Licenses to Kill?

Over the past few weeks, I've been examining how Windows 2000 Terminal Server Client Access Licenses (TSCALs) work, and I've found several problems serious enough to cause you headaches if you don't address them. (To read about how TSCALs work, see my article "Windows 2000 vs. NT Terminal Server Licensing," http://www.win2000mag.com/Articles/Content/7875_01.html.) In short, the licensing certificate system doesn't work properly if you reinstall the client OS, replace a machine, or use Windows-based terminals (WBTs) built on the current Microsoft specification. You also can't back up the license store in a way that lets you restore the whole thing.

As I mentioned in the April 26 newsletter, if you perform a clean reinstall of a client OS, you lose the certificate that resided on that machine. The next time the computer tries to connect to the terminal server, the server insists that the client machine get a license. So even if the computer had a license before you reinstalled the OS, it will need another one.

On a similar note, a PC can't release its license and return it to the licensing server. If you lease PCs, you lose the licenses assigned to those machines when you return the equipment. And if a consultant comes to your office for one day, uses his or her laptop to log on to the terminal server, and leaves, the consultant's laptop takes one of those licenses away with it if the laptop is running an OS other than Win2K Pro. You can delete a license on a client computer if you want to, but doing so doesn't return it to the license pool.

If your client machines fall within the 30 percent of terminal server clients that are WBTs, be wary of how you use Win2K TSCALs. According to Allen Nieman, technical product manager for licensing technologies at Microsoft, "the spec for WBTs clearly states that the license certificate issued to the WBT by the Terminal Services license server be stored in a secure, non-volatile area of the WBT's flash ROM. While many WBT OEMs have built their devices to this spec, there are some versions of some OEMs' firmware that do not persistently store the license certificate." In other words, some WBTs have no storage area to retain the license certificate that terminal servers typically assign to PC terminal clients. Each time those WBTs power up, they must query the license server for a new license certificate. Check the license server's database, and you might see entries associated with the terminals' IP addresses or universally unique identifiers (UUIDs).Microsoft Support Online article Q253292 identifies this as a problem for older WBTs, but according to an unofficial source at Microsoft, you're likely to see this problem with virtually all currently deployed WBTs because they can't "remember" the license without the firmware that Microsoft only recently released to manufacturers. Test your WBTs carefully and check with their manufacturers to determine what firmware updates are available.

Finally, if you try to restore a lost terminal services licensing server from a backup onto a new server, the only data you'll restore is a record of what licenses you have issued. You won't have the entire pool with which you started, although you will have a record in the NT Event Viewer's system log that lists the number and type of licenses not issued in the restored database. This feature is by design, so that people can't duplicate the license servers and thus pirate licenses. But Microsoft has yet to tell me just how we're supposed to recreate licensing servers if we can't back them up.

These problems don't render Win2K Terminal Services useless. Most Terminal Services users use PC clients, so the WBT problem won't affect them (certificate issuance problems don't apply to Win2K Professional clients, which have built-in license certificates). You can reclaim lost licenses with the procedure that Microsoft Support Online article Q248430 presents. If you don't reinstall the OS and have only let computers you're planning to keep access the terminal server, you might not have noticed any licensing problems. And Microsoft has promised a fix that should make it simpler to reclaim lost licenses. According to Nieman, "We are planning to include functionality in Whistler to make the transfer of TSCALs significantly easier for the system administrator and thereby resolving the 'license release/re-issue' problem. For Win2K, we are planning to make a QFE (Quick Fix Engineering—it's a hotfix) available to customers with similar functionality as well as rolling that QFE into Service Pack 2 (SP2)."

Nevertheless, the licensing issues are disturbing. We have to use a licensing server with Terminal Services, but it's buggy in a way that might require a lot of maintenance for some customers. The fixes are either "coming soon" or not at all.