
Envisioning the loss of TSCALs to machines that have no use for them, you might decide to edit user accounts to restrict their access to the terminal server by unchecking the Allow Logon to Terminal Server box. This setting (found in the account properties on the Terminal Services Profile tab) sets you on the right track but doesn't necessarily stop the loss of TSCALs because the permission works on a per-user basis but the licensing works on a per-machine basis. Win2K Server Terminal Services and the default licensing for Windows 2003 Terminal Services issue TSCALs to computers, not users. If an authorized user logs on to a terminal server from a computer that has no TSCAL, the connecting computer uses up a TSCAL in the process.
Strategies for Taking Control
You can control access to terminal servers from both ends: from the server and from clients. Your objective is to prevent unauthorized machines from obtaining licenses and prevent terminal servers from handing out licenses they shouldn't. Use the following strategies to take control of TSCALs:
- Allocate licenses only to computers whose users might access the terminal server.
- Restrict which terminal servers can obtain licenses from available license servers.
- Prevent users from installing Remote Desktop Connection (pre-XP).
- Prevent users from running Remote Desktop Connection (XP).
- Reclaim licenses by installing the Win2K Server post-Service Pack 2 (SP2) hotfix. (For information about this strategy, see the sidebar "Reclaim Unused TSCALs," page 52.)
These strategies require some work but can save you money and hassles with licensing.
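The following is an added example, not code from the article or from Microsoft: a small Python model of the license negotiation described above (the terminal server checks the machine for a TSCAL, asks the license server for one if it has none, falls back to a temporary license when the license server is unreachable, and only then applies the per-user "Allow Logon to Terminal Server" check) together with two of the strategies from the list (per-user instead of per-device allocation, and a license server that issues only to an allowed set of terminal servers). The class names, the `authorized_servers` allowlist, the `temporary` flag on the client and the token format are all assumptions made for the model; the real protocol, database and policy settings are not represented.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set


class Mode(Enum):
    PER_DEVICE = "per-device"  # Win2K and the default for Windows 2003
    PER_USER = "per-user"      # option introduced with Windows 2003


class LicenseServer:
    """Hands out TSCALs and records who holds them; nothing is ever handed back."""

    def __init__(self, pool_size: int, authorized_servers: Optional[Set[str]] = None):
        self.pool = pool_size
        self.issued: Dict[str, str] = {}  # GUID or user name -> TSCAL token
        # Assumed control: only the listed terminal servers may draw from this pool.
        self.authorized = authorized_servers

    def request(self, terminal_server: str, key: str) -> Optional[str]:
        if self.authorized is not None and terminal_server not in self.authorized:
            return None                    # unlisted terminal server gets nothing
        if key in self.issued:
            return self.issued[key]        # already allocated to this GUID/user
        if self.pool == 0:
            return None                    # pool exhausted (no unlimited pool in 2003)
        self.pool -= 1
        token = "TSCAL-%04d" % (len(self.issued) + 1)  # constructed token format
        self.issued[key] = token           # bound to this key for good
        return token


@dataclass
class Client:
    guid: str                       # machine identity the license is bound to
    license: Optional[str] = None   # permanent TSCAL the machine keeps after disconnect
    temporary: bool = False         # holds a temporary license (assumed flag)


@dataclass
class TerminalServer:
    name: str
    license_server: Optional[LicenseServer]   # None models an unreachable license server
    allowed_users: Set[str] = field(default_factory=set)  # "Allow Logon to Terminal Server"
    mode: Mode = Mode.PER_DEVICE

    def connect(self, client: Client, user: str):
        """Return (connected, reason). License negotiation runs before the user check."""
        if self.mode is Mode.PER_DEVICE and client.license:
            pass                                   # machine already presents a TSCAL
        elif self.license_server is None:
            if not client.temporary:
                return False, "license server unreachable and no temporary license"
        else:
            key = client.guid if self.mode is Mode.PER_DEVICE else user
            token = self.license_server.request(self.name, key)
            if token is None:
                return False, "license server issued no license"
            if self.mode is Mode.PER_DEVICE:
                client.license = token             # the machine keeps it from now on
        # The per-user permission is checked only now, so a TSCAL may already be spent
        # on a machine whose user is then turned away.
        if user not in self.allowed_users:
            return False, "user not allowed to log on to terminal server"
        return True, "connected"


def demo_per_device_vs_per_user() -> Dict[str, int]:
    """Same user from two machines: two TSCALs in per-device mode, one in per-user mode."""
    consumed = {}
    for mode in Mode:
        ls = LicenseServer(5)
        ts = TerminalServer("TS1", ls, allowed_users={"alice"}, mode=mode)
        ts.connect(Client("guid-office"), "alice")
        ts.connect(Client("guid-home"), "alice")
        consumed[mode.value] = 5 - ls.pool
    return consumed  # {"per-device": 2, "per-user": 1}


if __name__ == "__main__":
    print(demo_per_device_vs_per_user())
```

Running `demo_per_device_vs_per_user()` reproduces the office-plus-home scenario from the article: per-device allocation spends two TSCALs on one person, per-user allocation spends one. Connecting an unauthorized user from a machine with no TSCAL still drains the pool by one before the logon is refused, which is why the "Allow Logon to Terminal Server" box alone does not protect the pool, and a `TerminalServer` whose name is not in the license server's `authorized_servers` set receives no license at all.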