Solved

Where to find CALs in use

Posted on 2014-07-29
12
1,352 Views
Last Modified: 2014-07-30
Guys, I could use some help here. I am been audited by Microsoft and am not sure what to respond to the question:

4.5 Server Application Installed / In Use:

1) Core/Enterprise
   1.1.) Enterprise Device CAL
   1.2.) Enterprise User CAL
   1.3.) Core Device CAL
    1.2.) Core User CAL


My questions:

1) What is Enterprise Vs Core?
I have "Windows Server - User CAL" (and am running WIn 2008 Enterprise) - in this case should I put Standard User CAL or Enterprise User CAL?
2) It says Server Applications Installed - if i currently have 30 CALs in use but have paid for 100 CALs - should I put here 30 or 100. It says installed so I assume they are interested in what's in use? Otherwise they have the total number on the Volume Center' site so makes no sense to ask me about this.
3) Is there anyway to find out how many CALs are in use on Exchange Server 2007, WIndows Server 2008 R2 and Windows Server 2003? I think I have seen this in earlier server versions but could not find it anywhere now.

Thank you in advance!!!!
0
Comment
Question by:Cozumel
  • 4
  • 4
  • 3
  • +1
12 Comments
 
LVL 56

Accepted Solution

by:
Cliff Galiher earned 250 total points
Comment Utility
Microsoft has CAL Suites bundle multiple products together.

There is a core CAL suite. And an enterprise CAL suite. *that* is what they are asking for. It doesn't sound like you have either one, so the answer to both of those specifically is zero.

When dealing with a Microsoft audit, always answer what your documentation says you should have in use. If you have 28 users and 2 machines that are kiosks that guests can use, you'd probably want to claim 28 user CALs are in use and 2 device CALs are in use. And if you don't *have* device CALs, Microsoft will ask you to buy them to "true up" and get legit. But if you try to pull these numbers from a dashboard, Microsoft will inevitably ask you where you got your number and you can find yourself in some punitive damage.  

CALs should *always* be tracked in a spreadsheet. You "assign" a CAL to a user or a device. That's just a column in a spreadsheet, the type of CAL can be another column, and then you can easily calculate totals. Tracking CALs has always been a paper/honor system, but being able to show legitimate documentation is an important step during an audit to show that you *were* following the honor system as intended.

Now a quick mention. There are different kinds of audits (and no, MS will not necessarily tell you what they are auditing. You could just be a standard audit that Microsoft does at random for VL customers, just like the IRS does random audits and some basic questionnaire answers is enough. But they may have seen a red flag (too many activations using the same key, or a disgruntled employee filed a complaint to the BSA) in which case they may request you run an audit utility. Sometimes this data gathering agent is even left in place to collect data for a week. It correlates data from the event logs and if they can't find a way to make the numbers it spits out match the numbers you gave them....it gets ugly. Which is where having that spreadsheet is handy. They'll say "we saw user X sign into machine Y" and you have a spreadsheet that shows user X (or machine Y) was covered by a CAL. And if you can't produce that, they assume you need to buy a CAL and can slap you with a noncompliance fine on top of it.

So don't look for numbers in a dashboard. Actually create this documentation if you don't have it. And use *it* to report your numbers. And don't try to fudge them. If, while creating the documentation, you find you are out of compliance, get true NOW. Be honest about it and MS is very good at working with customers trying to get genuine.

SBS 2003 kept an estimated count. No edition of Server 2008 or higher does. I don't recall anything in Exchange that counds standard licenses, only enterprise CALs (based on whether the archiving or unified messaging role was turned on for a mailbox) which still doesn't cover room mailboxes, etc. So yes, you may have seen something in a dashboard. But don't rely on that (am I repeating myself enough yet?) Hopefully I've been able to stress that point enough...

