The Scourge of CALs

[USMCGrunt]

Alright guys, we are getting close to deployment but we have lingering questions and unfortunately, the licensing rep I am talking to seems to be completely worthless in this matter.

We are getting a new server that will have Server 2012 installed.
We are going to put it on the network, make it a DC functioning at a 2003 level.
We will then move the roles from three different 2003 machines onto the 2012 server.
Once that is complete, we are going to offline the 2003 machines and then up the domain's functional level to 2012.

With the domain functioning at 2003 levels, CALs are not required but, when we up the domain level, the 2012 server is going to need CALs. My questions relate specifically to the transitioning from 2003 up through to 2012. How are CALs managed, where can I view them, what can we expect to see happen when we bump the functional level up, does it prompt for the CALs, etc...

When given the same information, I got this as a reply:
"The customer needs a Server 2012 CAL when the customer accesses as Server 2012 server, regardless of the AD scheme level. Also, there is no software attached to the CAL. It's a license granting access, without any need for management."

On another network I have two 2012 servers running and functioning at 2003 levels and did not purchase any CALs or even specify in what manner the CALs would function, device or user. These servers serve roughly 50 individuals and work just fine. Because of this, I was under the assumption that CALs are not needed for a domain functioning at 2003 level with Server 2012 operating systems but, based on the information provided by the licensing rep above, it sounds like licensing isn't required by the operating system to actually function, its more a matter of legal rights to software usage.

Can someone provide something for me here, cause I feel like I'm just chasing my tale.

 

[MrMike]

On another network I have two 2012 servers running and functioning at 2003 levels and did not purchase any CALs or even specify in what manner the CALs would function, device or user. These servers serve roughly 50 individuals and work just fine. Because of this, I was under the assumption that CALs are not needed for a domain functioning at 2003 level with Server 2012 operating systems but, based on the information provided by the licensing rep above, it sounds like licensing isn't required by the operating system to actually function, its more a matter of legal rights to software usage.

That is correct. Every user or device must have a CAL. Pick one, that's how you license, and you don't input key codes or software anywhere.

There should have been Server 2003 CALs for the previous servers. Upgrading to Server 2012 requires new CALs entirely, so the other environment needs 50 CALs for the users, or less if there's less devices and more users per device.

 

[bigdogchris]

"The customer needs a Server 2012 CAL when the customer accesses as Server 2012 server, regardless of the AD scheme level.

This doesn't sound like licensing isn't required for 2012 if you're running at 2003 level. Server 2012 would have features available that you gain access to even at 2003 level.

CALs are version specific. They must be the same version or later than the server software being accessed.

Also, when 2008 came out, they specifically said you need 2008 licenses (except for Web and external services) and that 2003 R2 are not legal to use when accessing 2008 software. I see no reason why that has changed with 2012.

If you want to use 2003 CALS you must downgrade the OS. That means, you buy 2012, but install 2003. Key is available in volume license center, if you don't have volume licensing I have no idea where you get a key from.

As for managing CALS, I know 2003 prompted you to choose CAL type, but that's done away with. If you're just using directory services, you just buy the rights and keep track of them. It's an honor system.

One last thing. If you are adding a 2012 server to the domain you need to ADPREP. You have to have this done before joining the server.

 

[USMCGrunt]

So....I understand the idea of licensing and copyright and all that but....that's all im seeing it being here...a big haze of nothing. If I'm hired onto a new network that has zero documentation, where can I go on the server to figure out how many CALs are licensed for the server, where can I go to determine if the server is operating in User or Device mode?

 

[MrMike]

So....I understand the idea of licensing and copyright and all that but....that's all im seeing it being here...a big haze of nothing. If I'm hired onto a new network that has zero documentation, where can I go on the server to figure out how many CALs are licensed for the server, where can I go to determine if the server is operating in User or Device mode?

With regards to the number of CALs that are licensed, it's not per-server. A user or device having a CAL is allowed to access any server appropriate for said CAL. Therefore, you need CALs equal to your number of devices or employees using said devices.

You should have purchase history in the Microsoft Volume Licensing Center, which is where you get your keys and downloads from.

 

[USMCGrunt]

With regards to the number of CALs that are licensed, it's not per-server. A user or device having a CAL is allowed to access any server appropriate for said CAL. Therefore, you need CALs equal to your number of devices or employees using said devices.

You should have purchase history in the Microsoft Volume Licensing Center, which is where you get your keys and downloads from.

Ugh....yes I understand how a CAL works...I want to observe a CAL on the server. I'm looking for tangible evidence of them....its like I'm hunting for big foot. There's gotta be something that points the server at a CAL or a database stored somewhere on the server, otherwise, what's to stop people from running as many computers as they want without paying for the additional licensing?

Also, being that I DID take this network over and its got near zero documentation, I don't have access to VLSC yet to identify how many CALs I DO have.

 

[MrMike]

I apologize if I'm coming across as condescending as I'm not trying to be.

Ugh....yes I understand how a CAL works...I want to observe a CAL on the server.

