|Licensing Windows Server|
|Sep. 15, 2008|
Microsoft's only server OS, Windows Server, contains myriad capabilities necessary for building and maintaining a network infrastructure, such as directory services and administration tools. It is also the OS platform on which all Microsoft server-based applications are built.
Windows Server generally requires a license for the server and Client Access Licenses (CALs) for each client user or device that accesses the server. External Connectors are available for users outside the organization licensing the server, such as customers. However, OS server licenses come in several editions, and the precise licensing model and rights granted vary by edition—especially related to hardware virtualization. (Hardware virtualization makes it possible for multiple, different OSs to run simultaneously on a computer, each in its own virtual machine that emulates a complete computer in software.) Two server features, Terminal Services and Rights Management Services, also require their own CALs.
Licensing Windows Server for use within an organization is generally straightforward if hardware virtualization is used sparingly—a Standard or Enterprise Edition server license is acquired for each physical server machine and one Windows Server CAL is purchased for each user or device within the organization. However, accommodating scenarios involving nonemployees or making heavy use of virtualization complicates Windows Server licensing considerably.
Windows Server 2008 is available in five different editions. (See the chart "Windows Server 2008 Edition Comparison".)
Standard, Enterprise, and Datacenter editions are differentiated by scalability and availability features as well as by licensing terms governing the maximum number of Windows Server virtual machines (VMs) that can be run simultaneously on the licensed server. All three of these editions come with Hyper-V, Microsoft's new virtualization hypervisor, comparable to offerings from VMware and Citrix / XenSource, which runs directly on the hardware and is responsible for creating, removing, and managing VMs.
The two remaining Windows Server 2008 editions are niche products: one exclusively for servers built with Intel's Itanium processor, the other targeted specifically for Web servers. Neither includes Hyper-V. (Microsoft also offers Hyper-V as a stand-alone product that installs directly on "bare metal"; see the sidebar "Hyper-V Server".)
All server editions except the Itanium Edition support both 32-bit and 64-bit (x64) processors and the installation media include software for both processor architectures. All editions of Windows Server 2008 include rights to downgrade to lesser editions of Windows Server 2008 as well as equivalent or lesser editions of Windows Server 2003 R2, Windows Server 2003, and Windows Server 2000.
The five editions of Windows Server 2008 are as follows:
Standard can play most Windows Server roles, including file server and domain controller, and is limited to four processors and 32GB RAM (4GB on 32-bit processors). It is typically sufficient for any server in a branch office or midsize organization and provides the technical feature set required for many (but not all) servers running in a larger organization.
Certain connection limits in Standard make it unsuitable for a few network infrastructure workloads present in some larger organizations. For example, a Standard server can accept no more than 250 concurrent connections for its Routing and Remote Access Service, which handles virtual private network connections. The same limit applies to its new Terminal Services Gateway feature (explained below). Furthermore, Standard lacks a few capabilities present in higher-end editions, such as Windows failover clustering or partner authentication using Active Directory Federation Services.
Customers can use a machine licensed with Standard to run Windows Server VMs. Each Standard license entitles customers to run one instance of Windows Server in a VM (called a virtual instance) and one instance on the physical server (physical instance). However, if a VM is run, then the OS on the physical server may be used only to manage and service running VMs (running tools such as System Center Virtual Machine Manager—Microsoft's tool for provisioning, managing, and storing VMs—in the physical OS instance would qualify). For example, hosting two Windows Server VMs on a server would require two Windows Server 2008 Standard licenses to be assigned to the server: one to cover both the physical instance as well as the virtual instance in the first VM, and one license for the virtual instance in the second VM. If more than three VMs are to be hosted on a server, Enterprise and Datacenter editions are more cost-effective licensing options.
Enterprise has no connection limits and can play any Windows Server OS role. It supports up to eight processors and 2TB RAM (64GB on 32-bit processors) and has high-availability features such as 16-node failover clustering (which enables one server to quickly take over the applications and services running on another) and addition of memory to computers while they are running ("hot add").
A single Windows Server 2008 Enterprise license permits customers to run one physical instance of Windows Server 2008 Enterprise and up to four virtual instances (of Windows Server 2008 Standard or Enterprise, or a predecessor version) simultaneously. Though not enforced through any technical means, running a fifth Windows Server VM would be a violation of Enterprise licensing terms. If four VMs are running, the OS on the physical server is not permitted to run any workload beyond managing and servicing the VMs. Note that more than one Enterprise license can be applied to the same physical server. For example, allocating two Enterprise Edition licenses to one server provides the right to run up to eight VMs simultaneously.
