Compliance Audit Preparation for Microsoft Server Products (Windows, SQL, Exchange)

Released September 2012, Updated March 2013 | by Johannes Balzer


Content

Executive Summary
Introduction
I.) Collecting Technical Data
II.) Collecting Commercial Data
III.) Compliance and Licensing Strategy
Conclusion And Outlook
Technical Appendix – License Demand of Windows Server Within Clusters

Executive Summary

OMTCO’s client, a German-based industrial group (client modified) with worldwide operations, initiated a compliance audit of Microsoft server products. Our client asked OMTCO to review the compliance of the three main Microsoft server products in use: Windows Server, SQL Server and Exchange Server.

The following report shows how customers should prepare for a Microsoft compliance audit, and how we conducted the compliance review, from collecting data to producing the compliance balance. Moreover, we also give advice regarding the licensing of Microsoft Windows Servers in virtual environments.

The report is presented in three chapters:

  • Chapter (I.) deals with technical data (installations). Technical data generates the demand side of the compliance balance, associated with software installations. Server lists and technical documentation already in use within the IT department may be used as initial licensing documentation. Missing data, mandatory for licensing, may be supplemented by the outputs of administration commands.
  • Chapter (II.) examines commercial data (licenses). Commercial data constitutes the supply side of the compliance balance, associated with software licenses. Microsoft licenses may be missing in the Microsoft Volume Licensing Service Centre (MVLSC), especially for organizations with strong outward growth. Customers should communicate license transfers via the Microsoft License Transfer Form. Where licenses are missing, we advise collecting and structuring supporting documentation.
  • Chapter (III.) presents the compliance balance. The compliance position is determined by matching the license demand (technical data) and the effective license position (commercial data). Customers should align their licensing strategy with their overall IT strategy to optimize their licensing costs and risk.

In the Appendix we give valuable advice regarding the licensing of Microsoft Windows Server, outlining selected licensing pitfalls in virtual environments. We demonstrate the increased compliance risk resulting from virtualization.

Should you have any questions, please contact OMTCO; contact details are listed at the end of this report. For those executives interested in sharing their thoughts on licensing, Software Asset Management or compliance audits, we highly welcome your feedback and comments.

 

Introduction

The following Microsoft server products were selected and given priority for the compliance review:

  • Microsoft Windows Server
  • Microsoft SQL Server
  • Microsoft Exchange Server

This report deals exclusively with the licensing of server installations. Client Access Licenses (CALs), subject to different licensing requirements, will be dealt with in further publications.

OMTCO’s Microsoft licensing experts were given several roles to accelerate the speed of the work, all in close cooperation with the client’s team. We brought in our Microsoft licensing expertise; we supported the data collection and analyzed the data relevant to licensing; we generated the compliance balance of the selected server products; and we identified and outlined the possible optimization of licensing costs and risk.

The following selected server products were analyzed, and all installed versions and editions were identified and taken into account:

  • Microsoft Windows Server 2003, 2008 and 2008R2 – Standard and Enterprise Editions
  • Microsoft SQL Server 2000, 2005, 2008 and 2008R2 – Standard and Enterprise Editions
  • Microsoft Exchange Server 2007 – Standard Edition

 

I.) Collecting Technical Data

1.) Specifying Installations And Licensing Attributes

In this first step, as a matter of urgency we were given access to server lists and technical documentation already in use within the IT department.

This documentation, which had been created by the server administrators – exclusively for the purpose of server administration – contained valuable technical details on the software installations as well as information on the infrastructure, such as hardware in use and virtualization, and information on application operations such as load balancing or high availability.

We were therefore able to extract from this documentation part of the data – but not all – required in the licensing of Microsoft Windows, SQL and Exchange Servers. This documentation was subject to two major issues:

  • Missing data – some mandatory licensing data was missing and had to be identified;
  • Legacy documentation – some of the data was not current and had to be verified.

Missing Data Must Be Identified

The documentation was missing some of the information mandatory for licensing concerning installations and licensing attributes:

  • Installations – the product name of the installed software was often incomplete, sometimes wrong, e.g. missing edition or version; and
  • Licensing attributes – rarely were all attributes mandatory for licensing collected, i.e. processors, cores, etc.

The mandatory information for licensing depends on the product, edition and version in use, on the customer’s infrastructure and on the application operations. It comprises:

  • Installations – the complete and correct name of the software products installed, including edition and version, and allocation to virtual and physical hosts; and
  • Licensing attributes – the licensing attributes associated with the installations.

Note: Please consult the relevant Product Use Rights (PUR) and further Microsoft licensing documentation for the licensing requirements applicable to your specific set of products, infrastructure and application operations.

Information on installations is straightforward and only requires listing software installations – accounting for different products, editions and versions – and allocating software installations to virtual and physical hosts (devices), uniquely identified with their host IDs. This task is best performed based on the output of a software scan tool, scanning registries, executable files, etc. Supplementary information may also be collected for the purpose of cost allocation, such as the allocation of devices to a legal entity, cost center or geographical area. Although this information is not mandatory for licensing, it permits the allocation of costs internally.

Licensing attributes are, on the other hand, much more complex to deal with. The relevant licensing attributes depend on the products installed and must be identified.

For instance, the licensing attributes relevant to the server installations of the Microsoft Server products considered here are attributes to do with hardware and virtual environments, including, but not limited to:

  • CPUs – Number of CPUs, relevant to CPU-based metrics, for instance for SQL Server Enterprise or Windows Server Datacenter;
  • Cores – Number of cores per CPU (in the case of hyper-threading, also the number of threads per core), relevant, for instance, to SQL Server Enterprise licensing in virtual environments;
  • vCPUs – Number of logical CPUs (vCPUs), relevant, for instance, to SQL Server Enterprise in virtual environments;
  • VMs – Allocation of virtual machines (VMs) to devices (physical hosts), including the mode of operations (dynamic vs. static allocation);
  • Further relevant attributes – specifically depending on the product, the edition and the version.

We encourage all Microsoft customers confronted with a compliance review to verify which attributes need to be taken into consideration for their specific installations and infrastructure. Licensing attributes vary depending specifically on the product, the edition and the version, and should be clarified in a client’s particular situation, including the client’s infrastructure and application operations. One pertinent example is Microsoft SQL Server, for which the relevant licensing attributes depend on the product edition and version, and on hardware attributes – including activated hyper-threading technology (HTT) – and on application operations in active/active or failover cluster scenarios.

Data From Legacy Documentation Should Be Verified

Some of the data was clearly not up to date, and suspected to be unreliable. This is generally caused by IT project documentation being created for planning and approval purposes and not being updated regularly. Consequently, deviations in infrastructure and operations in day-to-day operations are often not documented properly. Should a client extract the licensing attributes from legacy documentation, they may be wrong and may not reflect real usage.

We encourage clients to reflect any licensing data extracted from technical documentation back to the owners of the data – in most cases, the IT and application administrators – for verification.

 

2.) Collecting Missing Technical Data

The collection process was entrusted to the IT server administrators, as they had immediate access to the IT infrastructure and the credentials necessary to collect the information. Furthermore, involving the IT administrators led to a more comprehensive understanding and acceptance of the challenges of license management, and thus a higher level of support for the data collection.

The data collection has to be performed manually if there is no software scan tool in use. In this situation, OMTCO licensing experts provide clients with administration commands and instructions on how to generate console outputs and screenshots to determine CPUs, cores and cluster/host relationships (vCPUs). Subsequently, we usually have to clean the collected data of any flaws (for example, hyper-threading, deactivated cores, etc.). We must note here that clients should resist the temptation to leave these flaws uncorrected – as not performing this task generates unnecessary licensing costs, much higher than the cost of correcting.

Furthermore, in the case of servers in clustered environments, supplementary information about the allocation of virtual machines to hardware has to be gathered, as the licensing of Microsoft Server products is closely linked to the physical environment. This information is mandatory as it has a direct impact on license demand. The impact of virtualization on licensing depends highly on the edition and the version in use. For instance, the licensing of Microsoft Windows Server in virtual environments differs slightly between the Standard and the Enterprise editions, which themselves differ notably from the Datacenter edition. Version 2012 of Microsoft Windows Server brings further changes to how virtualization is treated.

To wrap up gathering the technical data, we analyzed the advantages and drawbacks of the scan solution MAP Toolkit (Microsoft Assessment and Planning Toolkit) for our client, as a first, easy step towards IT environment scanning.

No scan tool should be expected to perform at 100%; however, a scan tool definitely improves the automation ratio and reduces – but does not eliminate – subsequent manual data collection. Scan tools especially perform well when it comes to listing software installations of classical products and host IDs. Most scan tools, however, do not perform particularly well when it comes to reporting hardware environments and virtualization (host/cluster relationships).

MAP Toolkit has major limitations – but it is free, agentless and easy to deploy. It provides an easy solution to scan Microsoft server products in different environments. Should you wish to learn about the advantages and drawbacks of various scan solutions, please contact OMTCO.

 

II.) Collecting Commercial Data

1.) Microsoft Volume Licensing Service Centre (MVLSC)

Microsoft provides valuable support to its customers to manage their license estate by providing the Microsoft Volume Licensing Service Center (MVLSC). The MVLSC captures customers’ Microsoft license estates. However, some licenses may not show in the MVLSC.

Some Licenses May Not Show In MVLSC

One of the most frequent reasons for licenses not showing in MVLSC is that many clients have built their international presence through strong, outward growth. Mergers and acquisitions have led to patchwork corporations, made of independent, self-contained subsidiaries – with heterogeneous infrastructures and license estates.

Mergers and acquisitions, and the subsequent license transfers, may not all be communicated to Microsoft via the Microsoft License Transfer Form. As a result, licenses from acquired subsidiaries do not show in the group’s Microsoft Volume Licensing Service Centre (MVLSC).

There are various further reasons why licenses could also be missing in MVLSC:

  • Maverick Buying – Licenses purchased outside official purchasing processes may be outside of Microsoft Volume Licensing;
  • OEM licenses – OEM licenses are not reflected in MVLSC, for instance Windows Server OEM licenses;
  • FPP licenses – Full Package Products, available for some selected products, for instance the Office product family, are not reflected in MVLSC;
  • Acquisitions – Licenses of subsidiaries acquired by a group, for which the Microsoft License Transfer Form has not been sent to Microsoft, will not appear in the MVLSC (but perhaps in their own MVLSCs, if they had contracted Volume Licensing).

Customers Should Let Incompliance Be Borne Fairly By Those At Fault

We encourage our clients to have the respective incompliance borne fairly by those at fault. In this case, we need to gather further information on the allocation of infrastructure and license estates to cost centers in order to produce compliance balances for each cost center and allocate costs between countries/legal entities.

This also helps to identify unknown licenses, as organizational units, which see incompliance costs (financial penalty to reestablish compliance) as a threat, are willing to search extensively for unknown licenses. Indeed, licenses were found. This applied to both licenses purchased outside of official purchasing processes (so-called Maverick Buying) as well as licenses purchased before a respective company was acquired by our client (and thus recorded in a different MVLSC).

 

SIDE NOTE – The Microsoft Volume Licensing Service Center (MVLSC)

Microsoft provides valuable support to its customers (Volume License customers only) by reporting and managing their Microsoft license estate in the Microsoft Volume Licensing Service Center (MVLSC).

As a Microsoft Volume License customer, you have access to your MVLSC. MVLSC provides reporting and managing functions associated with your license estate, such as reporting the purchased licenses from Volume License contracts, downloading Microsoft software and retrieving installation keys.

MVLSC provides a good foundation for the inventory of your licenses and gives you the ability to compare with your own documentation. However, from our experience of compliance reviews, MVLSC is usually incomplete and does not contain the whole license estate. This is especially the case when the purchasing processes or order systems have changed in the past, were not abided by, or when your company has acquired external companies.

Ask your Microsoft key account manager to provide you with your MVLSC. You can then supplement it with missing licenses. Overall, this will provide you with the Microsoft License Inventory Report for your company.

 

2.) Supporting documentation

As entitlements were missing from the Microsoft Volume Licensing Service Centre (MVLSC), we suggested analyzing supporting documentation. This comprises:

  • Internal documentation – documents within the Microsoft customer’s administration, such as purchase orders and payment documentation;
  • External documentation – documents usually generated by Microsoft/Resellers themselves, such as invoices or delivery notes.

It is important to note that supporting documentation – such as purchase orders, invoices, delivery notes – does not constitute a Proof of Entitlement (PoE).

A Proof of Entitlement (PoE) is a certificate or any other appropriate document, delivered by the vendor to the licensee. The PoE confirms the eligible product and the level of use and usually includes references (order or customer number).

Microsoft requires that defined Proofs of Entitlement are gathered in order to prove the existence of valid licenses. These PoEs depend on the license type and the product and may include various documents, for instance product documentation (manuals), media (CDs/DVDs), original stickers (placed on hardware for OEM licenses), etc.

Supporting documentation is not a Proof of Entitlement; however, Microsoft has shown fairness and accepted supporting documentation in many compliance audits – that we know of – as a substitute for the PoEs, as long as several requirements are fulfilled.

These requirements concern the whole picture of the supporting documentation, such as the consistency and pertinence of the documentation, and the transparency of the documentation process. They also concern the structuring of the documentation to support verification, involving documentation from external parties – such as software resellers – reviewed through an independent advisor specialized in Microsoft licensing.

As a result, a combination of internal documentation (not issued by the vendor, e.g. purchase orders, delivery from hardware OEM vendors, software reseller delivery notes) and external documentation (issued by the vendor or its software resellers, e.g. invoices/delivery notes) was taken into account pragmatically, and was recognized by Microsoft.

It has been proven many times that customers may approach Microsoft with a pragmatic solution based on internal or external documentation and subsequently avoid the burden of collecting physical PoEs as theoretically demanded by Microsoft licensing requirements. In many cases, we do not recommend that our clients gather physical PoEs, such as copies of OEM stickers on hardware, full sets of manuals, media DVDs, etc. to prove licenses – as this is not feasible anyway.

In this case, supporting documentation, especially invoices from suppliers extracted from the ERP software, was analyzed. Invoices related to software licenses of all types (Open, OEM/SB, etc.) were structured, relevant attributes captured (buyer, product, edition, version, hardware reference in the case of OEM licenses etc.) and linked to the internal Document Management System.

We recommend that our customers, during Microsoft compliance reviews, propose a pragmatic solution to Microsoft and show the best documentation possible.

 

III.) Compliance and Licensing Strategy

1.) License Demand, Effective License Position

As soon as the required technical data (installations and the associated information and attributes) and commercial data (licenses and Software Assurance, SA) were available, we started to calculate the License Demand and the Effective License Position (ELP):

  • License demand – The License Demand is derived from the technical usage and calculated by selecting and applying the relevant metric(s) and restrictions to the technical data;
  • Effective License Position (ELP) – The Effective License Position (ELP) is derived from the assembled licenses and maintenance contracts, i.e. Software Assurance (SA).

We then compiled the data and generated the group compliance balance, i.e. we matched the license demand and the Effective License Position, differentiated by products, editions, versions and metrics (where the metric is chosen from one of several permitted metrics). This shows the compliance and incompliance positions – each single position being a specific product/edition/version/metric. Some simplification is always possible as some editions and versions are covered by downgrade rights.

Ultimately, the compliance balance is the means by which a required settlement or supplementary licenses, and thus the costs of the incompliance, are deduced.

A further differentiation by cost centers has been completed, but only for internal purposes as only the group balance is relevant to Microsoft.

 

SIDE NOTE – Simplified Example Of The Correlation Between The Licensing Metric And The License Demand

The technical usage is calculated by measuring access by devices (device CAL) and access by users (user CAL). Example: A Windows Server is accessed by 15 users using 20 notebooks. Windows CAL demand: 20 x Device CAL or 15 x User CAL. The licensee will have to select one metric – User CAL or Device CAL – and apply it to the usage to determine the technical usage. The optimization should be related to the number of CALs, as the User CAL and Device CAL have the same price.

 

2.) IT Strategy – Licensing Strategy

The IT strategy of our clients often requires that software products are exclusively deployed in virtual environments, and even in clusters. It is already common that most Windows Servers are running in VMware virtualized load-balancing cluster environments, comprised of several physical hosts.

In a virtualization strategy such as this, we recommend developing a suitable licensing strategy aligned to the demand of the IT strategy. This is especially relevant for Microsoft Windows Server Standard and Enterprise as these editions are licensed with a per server metric (related to physical hosts).

Therefore, in a cluster scenario, the higher the number of connected servers, the higher the multiplication factor of the license demand would be. Even if automatic load-balancing is not in use, the maintenance of the productive environments and the probable manual transfer of instances between physical hosts creates a peak license demand – and therefore a compliance risk.

As the responsibility for IT infrastructure operations is often at CIO level, it is common to align the licensing strategy to the IT infrastructure strategy. The peak license demand determined by the current and the future deployments and usages should be the baseline for an optimized licensing strategy.

 

Conclusion And Outlook

A compliance review of Microsoft Server products requires the full commitment of the client’s organization, as licensing depends on technical and commercial data provided by different units – including the IT Department, Application Operations, IT Software Purchasing and IT Hardware Purchasing.

Microsoft licensing expertise is needed to define the relevant data and compile a compliance balance. Microsoft Server products are not always straightforward in their licensing, and some specific aspects, especially in connection with virtualization and dynamic operations, bear complexity.

OMTCO’s Microsoft product and licensing expertise, supplemented by knowledge of IT infrastructure, ensures that compliance reviews are conducted quickly, and the probable incompliance positions are eliminated. Should you wish for advice tailored to your specific needs, please call your OMTCO representative directly or contact OMTCO at: microsoftlicensing@omtco.de.

 


 

– CONFIDENTIALITY NOTICE –

OMTCO does not disclose clients’ names, client projects or data. The case study and data published in this report is generic and derived from years of compliance reviews. All analysis presented and information disclosed in this document are exclusively based on public information. Should you wish to learn more about our confidentiality practice or about this case study, please contact an OMTCO representative.


 

Technical Appendix – License Demand of Windows Server Within Clusters

Important note

This appendix applies to the project reported here, and therefore does not apply to the new licensing provisions of Windows Server 2012. As the provisions of Windows Server 2012 include major changes, we will publish a dedicated analysis of Windows Server 2012 in virtualized/dynamic environments.

Scenarios

In the following text, we will explain the increased compliance risk resulting from the licensing of Windows Servers in three different scenarios. The scenarios differ based on the transferability of instances:

  • Scenario 1 – Instances are not transferred between servers
  • Scenario 2 – Instances are transferred manually between selected servers
  • Scenario 3 – Instances are moved dynamically across the whole server estate

The scenarios are all based on similar physical servers, with 2 CPUs x 1 core per device – so the main difference between these three scenarios is not the physical infrastructure – rather, how production is maintained on the physical devices.

Upfront Recommendation

We recommend that Microsoft customers be very careful when using VMware vMotion or Microsoft System Center Virtual Machine Manager (Automated Load Balancing), as the license demand for Standard/Enterprise licenses undergoes a multiplier effect – incompliance may be generated rapidly, as you will see below.

However, the break-even point of the situation should be calculated in order to decide whether supplementary Standard/Enterprise licenses – or a completely new set of Datacenter licenses – should be purchased.

 

1.) Scenario 1: Virtualization Cluster With No Transferring Of Instances

Configuration

In this scenario, virtual instances of Windows Server Standard Edition are running in one cluster of four servers, where each server has two CPUs and one core per CPU. The instances are allocated statically to the servers; they are not transferred between servers.

License Demand

The resulting license demand of Windows Server Standard is 16 licenses (or alternatively 4 x Enterprise, or 8 x Datacenter). The license demand in this configuration – with static virtualization – is equivalent to the license demand from server virtualization on dedicated servers.

The results are shown in the following picture:

 


Exhibit 1 – Scenario 1: Configuration And License Demand

 

2.) Scenario 2: Virtualization Cluster With Manual Transferring Of Instances Between Selected Servers

Configuration

In this scenario, instances are transferred between servers, e.g. often for maintenance purposes. In this particular example, four instances from server 4 are transferred, for maintenance purposes, to server 1 (2 instances), server 2 (1 instance) and server 3 (1 instance). This transfer has a direct influence on the license demand, as a license for Windows Server is mandatory before any installation of Windows Server on a physical server.

License Demand

The license demand is 20 Windows Server Standard licenses (or alternatively 7 x Enterprise, or 8 x Datacenter). Note: Should any more instances be transferred to any of the other physical servers, the license demand will be even higher.

The results are shown in the following picture:

 


Exhibit 2 – Scenario 2: Configuration And License Demand

 

3.) Scenario 3: Virtualization Cluster With Dynamic Transferring Of Instances Across The Whole Server Estate

Configuration

In this scenario, the virtualization has recourse to the transfer of instances for the purpose of load balancing. In this case, any hardware resource (CPU) may be allocated to any instance, dynamically.

License Demand

If the Windows Servers are licensed with Standard or Enterprise licenses, each single server should be licensed for each installation. In the hardware environment described above, active Automated Load Balancing would generate a license demand of 64 Windows Server Standard licenses (or alternatively 16 x Enterprise, or 8 x Datacenter), even though only 16 Windows Servers are installed (load balancing poses a compliance risk).

The results are shown in the following picture:


Exhibit 3 – Scenario 3: Configuration And License Demand
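The three license demands above can be recomputed from one rule: count, for every physical server, each instance that may ever run on it. The following is an added example, not OMTCO's own tooling; the per-license allowances (one running instance per Standard license, four per Enterprise license, Datacenter licensed per physical CPU), the price ratios and all function names are assumptions chosen so that the calculation reproduces the appendix's figures.

```python
"""Peak Windows Server license demand in a cluster (added example)."""
from math import ceil

# Cluster from the appendix: four hosts, two physical CPUs each.
HOSTS = {"server1": 2, "server2": 2, "server3": 2, "server4": 2}

# ASSUMPTION: running instances covered by one license assigned to a host.
# These values are not stated on the page; they reproduce its figures.
INSTANCES_PER_LICENSE = {"Standard": 1, "Enterprise": 4}

# CONSTRUCTED placeholder price ratios for the break-even check.
# They are not Microsoft prices; substitute your contract prices.
PRICE_UNITS = {"Standard": 1, "Enterprise": 3, "Datacenter": 4}


def static_placement(hosts, per_host):
    """One entry per instance: the set of hosts it is allowed to run on."""
    return [{host} for host in hosts for _ in range(per_host)]


def peak_per_host(instances, hosts):
    """Worst-case number of instances that may run on each host."""
    peak = {host: 0 for host in hosts}
    for allowed_hosts in instances:
        for host in allowed_hosts:
            peak[host] += 1
    return peak


def license_demand(instances, hosts):
    """License demand per edition for the given placement rules."""
    peak = peak_per_host(instances, hosts)
    demand = {
        edition: sum(ceil(count / cap) for count in peak.values())
        for edition, cap in INSTANCES_PER_LICENSE.items()
    }
    # Datacenter: one license per physical CPU of every host that runs instances.
    demand["Datacenter"] = sum(
        cpus for host, cpus in hosts.items() if peak[host] > 0
    )
    return demand


def cheapest_edition(demand, price_units):
    """Edition with the lowest total cost for this demand (break-even check)."""
    return min(demand, key=lambda edition: demand[edition] * price_units[edition])


def scenario_1():
    """Static allocation: four instances per host, never transferred."""
    return static_placement(HOSTS, 4)


def scenario_2():
    """Server 4's four instances may also run on servers 1, 1, 2 and 3."""
    instances = static_placement(["server1", "server2", "server3"], 4)
    for target in ("server1", "server1", "server2", "server3"):
        instances.append({"server4", target})
    return instances


def scenario_3():
    """Automated load balancing: every instance may run on every host."""
    return [set(HOSTS) for _ in range(16)]


if __name__ == "__main__":
    for name, build in (("Scenario 1", scenario_1),
                        ("Scenario 2", scenario_2),
                        ("Scenario 3", scenario_3)):
        demand = license_demand(build(), HOSTS)
        print(name, demand, "cheapest:", cheapest_edition(demand, PRICE_UNITS))
```

With the placeholder price ratios, the cheapest edition changes from Enterprise (scenario 1) to Standard (scenario 2) to Datacenter (scenario 3), which is the break-even effect the upfront recommendation refers to.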

 




THE FINDINGS OF THE COMPLIANCE AUDIT PREPARATION FOR MICROSOFT SERVER PRODUCTS DEMONSTRATE THE IMPORTANCE OF UNDERSTANDING THE IMPACT OF VIRTUALIZATION ON INCOMPLIANCE. WHEN YOUR ORGANIZATION CONDUCTS A MICROSOFT COMPLIANCE REVIEW – OR WHEN YOU ARE CONFRONTED BY A VENDOR AUDIT – OMTCO IS BY YOUR SIDE TO PROVIDE YOU WITH LICENSING EXPERTISE, COUNTER-AUDIT EXPERIENCE AND NEGOTIATION SUPPORT.

 

Johannes Balzer is a consultant at OMTCO Munich Office.

Contact:
00 49 163 3368736
johannes.balzer@omtco.de

Tim Sommer is a consultant at OMTCO Vienna Office.

Contact:
00 43 699 15007391
tim.sommer@omtco.de

 

OMTCO provides its clients with the best, thought-out advisory and line services, ranging from design-stage to implementation in Operations, Management, Technology and Consulting.

OMTCO works with the highest possible level of expertise – taking into account our know-how and our pragmatic experience from market analysis, competitive projects and professional references.

OMTCO has licensing expertise at its disposal, in addition to extensive experience in compliance reviews and customer-sided counter-audits.

Should you wish for advice tailored to your specific needs, raise comments or ask questions, please contact OMTCO at info@omtco.de or call your OMTCO representative directly.

For Microsoft licensing expertise, visit:
http://omtco.eu/references/microsoft/

For Software Asset Management, visit:
http://omtco.eu/references/SAM/

For counter-audit experience, visit:
http://omtco.eu/references/counteraudit/

For further references, visit:
http://www.omtco.eu/references/

 

This document is current as of the initial date of publication and may be changed by OMTCO at any time. Not all offerings are available in every country in which OMTCO operates. THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING NO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. This report is for information and illustration purposes only. It is not an advisory document and does not take into account your specific customer situation. Please refer to the disclaimer published at http://omtco.eu/disclaimer.