I'm not sure that you do, and that's why I am attempting to explain. If you understood how a CAL works, you would know there is no way to observe a CAL on a system.

I'm looking for tangible evidence of them....its like I'm hunting for big foot. There's gotta be something that points the server at a CAL or a database stored somewhere on the server, otherwise, what's to stop people from running as many computers as they want without paying for the additional licensing?

There is nothing, it is the honor system basically.

Also, being that I DID take this network over and its got near zero documentation, I don't have access to VLSC yet to identify how many CALs I DO have.

How do you know how many licenses of anything you have, including Windows Server or even Office then?

 

[USMCGrunt]

I apologize if I'm coming across as condescending as I'm not trying to be.



I'm not sure that you do, and that's why I am attempting to explain. If you understood how a CAL works, you would know there is no way to observe a CAL on a system.



There is nothing, it is the honor system basically.



How do you know how many licenses of anything you have, including Windows Server or even Office then?

No, I don't take it as condescending at all actually and maybe your right that I don't understand how they work. I find it especially hard to see any modern software company, ESPECIALLY Microsoft, employ an honor system for software licensing.

I DONT know how many licenses of anything I have, this network is....bad...really, bad. There is limited documentation and there's been new discoveries nearly weekly on new infrastructure devices on the network. Somebody took the book on standards and policy, ripped it in half, burned it, and roasted marshmallows over the flames.

 

[bigdogchris]

When you're talking about basic server CALS, there is no "place to go" to find out what was purchased other than referring to the documentation of the company. If they haven't kept track of that stuff, the best advice I can tell you is to contact all of the companies that this business has purchased from and ask for a purchase history.

 

[Haven]

In older versions of Windows you had to enter CALs into License Manager. With 2008 and forward you don't have to do that anymore. You only need the CALs for showing the BSA if they stop by to ask for your papers.

 

[USMCGrunt]

In older versions of Windows you had to enter CALs into License Manager. With 2008 and forward you don't have to do that anymore. You only need the CALs for showing the BSA if they stop by to ask for your papers.

huh....interesting....just checked our one 2003 installation and the licensing service is shut off...fantastic....another case of software pirating on this network....ridiculous how many shortcuts my predecessors took.

Who/What is the BSA?

 

[bigdogchris]

So check this out, from HP. 2003 CAL is not legal to be used accessing a 2003 VM on 2008 or higher physical hardware, but 2008 CAL is legal to be used accessing a 2008 VM on 2012 hardware. The exception is if you use the Hyper-V stand alone program, then you don't need to upgrade the licenses.

I wonder if this is because 2008/2012 includes at least 1 VM license (or more) where Server 2003 did not include a VM license?

96. If I move an instance of Windows Server 2003 to run as a virtual instance on a server with Windows Server 2008 R2 Enterprise Edition running in the physical OS environment, can I use Windows Server 2003 CALs to access the virtual instance of Windows Server 2003?
No. Because the virtual instance of Windows Server 2003 runs on a Windows Server 2008 R2 license, the user or device accessing the virtual instance of Windows Server 2003 needs a Windows Server 2008 CAL.

98. If I move an instance of Windows Server 2008R2 to run as a virtual instance on a server with Windows Server 2012 running in the physical OS environment, can I use Windows Server 2008 CALs to access the virtual instance of Windows Server 2008?
Yes. When accessing Windows Server in a VM, the version of the CAL may be the same or later as the version of Windows Server in the VM.

 

[USMCGrunt]

So check this out, from HP. 2003 CAL is not legal to be used accessing a 2003 VM on 2008 or higher physical hardware, but 2008 CAL is legal to be used accessing a 2008 VM on 2012 hardware. The exception is if you use the Hyper-V stand alone program, then you don't need to upgrade the licenses.

I wonder if this is because 2008/2012 includes at least 1 VM license (or more) where Server 2003 did not include a VM license?

Q&A 98 contradicts Q&A 96, sounds like a case of someone answering questions who doesn't entirely know how the system works, is trying to skew the truth and getting caught up in their lies, or its just a case of money grabbing, at least that's the way it sounds to me. I would go with the answer for 98 as it generalizes the question at hand and, being this is a Q&A, it's not reasonably expected that a person read every single question asked.

 

[bigdogchris]

Q&A 98 contradicts Q&A 96, sounds like a case of someone answering questions who doesn't entirely know how the system works, is trying to skew the truth and getting caught up in their lies, or its just a case of money grabbing, at least that's the way it sounds to me. I would go with the answer for 98 as it generalizes the question at hand and, being this is a Q&A, it's not reasonably expected that a person read every single question asked.

I got it from HP, but the information is from Microsoft, so it is accurate.

 

[jpochedl]

huh....interesting....just checked our one 2003 installation and the licensing service is shut off...fantastic....another case of software pirating on this network....ridiculous how many shortcuts my predecessors took.

Who/What is the BSA?