Datacenter offers a superset of the Enterprise Edition's capabilities, supporting up to 64 processors and enabling hot replacement of memory and processors, not just hot add of memory as does Enterprise. However, for most customers, Datacenter's greatest appeal is its liberal virtualization licensing rules. A machine licensed for Datacenter can run an unlimited number of virtual instances in VMs (Standard, Enterprise, or Datacenter editions of Windows Server 2008 or its predecessor versions) simultaneously, removing the need to track VM workloads for purposes of Windows Server license compliance and making Datacenter the most flexible and cost-effective OS edition for large-scale consolidation of server workloads.
Unlike Standard and Enterprise, which require one license per physical server (though more licenses can be purchased and assigned to a physical server to increase virtualization rights), Windows Server 2008 Datacenter requires one license per physical processor in the server machine and usage rules dictate the product may not be run on servers with fewer than two processors. Datacenter is the most cost-effective edition when the maximum number of VMs to be run is greater than four times the number of physical processors in the machine. For example, on a two-processor system, Datacenter Edition becomes the most cost-effective option when the peak number of workloads exceeds eight VMs.
Itanium (full name: Windows Server 2008 for Itanium-Based Systems) is licensed per-processor like Datacenter and includes similar high-availability features and hardware limits. As the name implies, the Itanium edition runs only on Intel's Itanium processor family (which implements the IA-64 architecture). The Itanium edition is optimized for large database servers and lacks OS components (such as Print Services) needed for other roles. In fact, SQL Server is the only Microsoft product other than Windows Server to run on Itanium systems. Like Datacenter, the Itanium Edition is licensed to allow unlimited VMs and could be used for server consolidation, but unlike Datacenter, the Itanium Edition does not include and will not work with Microsoft's Hyper-V hypervisor, although other hypervisors could be used.
Windows Web Server (formerly Web Edition) is a low-cost OS edition for public-facing Web sites and Web applications, and for POP3 mail serving. Windows Web Server is licensed per server, but unlike all other editions, it does not require that clients be licensed through CALs or External Connectors, bringing it closer to the cost of so-called LAMP (Linux, Apache, MySQL, and PHP) Web platforms. All content on a server running Windows Web Server must be accessible to users outside the organization that owns the server; licensing rules dictate that the product may not be used to host employee-only material.
A server licensed with Windows Web Server may run some Microsoft Web applications, such as Windows SharePoint Services, but not others, such as Outlook Web Access, a popular Microsoft Web application that makes users' Exchange mailboxes accessible via a browser. Furthermore, Windows Web Server can run database software such as SQL Server or MySQL, but databases running on Windows Web Server may only support dynamic Web content and applications on that computer; the Windows Web Server license prohibits applications on other computers from sharing the database. For example, if multiple servers running Windows Web Server require access to a shared SQL Server database, that database must run on a separate server licensed for Standard, Enterprise, Datacenter, or Itanium Edition.
Windows Web Server can be a member of an Active Directory domain but can't serve as a domain controller, so use of management tools such as Group Policy requires the presence of other editions of Windows Server running on the network. Also, Windows Web Server does not support Hyper-V, making it unsuitable as a virtualization host, and each license entitles the customer to run only a single instance of Windows Web Server on one physical server (although that one instance can run either in a VM or directly on the physical server). Windows Web Server is restricted to four processors and up to 32GB RAM (4GB on 32-bit processors).
The use of hardware virtualization on servers addresses numerous challenges, including maximizing hardware utilization, lowering power consumption, accommodating temporary or intermittent workloads and peaks in demand, simplifying scheduled hardware maintenance, and assuring high availability through automated failover. Besides the virtualization limits associated with most Windows Server edition licenses, there are four other major points customers must understand when making Windows Server licensing decisions in environments where virtualization is or will be heavily exploited.
Only physical servers can be licensed. Server licenses for all editions of Windows Server are assigned to physical servers, not to VMs. Whether or not a customer has the right to run a Windows Server VM on a particular server is determined by what Windows Server license (or licenses) have been purchased and assigned to the physical server and the number of other Windows Server VMs already running at that moment. For example, a physical server with one Windows Server Enterprise Edition license assigned to it, and already running two Windows Server VMs, can run up to two more VMs without requiring additional server OS licenses.