Since you filed this under the topic of "consulting" I'll also say that this type of documentation is something you should always do for regular clients. Make it part of your onboarding process. It should also be a part of any sale if you sell CALs. That's how you figured out how many CALs to purchase after all, so you should already have that info. If they aren't under contract then obviously you don't need to keep it up to date for them, and you can't force them to. But then if they get audited, updating the documentation is billable hours. And equally importantly, you aren't responsible if they hired more employees and didn't buy more CALs. But if you report to MS incorrectly and it is your signature on the forms, you share liability...even as a consultant. So really, do this. Bill for it if necessary. But do it.

I deal with a lot of MS audits. Some for my regular clients, and some I get called in on because of my reputation as a Microsoft MVP, and I stand by this advice and how to handle an MS audit. It has survived the test of time.

-Cliff
0
 
LVL 24

Expert Comment

by:Mohammed Khawaja
Comment Utility
Been there, done that.  What you should do is install MS MAP.  What you need to do is do an audit with MAP and it will giver version and edition of servers as well as client PCs, active mailboxes, etc.  just a word of caution, they will try to nail you on SQL licenses and virtualization.  It might be a good idea to negotiate for Enterprise Agreement (EA).  Here is a scenario for you:

You have 300 clients where they connect to 5 different SQL servers ranging from version 7 to 2012.  Regardless of how many CALs you have, you need SQL server 2012 CALs (highest version of Server is what you need CALs for and same for Windows server).  If your SQL server 2008 or higher is installed in a virtualized environment then you better have Software Assurance in order to move VM from one host to another. MAP could greatly help you but try not to share the results with MS or else you will be opening a can of worms.
0
 
LVL 24

Assisted Solution

by:Mohammed Khawaja
Mohammed Khawaja earned 150 total points
Comment Utility
As of Windows Server 2003 (or is it 2008), CAL usage is an honor system and there is no track how many Windows CAL you are using.
0
 

Author Comment

by:Cozumel
Comment Utility
Well I don;t mind counting CALs but the thing is I am not sure what else to count besides the users, do I count MFP and other devices, system accounts for backup and other jobs? Or these are strictly end (human) user CALs they ask for?
Also if I have a file server - do I need separate CALs for that server as well?
Cliff - I think I need to report users CALs - I was asked to purchase those when I got the server software, so I assume I'll just count the active users in AD?

Mohammed: We don't have SQL so that's good.
I noticed the option to install their agent but am afraid it might report something to them directly so not a big fan of it before I get an idea of the situation.
0
 
LVL 95

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 100 total points
Comment Utility
If all your users have User CALs then your devices (MFPs, etc) DO NOT need CALs.  
Further (and this might have been mentioned) User CALs are NOT assigned to ACCOUNTS.  They are assigned to human beings.  You could the number of employees by Human Being who use the systems.
0
 
LVL 56

Expert Comment

by:Cliff Galiher
Comment Utility
A user is any physical human that uses a resource on a server. One human *may* have more than one AD account, but they would only require one user CAL in such an instance.

A device is the same way. One device is one physical "thing" on the network that accesses the server. A business can choose to license itself using user CALs only, device CALs only, or a mix of both to best fit their needs.

Take a library. A library may buy user CALs for their staff, so their staff can use multiple devices. User CALs make more economical sense. But they may have a few machines that anyone from the public can come in to use to browse the internet and do research. And those machines may still have access to "stuff" on the library servers, like an intranet card catalog. You can't realistically buy user CALs for every member of the public that might come in off the street, so you'd probably buy a device CAL for those machines.

MFPs fall in that category. If an MFP is *only* used by staff that already has user CALs, their user CAL already covers the windows access they might be using from the MFP. But if the MFP might be used by a guest then user CALs don't make sense and you might want to have a device CAL "assigned" (on paper) to that device.

These types of scenarios are particularly pertinent when businesses set up guest wifi networks. If the guest wifi device can reach the server, even for simple things like DHCP, it would need to be covered by some sort of CAL. I've seen businesses get heavily dinged just because they weren't paying attention to licensing.