The BSA is the Business Software Alliance ... They're a company setup by Microsoft, Adobe, and others who are the one who will pay "rewards" for people to report software piracy... Then they come knocking on the door, saying "prove you've purchased all the software you're using from Microsoft, Adobe, etc (which if you read any EULAs from these companies, they have the right to request this proof at any time) ... Some people like to think of them as the legal mob enforcers of the software world....

http://www.bsa.org/

Basically, all it takes is a disgruntled employee to give the BSA a call. When the BSA comes calling, it's on you to run the audit (at your expense) and provide all the paperwork they request. At that point you either have your paperwork and licenses in order, or you get to buy everything to get up to snuff and pay a nice fine to go along, or they take you to court and charge you with software piracy (at which point the bill is going to be even bigger).

As others have said, CALs are still basically on the honor system. It's odd but true. The same is true for other MSFT CALs too (Exchange, SQL, Sharepoint, Lync, etc). Hopefully somebody, somewhere, either has the login to the Volume Licensing site and the Open License numbers, or copies of all the purchase information stuffed in a file cabinet somewhere. (or if the software was actually purchased one-off, not through a Volume / Open License, maybe the actual CAL certificates are stuffed in a drawer). II know it's not fun, I've been through the process of hunting through file cabinets to find random paper licenses and to organize it all.....

If you don't have this info, then you need to raise the flag with management. Make them aware of the risks they run by not having this info properly managed and maintained. Then do everything you can to make it better.

Good luck to you.

 

[USMCGrunt]

The BSA is the Business Software Alliance ... They're a company setup by Microsoft, Adobe, and others who are the one who will pay "rewards" for people to report software piracy... Then they come knocking on the door, saying "prove you've purchased all the software you're using from Microsoft, Adobe, etc (which if you read any EULAs from these companies, they have the right to request this proof at any time) ... Some people like to think of them as the legal mob enforcers of the software world....

http://www.bsa.org/

Basically, all it takes is a disgruntled employee to give the BSA a call. When the BSA comes calling, it's on you to run the audit (at your expense) and provide all the paperwork they request. At that point you either have your paperwork and licenses in order, or you get to buy everything to get up to snuff and pay a nice fine to go along, or they take you to court and charge you with software piracy (at which point the bill is going to be even bigger).

As others have said, CALs are still basically on the honor system. It's odd but true. The same is true for other MSFT CALs too (Exchange, SQL, Sharepoint, Lync, etc). Hopefully somebody, somewhere, either has the login to the Volume Licensing site and the Open License numbers, or copies of all the purchase information stuffed in a file cabinet somewhere. (or if the software was actually purchased one-off, not through a Volume / Open License, maybe the actual CAL certificates are stuffed in a drawer). II know it's not fun, I've been through the process of hunting through file cabinets to find random paper licenses and to organize it all.....

If you don't have this info, then you need to raise the flag with management. Make them aware of the risks they run by not having this info properly managed and maintained. Then do everything you can to make it better.

Good luck to you.

Awesome....I knew this network was a time bomb...that's just another hidden trigger on it, lol. Thanks for the information guys.

 

[USMCGrunt]

In case you guess are interested in knowing, I said screw it and made an image of a setup machine and copied that image over. A few things I found out in regards to the Windows Key being burnt into the BIOS:

Dell doesn't have any place in BIOS to directly observe it, at least not on OptiPlex 3010s.
While the key IS in BIOS, Windows also stores a copy of it locally.
Though the key is stored locally, when a Windows installation goes to activate itself, it checks the key that's stored in BIOS and if it is different than the locally stored key, it will overwrite the local stored key with what's in BIOS. When I say local, I mean where ever Windows stores its key (registry im guessing).

That last point leaves me wondering what happens if for some reason you want to change your key or installation type, will it always overwrite and ignore any user input data and the future implications of that.

 

[bigdogchris]

In case you guess are interested in knowing, I said screw it and made an image of a setup machine and copied that image over. A few things I found out in regards to the Windows Key being burnt into the BIOS:

Dell doesn't have any place in BIOS to directly observe it, at least not on OptiPlex 3010s.
While the key IS in BIOS, Windows also stores a copy of it locally.
Though the key is stored locally, when a Windows installation goes to activate itself, it checks the key that's stored in BIOS and if it is different than the locally stored key, it will overwrite the local stored key with what's in BIOS. When I say local, I mean where ever Windows stores its key (registry im guessing).

That last point leaves me wondering what happens if for some reason you want to change your key or installation type, will it always overwrite and ignore any user input data and the future implications of that.

Just an FYI, I never said what you're doing isn't possible, I just said it was illegal. I know it's stupid, but it's Microsoft's rules.

But yes, Windows 8 is a little different. In Windows Vista & 7, a certificate file is included on the DVD and when installed, lookss at the BIOS to activate. If no OEM certificate is present, you are not activated and must insert the key which people have to do if they don't have the original install media. Windows 8 works in a similar way but the keys are programmed into the bios and are unique per machine, so it detects when you install the OS and you never have to insert a key. It also detects and installs the proper version of Windows. I imagine when you upgrade your version of Windows that it must block the detection from the BIOS some how so your upgrade stays in place.