Any server running Windows Server in a VM must be licensed. Customers opting to host Windows Server VMs using a third-party virtualization technology still need to buy Windows Server licenses for the server. For example, a two-processor server using VMware ESX to host an indeterminate number of Windows Server VMs would need to have two Windows Server Datacenter per-processor licenses assigned to it, even though no Windows Server OS is installed on the physical server.
Server OS licenses cannot be moved frequently. For the most part, Microsoft's licensing rules preclude casual reassignment of Windows Server licenses (any edition) from one physical server to another in an effort to maintain license compliance as a Windows Server VM is moved around. Windows Server licenses may not be reassigned to different physical servers more frequently than every 90 days (except if a server is being retired due to permanent hardware failure). This makes it impossible for a Windows Server Standard license to be moved in tandem with a VM as the VM is migrated dynamically among servers in a server farm to balance workloads or to meet temporary requirements. Any server to which a Windows Server VM is moved must have a spare Windows Server license that can be applied to the VM, or moves must be no more frequent than every 90 days.
Heavy use of virtualization leads to Datacenter. Microsoft's virtualization rules—especially the 90-day transfer limit—are a clear effort to use virtualization's rising popularity to stimulate "mix shift": purchase of more expensive editions of Windows Server. Datacenter's unlimited VM provision frees customers from having to keep track of the number of simultaneous VMs running on each server, and Datacenter becomes the least expensive licensing option as VMs proliferate. Also, Datacenter removes any concern over which edition of Windows Server is installed and running in any VM—a Datacenter license allows any VM to run Windows Server Standard, Enterprise, or Datacenter.
Microsoft server applications rules are different from Windows Server OS rules. Effective Sept. 2008, licenses for the latest versions of most (but not all) Microsoft server applications—such as Exchange Server 2007 and SharePoint Server 2007—can be moved anywhere within a server farm as often as a customer likes, making it relatively easy to maintain license compliance as a VM running a Microsoft server application is moved around. (The only caveat is Microsoft's definition of a qualifying server farm—see the licensing brief referenced in the "Resources" section.)
In addition to server licenses (or per-processor licenses in the case of Datacenter Edition), all editions of Windows Server except for Web Edition require clients to be licensed with CALs or External Connectors. Two server features, Terminal Services and Rights Management Services, also require their own CALs. (For prices, see the chart "Licensing Clients for Windows Server Access".)
Organizations making even limited use of Windows Server internally are generally obligated to have each internal client licensed with a CAL for the most recent version of Windows Server deployed within their organization. For example, setting up a single Windows Server 2008 machine as a Dynamic Host Configuration Protocol (DHCP) server triggers the requirement that all clients that might possibly access it (even across a global network) be licensed with a Windows Server 2008 CAL, even though DHCP is arguably an ancillary service and is likely to be accessed infrequently. Furthermore, any client accessing a VM hosted on a Windows Server 2008 machine must be licensed with a Windows Server 2008 CAL, even if the OS running in the VM is a Linux OS or an older version of Windows Server.
Similarly, any Standard, Enterprise, Datacenter, or Itanium Edition machine deployed in an extranet capacity (servicing customers and partners, for example) is very likely to require a Windows Server External Connector license. These four editions are needed in situations where Web Edition does not suffice either because of a capacity or licensing restriction, such as Web Edition's prohibition from hosting a database accessed by other machines. So, for example, a Windows Server Standard machine running a SQL Server database accessed by a cluster of Web Edition servers will require a Windows Server External Connector. The only exception to the External Connector requirement—likely to apply infrequently—is if all use is over the Internet and anonymous, meaning users are not authenticated or otherwise individually identified in any way by the server software. So, in the previous example, to qualify for the External Connector exception, the extranet site using the SQL Server database couldn't provide any form of user personalization.
Special Features of Windows Server Client Licensing
Windows Server conforms to most of the general principles for CAL and External Connector requirements. (See the sidebar "CALs and External Connectors".) However, there are some notable exceptions:
Not every new Windows Server version requires new CALs. Typically when customers upgrade a server product, the company requires customers to acquire CALs (or an External Connector) of a corresponding version. While this is true for "major" versions of Windows Server, such as Windows Server 2003 and Windows Server 2008, in the past it has not applied to "minor" versions, such as Windows Server 2003 Release 2 (R2), which continues to use Windows Server 2003 CALs to license client access. The next release of Windows Server, expected in 2010, will carry a R2 designation (Windows Server 2008 R2) and will likely require only Windows Server 2008 CALs.