So no, you usually don't need to count system accounts (I say usually because, there is always that case where a system account facilitates another device, like a security camera...and the camera still needs a CAL), but other devices may or may not need a CAL depending on how they are used. Licensing is not overly difficult, but it *does* require active planning and can't be done ad-hoc. Which is why accurate documentation is important.
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 

Author Comment

by:Cozumel
Comment Utility
Thank you both for your input, so just one last clarification:

For the question below, if I have let's say 30 active Users CALs who access AD on my 2008 server, should I put those under Enterprise User or Core User? this is the exact name of the license from the Volume Center: "Windows Server - User CAL"


4.5 Server Application Installed / In Use:

1) Core/Enterprise
   1.1.) Enterprise Device CAL
   1.2.) Enterprise User CAL
   1.3.) Core Device CAL
    1.2.) Core User CAL
0
 

Author Comment

by:Cozumel
Comment Utility
Lee, the reason I asked for MFP is that they have mailboxes on my exchange server, so I am not sure if those count against my Exchange CALs.

Do you guys know if Microsoft MAP Toolkit reports directly to Microsoft? I'd like to give a shot but am a bit concern for sending data to them without my knowledge.
0
 
LVL 24

Expert Comment

by:Mohammed Khawaja
Comment Utility
MAP tool DOES NOT report directly to Microsoft.  Shared mailboxes, service accounts, auto-generated emails/batch mailboxes are not considered to have a CAL.  Only 1 CAL is required for a physical human/computer (based if you have user/device CALs) regardless of mailboxes they connect to, SQL servers they connect to or file & print servers they connect to.  There is no such thing as Enterprise Windows CALS, Windows CAL is Windows CAL.  You pay more for the different edition for different features.  With SQL and Exchange it is different.
0
 

Author Comment

by:Cozumel
Comment Utility
Mohammed, you say "there's no such thing as Enterprise Windows CALS" - but this is from Microsoft's form I am filling in right now - it's either Enterprise or Core User CAL so I am baffled.

  1.1.) Enterprise Device CAL
   1.2.) Enterprise User CAL
   1.3.) Core Device CAL
    1.2.) Core User CAL
0
 
LVL 56

Expert Comment

by:Cliff Galiher
Comment Utility
As I said be for, a windows CAL is neither of those. There is such a thing as a core CAL suite and also an important enterprise CAL suite, but that isn't what you have. So your count for those is zero.
0
 
LVL 24

Expert Comment

by:Mohammed Khawaja
Comment Utility
As he mentioned he has access to MVLS and does not have EA, therefore he doesn't own any Enterprise CAL.  Below is a clear description of the two:

CORE CAL SUITE
- Windows Server CAL
- SharePoint Server Standard CAL
- Exchange Server Standard CAL
- System Center Configuration Manager Client Management License
- System Center Endpoint Protection (Anti-virus and subscription service)
- Lync Server Standard CAL

ENTERPRISE CAL SUITE
- All of the components of the Core CAL Suite
- Exchange Server Enterprise CAL with Services
- Exchange Online with archiving
- SharePoint Server Enterprise CAL
- Lync Server Enterprise CAL
- Windows Server Active Directory Rights Management Services CAL
- System Center Client Management Suite consisting of Operations Manager, Service Manager, Data Protection Manager and Orchestractor
0

Featured Post

Are your corporate email signatures appalling?

Is it scary how unprofessional your email signatures look? Do users create their own terrible designs and give themselves stupid job titles? You can make this a lot easier for yourself by choosing an email signature management solution from Exclaimer today.

Join & Write a Comment

You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
Whether you believe the “gig economy,” as it has been dubbed, is the next big economic paradigm shift (https://www.theguardian.com/commentisfree/2015/jul/26/will-we-get-by-gig-economy) or an overstated trend (http://www.wsj.com/articles/proof-of-a-g…
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now