Licensing Your Windows Server 2008 and Windows Vista Deployments
Kalpesh Patel
Senior Lead Program Manager
Microsoft
Session Code: WSV314
Sean Deuby
Senior Enterprise Solution Strategist
Advaiya
Agenda
Session Goals
Volume Activation Overview
Details
  KMS
  MAKs
Recommendations
References
Appendix
Session Goals
Explain Volume Activation (VA)
Expose its unique requirements
Show typical scenarios and my recommendations
Help you understand what you need to do
  Because you will need to do something
  If you plan to deploy Windows OS volume versions, you need to understand VA
Setting The Stage for VA*
Denial – "This can't be real"
  "Microsoft wouldn't actually implement something like this!"
Anger – "Why me?"
  "As if I don't have enough to do already?!"
Bargaining – "If I do this, you'll do that"
  "Maybe if I just bought all the copies at the local computer store with a really big shopping cart…"
Depression – "Defeated"
  "I REALLY don't want to go through this"
Acceptance – "This is going to happen"
  "Microsoft isn't going to change their policy just for me; guess I'd better figure it out. At least it's job security!"
* With apologies to Elisabeth Kübler-Ross
What’s KMS? What’s MAK?
VA Overview
In The Beginning: Product Activation
Retail Activation
  "Unlocking" the software for use by entering a product key
  Standard method for retail (e.g. Vista Home)
OEM Activation
  Pre-activation by OEMs (e.g. HP); the client need do nothing
Volume License Key (VLK) for Windows XP / Windows Server 2003
  For volume license customers, typically with hundreds or thousands of systems
  Use of a special license key that bypasses product activation
  Much more scalable than retail activation
The New Kid: Volume Activation
Volume Activation is a major rework of the original
  Previously one VLK was used for multiple systems
  Now systems must "activate" (validate their license) with Microsoft
Aimed specifically at preventing casual copying
  For example, lending a genuine disc around
  Retail media still requires individual keys
Volume editions use one of two activation methods: KMS or MAK
KMS and MAK
KMS
  Sort of like DHCP
  KMS host controls activations
  Volume client requests and receives activation
MAK
  A Multiple Activation Key (MAK) is like a retail key but allows more than one activation
  Limit is dependent on agreement type with Microsoft (Open, Select, EA, etc.)
  Similar to MSDN Universal keys
Both use "grace periods"
Microsoft’s States of Grace
The Good
Initial Out-Of-Box (OOB) Grace
  First 30 days after installation for all VL editions, except Windows Server 2008: 60 days
  Reset by running 'slmgr /rearm' or 'sysprep /generalize'
Licensed
  Activated, renewing where required (KMS)
  No user notifications – the "normal" state
Microsoft’s States of Grace
The Bad
Out-Of-Tolerance (OOT) Grace (30 days for all VL editions)
  Hardware has changed enough to require re-activation
  KMS expiration
Notification state
  License has expired
  Windows Vista SP1+ and Windows Server 2008+
  Black desktop
  Hourly "non genuine" notifications
Microsoft’s States of Grace
The Ugly
Unlicensed
  License sub-system cannot determine its own state (i.e. missing / corrupt binaries, data stores, etc.)
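The three slides above map onto the LicenseStatus values that slmgr.vbs /dli and /xpr read from WMI. The script below is an added example, not part of the deck; it reports the local Windows product in the deck's Good / Bad / Ugly terms and assumes Windows Vista / Server 2008 or later with an elevated PowerShell prompt.

```powershell
# Added example, not from the deck: report the local Windows licence state in the
# deck's Good / Bad / Ugly terms, reading the same WMI classes slmgr.vbs /dli and
# /xpr use. Assumes Windows Vista / Server 2008 or later and an elevated prompt;
# written in PowerShell 2.0 syntax so it runs on hosts of that era.

# LicenseStatus values as documented for the SoftwareLicensingProduct class.
$stateNames = @{
    0 = 'Unlicensed (The Ugly)'
    1 = 'Licensed (The Good)'
    2 = 'Initial OOB grace (The Good)'
    3 = 'OOT grace (The Bad)'
    4 = 'Non-genuine grace (The Bad)'
    5 = 'Notification (The Bad)'
    6 = 'Extended grace'
}

# Well-known ApplicationId of Windows itself (the GUID slmgr.vbs filters on);
# Office and other products expose the same class, so filter on it.
$windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'

function Get-VaLicenseState {
    $svc = Get-WmiObject -Class SoftwareLicensingService
    $products = Get-WmiObject -Class SoftwareLicensingProduct |
        Where-Object { $_.ApplicationId -eq $windowsAppId -and $_.PartialProductKey }

    foreach ($p in $products) {
        $state = $stateNames[[int]$p.LicenseStatus]
        if (-not $state) { $state = "Unknown LicenseStatus $($p.LicenseStatus)" }

        # GracePeriodRemaining is in minutes; the deck quotes days (30 / 60 / 180).
        $daysLeft = [math]::Round($p.GracePeriodRemaining / 1440, 1)

        # The Description names the channel, e.g. "... VOLUME_KMSCLIENT channel" or
        # "... VOLUME_MAK channel": KMS client or MAK in the deck's terms.
        $channel = if ($p.Description -match 'VOLUME_KMSCLIENT') { 'KMS client' }
                   elseif ($p.Description -match 'VOLUME_MAK') { 'MAK' }
                   else { 'Other' }

        New-Object PSObject -Property @{
            Edition       = $p.Name
            PartialKey    = $p.PartialProductKey
            State         = $state
            DaysRemaining = $daysLeft
            Channel       = $channel
            # Direct connection (slmgr /skms) vs. the host found through the _VLMCS SRV lookup.
            ConfiguredKms = $svc.KeyManagementServiceMachine
            DiscoveredKms = $svc.DiscoveredKeyManagementServiceMachineName
            # Activation / renewal intervals in minutes (deck defaults: 2 hours, 7 days).
            ActivateEveryMin = $svc.VLActivationInterval
            RenewEveryMin    = $svc.VLRenewalInterval
        } | Select-Object Edition, PartialKey, State, DaysRemaining, Channel, ConfiguredKms, DiscoveredKms, ActivateEveryMin, RenewEveryMin
    }
}

$report = @(Get-VaLicenseState)
$report | Format-List

# Anything outside "The Good" needs attention before the grace period runs out.
$needsAttention = @($report | Where-Object { $_.State -notmatch 'The Good' })
if ($needsAttention.Count -gt 0) {
    Write-Warning "$($needsAttention.Count) Windows product(s) outside the normal licensed state"
}
```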
KMS and MAKs Under the Covers
VA Details
KMS: Key Management Service
Recommended VA method
KMS uses a client / server architecture
  KMS host controls activations
  Volume client requests and receives activation
Host operating system
  Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2
  Windows Server 2003 SP1+: http://microsoft.com/downloads
  x86 or x64
  Can run on a virtual machine
KMS and Its Clients
By default, volume editions need a KMS environment to function normally
Without KMS they will expire, go into notification state, and notify the user
Creating a KMS Host
Obtain KMS key from the volume licensing portal
Install the KMS host's OS
Install the KMS key
  SLMGR.VBS /ipk <key>
  Requires elevated privileges
Activate the KMS host with Microsoft
  Online activation (i.e. Internet): SLMGR.VBS /ato
  Telephone activation: SLUI.EXE 4, then follow the on-screen instructions
Each KMS key can create a maximum of 6 different KMS hosts
  Exceptions managed through the Activation Call Center
Locating A KMS Host
Direct connection
  Forces the client to look only at the FQDN or IP of the KMS host
  KMS host & port added to the registry
  SLMGR.VBS /skms <KMS_FQDN or IP>[:<port>]
Auto-discovery
  Client uses DNS to locate a KMS host by looking up service (SRV) resource records, published by the host
  KMS publishes a new DNS SRV record to its DNS zone: _VLMCS._TCP (_service._protocol)
  Any DNS that supports SRV records and dynamic update will accept this
KMS Client Auto-Discovery
Actors: KMS Host, AD / DNS, KMS Client
0. KMS host registers its SRV record in DNS
1. Client queries DNS for _VLMCS SRV entries
2. DNS returns all KMS hosts that match
3. Client selects a KMS host from the DNS list and sends an anonymous RPC "request"
4. KMS host returns the current count; the client self-activates if count >= required value
KMS Auto-Discovery Facts
KMS host doesn't automatically publish SRV records to any other DNS zones in the forest
  I.e. other child domains
You can tell KMS to manually publish records to other DNS domains / zones
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SL\DnsDomainPublishList
  REG_MULTI_SZ
  Enter each domain on a separate line
KMS host requires rights in the target DNS zone to write SRV records
Target zone must also be able to resolve the KMS host name
  If the DNS server in the zone containing KMS is not configured as a forwarder for the target zone, you must add A and AAAA (IPv6) records
KMS Auto-Discovery Facts
Workgroup clients use the primary DNS suffix or the DNS domain issued by DHCP (option 15)
Active Directory clients use the primary DNS suffix or the AD DNS domain name
Enhancements to KMS Discovery
Windows 7 and Windows Server 2008 R2
Client searches for a KMS host in the DNS suffix list
  Admin can advertise an SRV entry for KMS in one DNS zone
  Most clients have a DNS suffix search list, e.g.:
    redmond.corp.microsoft.com
    corp.microsoft.com
    microsoft.com
Enhancement allows KMS clients with other primary DNS servers to find the KMS host by walking their suffix list
Multi-domain forests require only 1 KMS entry
Enhancements to KMS Discovery
Windows 7 and Windows Server 2008 R2
DNS SRV weight & priority
  Client will select a KMS host based on SRV record priority and weight
  Orders the list of KMS hosts DNS returns
  Windows Server 2008 and Windows Vista do not use this; their KMS clients choose a random KMS host from the list returned by DNS
  Windows Server 2008 R2 and Windows 7 support this, but you probably don't need it
Disable KMS host caching (slmgr /ckhc)
  Forces the client to use the KMS host returned by the DNS query
KMS Key Groups
KMS can only support one key at a time
How can one key support different products?
Key groups
  A hierarchy of licensing keys that can activate all products below them
  Server Group C > Server Group B > Server Group A > Client VL
Product Key Groups
Windows Vista / Windows Server 2008 family
  Client VL: Windows Vista Enterprise, Windows Vista Business
  Group A: Windows Web Server 2008, Windows HPC Server 2008, + Client VL editions
  Group B: Windows Server 2008 Enterprise, Windows Server 2008 Standard, + Group A editions
  Group C: Windows Server 2008 Datacenter, Windows Server 2008 for Itanium, + Group B editions
Windows 7 / Windows Server 2008 R2 family
  Client VL: Windows 7 Enterprise, Windows 7 Professional, + previous editions
  Group A: Windows Web Server 2008 R2, Windows Server 2008 R2 HPC, + Client and previous editions
  Group B: Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Standard, + Group A & previous editions
  Group C: Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 for Itanium, + Group B & previous editions
KMS Activation Validity Interval
Upon initial startup, the client has the initial grace period
  Attempts to contact a KMS host every 2 hours by default
After activation, the license period is set to 180 days (6 months)
  Client contacts KMS every 7 days by default to renew its activation
  Successful – activation validity interval reset to 180 days
  Failure – client retries another KMS immediately
KMS Infrastructure Service
Requirements
  Minimal network data (~500 bytes round trip)
  Involves crypto operations (CPU)
  Client KMS request TTL: 15 seconds
Not time critical for clients
  Grace periods (Initial and OOT): 360 attempts (every 2 hours for 30 days)
  Silent renewal: every 7 days for 180 days = 26+ attempts
  Notifications: user has access to all features; user is warned as the expiration date approaches
Microsoft tested KMS on one DC, with one backup
Windows Server 2008 R2 RC KMS host is a virtual machine
KMS Activation Count
Unlike MAK clients, KMS clients require regular reactivation
A KMS will hand out an unlimited number of licenses, but…
A KMS will not begin activating clients until multiple unique clients contact it (activation count)
  Windows Vista / Windows 7 clients: 25
  Windows Server 2008 / Windows Server 2008 R2 clients: 5
Count is 'aged' from the KMS host after 30 days
With SP2 or Windows Server 2008 R2 or Windows 7, the count can be a mix of physical and virtual
  Customers deploying Windows Server 2008 as VMs only
KMS Facts
Good things about KMS
  Clients don't need internet or telephone access
  Nothing to back up or restore on a KMS host – just rebuild and reinstall the KMS key
  Very scalable – a lightweight service
  Coexists well with other server roles
Scalability is rarely the reason for more than 1 or 2 KMS servers
  Complicated environments, and politics, are
KMS Monitoring with SCOM 2007
KMS SCOM 2007 management pack
  Supported platforms: Windows 2003, Windows Vista, Windows 2008
  Report information in appendix
  www.microsoft.com/downloads
MAK: Multiple Activation Key
Activation key with multiple activations
Unique per Product Group
Number of activations based on license agreement
If exposed, you can request Microsoft to close it down and issue a new one
Every MAK activation must touch Microsoft to complete successfully
MAK Facts
Client only has to be activated once
To activate, a MAK client must have direct or (anonymous) proxy internet access
  Else you must activate by phone
MAK activation can be added to an unattended installation or included in the master image (preferred)
Remaining number of MAK activations can be viewed
  Online: Microsoft Volume License Service Center (VLSC), eOpen, or MSDN
  VAMT (Options -> Manage MAK Keys)
MAK Facts
Should not be your primary activation method
  KMS is the preferred method
  Use MAKs where you can't use KMS
Sufficient hardware changes will require reactivation
  MAK activation count decremented
Each cloned or ghosted system must be activated separately
MAKs can be shut down (for example if leaked) by calling the Microsoft Activation Call Center
MAK Activation Types
Direct activation
  Client activates directly with Microsoft: Internet or phone
Proxy activation
  For scenarios where clients do not have Internet access, and scale makes POTS* impractical
  An intermediary (proxy) does the activation for the client
  Intermediary uses the Volume Activation Management Tool (VAMT)
* Plain Old Telephone System
VA Utilities
Volume Activation Management Tool (VAMT)
  Utility to automate and manage volume activation on multiple clients (where necessary)
  MAK Independent Activation: installs MAKs and allows the clients to activate
  MAK Proxy Activation: installs MAKs on clients without Internet access, and activates for them
  KMS Activation: installs & activates default VL keys
Version 1.1 available from Microsoft downloads
Version 1.2 (in WAIK) adds Windows 7 and Windows Server 2008 R2 support
Monitoring KMS and MAK Usage
Volume Licensing Service Center
  View KMS key information
  View remaining MAK activations
  http://go.microsoft.com/fwlink/?LinkId=107544
Monitor computers' license conditions with
  SMS 2003 SP3
  System Center Configuration Manager 2007
  Event Viewer on KMS hosts and clients
What to do with all this
Recommendations
Configuration Analysis
What do your networks look like?
Production network
  Corporate forest and secondary trusted forests
  Untrusted forests (development, mfg, etc.)
  Workgroups
Secure networks with authorized firewall access to the production network
  "Secure zone"
  Assumption: no internet access
Configuration Analysis
Isolated networks
  25+ clients
  < 25 clients
Disconnected clients
  Demo notebook for a salesperson
  No e-mail, etc. that would require regular corporate network connections
Configuration Recommendations
Principles
KEEP IT SIMPLE!
  Just because you can do lots of configuration doesn't mean you should
  For example, using Vista as a KMS host
Use KMS as much as possible, and minimize the number of KMS hosts
  If you run out of activations (i.e. 6 servers), Microsoft has an exception process to get more
Configuration Recommendations
Principles
Use MAKs only where you can't use KMS
You'll probably need to design a solution to cover several scenarios
KMS port (1688 by default) should never be exposed outside the company
  Access to a KMS host is the same as handing out free volume licenses
Configuration Recommendations
Easy scenarios
Corporate forest and secondary trusting forests
  KMS with DNS auto-discovery
  Other zones
    Assumes central or strong IT
    Microsoft IT scenario
Firewalled environments (e.g. labs) that can open port 1688
  KMS
  Auto-discovery vs. direct connection depends on the lab DNS configuration
Configuration Recommendations
Moderate scenarios
Untrusted forests (e.g. dev or test forests)
  KMS
  But KMS SRV, A, & perhaps AAAA records may need to be registered and maintained in each DNS zone the untrusted forest uses
Workgroups
  KMS
  DHCP clients probably use the corporate DNS
  Static clients – no predicting
  KMS SRV, A, & perhaps AAAA records may need to be registered and maintained in that non-standard DNS zone
Configuration Recommendations
Moderate scenarios
ISV test labs: systems constantly rebuilt to test customer scenarios
  Simply don't activate if builds aren't permanent
  OOB grace period can be reset 3 times (Slmgr.vbs -rearm) = 120* days for all VL editions
  If builds really will expire, reuse the CID from the first MAK proxy activation
* 240 days for Windows Server 2008
Configuration Recommendations
Complicated scenarios
Locked down firewalled environments without any external access
  MAK proxy activation
    A time consuming, but hopefully infrequent, task
  If no MAKs, and clients > 25, then internal KMS hosts
    Delegating the KMS key to more admins increases the risk of it being compromised
    Admin must activate the KMS host itself by phone call
  MAK – activate with phone call
    Not scalable
Configuration Recommendations
A simple solution
Use a standard client build?
  Create a DNS CNAME record: kms.yourcompany.com
  Round-robin a couple of KMS hosts behind it
  Configure your build for direct connection: Slmgr.vbs -skms kms.yourcompany.com
  All clients will simply go there, all the time
  Bypasses auto-discovery complications
Configuration Principles (Again)
KEEP IT SIMPLE!
  Just because you can do lots of configuration doesn't mean you should
Use KMS as much as possible, and minimize the number of hosts
  Corporate IT KMS for all, if politically possible
Use MAKs where you can't use KMS
You'll probably need to design a solution to cover several scenarios
KMS port (1688 by default) should never be exposed outside the company
  Access to a KMS host is the same as handing out free volume licenses
Summary
Volume Activation is here to stay
  You must use it for all new and future Microsoft operating systems
The details can be confusing
Follow these design principles and you'll be in good shape
Kalpesh.Patel@microsoft.com
Sean.Deuby@advaiya.com
Question & Answer
Appendix
VA Utilities
SLMGR.VBS
Main software licensing configuration tool
Most common switches
  -ipk    Install product key
  -ato    Activate
  -dli    Display license information
  -xpr    Expiration date for current license state
  -skms   Direct connection (vs. auto-discovery)
  -rearm  Reset OOB grace period (max 3, but 5 for Windows Vista Enterprise)
In the \system32 directory
VA Utilities
SLUI.EXE
The "kitchen sink" utility of Volume Activation
Most common switches
  1: Display activation status
  2: Attempt activation
  3: Change product key
  4: Display list of telephone numbers for activation
  0x02a 0x<error code>: Diagnose an error code, e.g. the 0x8007267C error in event 12293: SLUI 0x02a 0x8007267C
Error codes are also in the VA Operations Guide
MOM KMS Reports
Report: Description
Activation Count Summary: Shows the number of KMS activations for each Windows edition, for several historical time ranges.
KMS Activity History: Graphically displays daily new KMS activations for each Windows edition, and daily KMS request activity (both activations and renewals) for each Windows edition.
Licensing Status Summary: Shows the days remaining before expiration, for machines that have connected to a KMS, for each license state.
Machine Expiration Chart: Graphically displays the number of machines that are in Initial, OOT/Exp or non-Genuine Grace, whose users could be locked out (Unlicensed) in the next 30 days.
Machine Expiration Detail: Lists machines that are in Initial, OOT/Exp or non-Genuine Grace, whose users could be locked out (Unlicensed) in the next 7 days.
Virtual Machine Summary: Breaks out the cumulative number of virtual and physical machines that were activated via KMS within the past 14 days, for each Windows edition.
KMS: Key Management Service
Service
  Same on KMS host and KMS client
  Windows Server 2008, Vista: SLSVC.EXE / "Software Licensing"
  Windows Server 2008 R2, Windows 7: SPPSVC.EXE / "Software Protection"
KMS Facts
VL editions are by default KMS clients
  If you have auto-discovery configured, the client doesn't need to do anything
A KMS host doesn't pay attention to license tracking
  Remembers up to the last 50 activations just for service tracking
KMS hosts also don't pay attention to each other
Each KMS host can activate an unlimited number of clients
KMS Facts
Up to 6 KMS hosts can be activated with one KMS key
Each KMS host can be re-activated up to 10 times
KMS communicates with clients on TCP port 1688
  KMS clients in labs need 1688 allowed on the firewall for TCP inbound / outbound
Unlike MAKs, KMS clients don't touch Microsoft
  The KMS host did that for them
A Vista KMS host will not support Windows Server 2008 KMS clients
  Not a good idea anyway
VAMT Proxy Activation
Isolated lab network
WMI firewall & network discovery exceptions must be enabled on all clients
Admin installs VAMT on a computer inside the network
VAMT discovers clients
  From AD (LDAP) if a domain is present
  Through the network discovery (NetServerEnum()) API if a workgroup
VAMT collects status from the discovered computers
Admin installs a MAK in VAMT
Admin uses VAMT to apply the MAK to clients
Admin collects the CIL (Computer Information List) from selected computers
VAMT Proxy Activation
Isolated lab network
Admin exports the CIL to removable media (e.g. USB key)
  Can exclude sensitive environment data
Admin imports the CIL into a VAMT system with internet access
VAMT performs a MAK Proxy Activation and obtains Confirmation IDs (CIDs) for the clients in the list
Admin brings the key back to the lab and imports the CIL into VAMT
VAMT completes proxy activation by applying the CIDs to clients
Note: this CIL can be re-used – thus not using more MAKs – if systems are re-imaged on the same hardware
Resources
Volume Activation home
  http://technet.microsoft.com/volumeactivation
Vista Volume Activation Technical Guidance
  http://tinyurl.com/2tk8hs
KMS on Windows Server 2003 SP1
  http://tinyurl.com/3cwyqu
Volume Activation Management Tool (VAMT)
  http://tinyurl.com/2qwkwo
Windows 7 Deployment Client – TLC
  Tue 5/12/2009 & Wed 5/13/2009
Windows Server Resources
Make sure you pick up your copy of Windows Server 2008 R2 RC from the Materials Distribution Counter
Learn more about Windows Server 2008 R2:
  www.microsoft.com/WindowsServer2008R2
Technical Learning Center (Orange Section):
  Highlighting Windows Server 2008 and R2 technologies
  Over 15 booths and experts from Microsoft and our partners
Resources
www.microsoft.com/teched: Sessions On-Demand & Community
http://microsoft.com/technet: Resources for IT Professionals
http://microsoft.com/msdn: Resources for Developers
www.microsoft.com/learning: Microsoft Certification & Training Resources
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.