A concurrent licensing option is offered. As with most other server products, CALs can be assigned per-user or per-device. However, Windows Server offers a third option, called "per-server," which amounts to a form of concurrent use licensing. This option, typically of interest only to smaller organizations deploying a single Windows Server machine, allows a customer to assign CALs to a specific server equal to the maximum number of simultaneous client connections they want that server to support.
Terminal Services Client Licensing
Terminal Services allows users to interact with applications that are executing on a remote Windows Server running the Terminal Server role rather than executing on the user's local computer. Terminal Services uses the Remote Desktop Protocol (RDP) to send the user's input to the remote application and display the application's output on the user's computer.
Terminal Services requires its own client licenses; the Windows Server CAL and External Connector do not grant rights to use Terminal Services. Terminal Services clients can be licensed by Terminal Services CALs (for employees) or Terminal Services External Connectors (for nonemployees). Terminal Services clients require licenses regardless of the type of client access device: PCs running OSs other than Windows, dedicated graphics terminals (such as those from Wyse), and third-party terminal clients (such as those from Citrix) must still be licensed for Terminal Services.
There are two important exceptions. First, up to two administrators at a time may administer a Windows Server computer over RDP. Second, the primary user of a licensed Windows PC does not require a Terminal Services client license to access that PC remotely via RDP. However, many users will access remote PCs inside their organizations using the Windows Server 2008 Terminal Services Gateway feature, which provides an easier-to-configure and more secure way for users to connect to terminal servers and PCs via RDP. If the Terminal Services Gateway feature is used, the user or the user's device needs a Terminal Services client license.
Unlike most Microsoft server products, Terminal Services includes a license manager component that records CALs in electronic form. When CALs are assigned per-device, Terminal Services can enforce compliance by blocking unlicensed client devices. When CALs are assigned per-user, it can assist in compliance by generating a report detailing the number of unique users that have used Terminal Services and comparing it to the number of User CALs installed on the system.
Any Microsoft desktop application running on Terminal Services, such as Office, must be licensed just as it would if it were actually executing on the user's PC.
Active Directory Rights Management Services Client Licensing
Active Directory Rights Management Services (RMS) uses encryption to prevent unauthorized users from opening documents, e-mail, and other protected data and enables applications to selectively enforce restrictions (e.g., "do not print") for particular users. Commonly used to prevent casual or inadvertent disclosure of Office documents and e-mail, RMS protection travels with content and thus can work even if the content is moved to a computer outside an organization's control.
Any user or device that creates or views rights-protected content must be licensed via a Rights Management CAL or External Connector.
Use of RMS requires recent versions of Office as well as SQL Server. Professional Editions of Office 2003 and 2007 applications can be used to create rights-protected content or set rights on existing content. The corresponding Standard Editions can read and edit protected material but cannot create protected content. (The Office bundles offered in volume purchase plans that include Professional Editions of the individual applications are Office 2007 Professional Plus and Office 2007 Enterprise Edition.) RMS also requires SQL Server; while the free SQL Server Express Edition is supported, its limitations cause Microsoft to strongly recommend SQL Server Standard or Enterprise Edition, which must be licensed separately.
Feature-level comparisons of the various Windows Server 2008 editions are available via a link on www.microsoft.com/windowsserver2008/editions/overview.mspx.
Microsoft's Windows Server licensing portal page is www.microsoft.com/windowsserver2008/en/us/licensing-overview.aspx.
A lengthy Windows Server 2008 licensing guide is available at download.microsoft.com/download/E/E/C/EECF5D44-9A88-43D8-AFDB-D2AB82BE035C/Win%20Server%20Lic%20Book%20customer%20hi-res.pdf.
Terminal Services and Rights Management Services technology is explained in the Mar. 2008 Research Report, "Windows Server 2008: An Important Upgrade."
Terminal Services' license tracking capabilities are explained in depth in "Windows Server 2008 TS Licensing Step-By-Step Guide" available at go.microsoft.com/fwlink/?LinkID=87348.
Changes to licensing due to increased use of virtualization are detailed in "Server Virtualization Rules Relaxed" on page 27 of the Sept. 2008 Update, "Virtualization Licensing Adapts to New Challenges" on page 46 of the June 2007 Update, and "Licensing Retooled for Server Software on Virtual Systems" on page 34 of the Nov. 2005 Update.
Rules governing the reassignment of server application and External Connector licenses between physical machines are detailed in the Aug. 2008 licensing brief "Application Server License Mobility," which is available via a link on the Volume Licensing Briefs page at www.microsoft.com/licensing/resources/volbrief.mspx.