Transcript Group A

Sean Deuby
Senior Enterprise Solution Strategist
Advaiya
Kalpesh Patel
Senior Lead Program Manager
Microsoft
Session Code: WSV314
Agenda
Session Goals
Volume Activation Overview
Details
KMS
MAKs
Recommendations
References
Appendix
Session Goals
Explain Volume Activation (VA)
Expose its unique requirements
Show typical scenarios and my
recommendations
Help you understand what you need to do
Because you will need to do something
If you plan to deploy Windows OS volume
versions, you need to understand VA
Setting The Stage for VA*
Denial – “This can't be real”
“Microsoft wouldn't actually implement something like this!”
Anger – “Why me?”
“As if I don’t have enough to do already?!”
Bargaining – “If I do this, you’ll do that”
“Maybe if I just bought all the copies at the local computer store with a
really big shopping cart…”
Depression – “Defeated”
“I REALLY don’t want to go through this”
Acceptance – “This is going to happen”
“Microsoft isn't going to change their policy just for me; guess I'd better
figure it out. At least it's job security!”
* With apologies to Elisabeth Kübler-Ross
What’s KMS? What’s MAK?
In The Beginning: Product Activation
Retail Activation
"Unlocking" the software for use by entering a product key
Standard method for retail (e.g. Vista Home)
OEM Activation
Pre-activation by OEMs (e.g. HP), client need do nothing
Volume License Key (VLK) for Windows XP/Windows
Server 2003
For volume license customers, typically with hundreds or
thousands of systems
Use of a special license key that bypasses product activation
Much more scalable than retail activation
The New Kid: Volume Activation
Volume Activation is a major rework of the original
Previously one VLK was used for multiple systems
Now – systems must "activate" (validate license) with
Microsoft
Aimed specifically at preventing casual copying
For example, lending a genuine disc around
Retail media still requires individual keys
Volume editions use one of two activation methods:
KMS or MAK
KMS and MAK
KMS
Sort of like DHCP
KMS host controls activations
Volume client requests and receives activation
MAK
A Multiple Activation Key (MAK) is like retail but allows
more than one activation
Limit is dependent on agreement type with Microsoft
(Open, Select, EA, etc)
Similar to MSDN Universal keys
Both use "grace periods"
Microsoft’s States of Grace
The Good
Initial Out-Of-Box (OOB) Grace
First 30 days after installation for all VL editions except
Windows Server 2008: 60 days
Reset by running ‘slmgr /rearm’ or ‘sysprep
/generalize’
Licensed
Activated, renewing where required (KMS)
No user notifications – the "normal" state
Microsoft’s States of Grace
The Bad
Out-Of-Tolerance (OOT) Grace (30 days for all VL
editions)
Hardware has changed enough to require re-activation
KMS expiration
Notification state
License has expired
Windows Vista SP1+ and Windows Server 2008+
Black desktop
Hourly "non genuine" notifications
Microsoft’s States of Grace
The Ugly
Unlicensed
License sub-system cannot determine its own state (i.e.
missing / corrupt binaries, data stores, etc)
KMS and MAKs Under the Covers
KMS: Key Management Service
Recommended VA method
KMS uses client / server architecture
KMS host controls activations
Volume client requests and receives activation
Host operating system
Windows Vista, Windows 7, Windows Server 2008,
Windows Server 2008 R2
Windows 2003 SP1 +: http://microsoft.com/downloads
X86 or x64
Can run on a virtual machine
KMS and Its Clients
By default, volume editions need a KMS
environment to function normally
Without KMS they will expire, go into
notification state, and notify the user
Creating a KMS Host
Obtain KMS key from volume licensing portal
Install the KMS host’s OS
Install the KMS key
SLMGR.VBS /ipk <key>
Requires elevated privileges
Activate the KMS host with Microsoft
Online activation (i.e. Internet)
SLMGR.VBS /ato
Telephone activation
SLUI.EXE 4
Follow on-screen instructions
Each KMS key can create max of 6 different KMS hosts
Exceptions managed through the Activation Call Center
Locating A KMS Host
Direct connection
Forces client to look only at FQDN or IP of KMS host
KMS host & port added to registry
SLMGR.VBS /skms <KMS_FQDN or IP>[:<port>]
Auto-discovery
Client uses DNS to locate a KMS host by looking up service
(SRV) resource records, published by the host
KMS publishes new DNS SRV record to its DNS zone:
_VLMCS._TCP (_service._protocol)
Any DNS that supports SRV records and dynamic
update will accept this
KMS Client Auto-Discovery
AD / DNS
1. Client queries DNS
for _VLMCS SRV
entries
2. DNS returns
all KMS hosts
that match
0. KMS registers
SRV record
3. Client selects a KMS from
DNS list and sends an
anonymous
4. KMS returns
current count RPC "request"
client self-activates if count >=
required value
KMS Client
KMS Host
KMS Auto-Discovery Facts
KMS host doesn’t automatically publish SRV records to any
other DNS zones in the forest
I.e. other child domains
You can tell KMS to manually publish records to other DNS
domains / zones
HKLM\SOFTWARE\Microsoft\Windows NT
\CurrentVersion\SL\DnsDomainPublishList
REG_MULTI_SZ
Enter each domain on separate lines
KMS host requires rights in the target DNS zone to write SRV
records
Target zone must also be able to resolve KMS host name
If DNS server in zone containing KMS is not configured as forwarder for
the target zone, must add A and AAAA (IPv6) records
KMS Auto-Discovery Facts
Workgroup clients use primary DNS suffix or
DNS domain issued by DHCP (option 15)
Active Directory clients use primary DNS suffix
or AD DNS domain name
Enhancements to KMS Discovery
Windows 7 and Windows Server 2008 R2
Client searches for KMS host in DNS suffix list
Admin can advertise an SRV entry for KMS in one
DNS zone
Most clients have DNS suffix search list
redmond.corp.microsoft.com
corp.microsoft.com
microsoft.com
Enhancement allows KMS clients with other
primary DNS servers to find KMS host by walking
their suffix list
Multi-domain forests require only 1 KMS entry
Enhancements to KMS Discovery
Windows 7 and Windows Server 2008 R2
DNS SRV weight & priority
Client will select KMS host based on SRV record priority and
weight
Orders the list of KMS hosts DNS returns
Windows Server 2008, Windows Vista do not use
KMS clients choose a random KMS host from the list returned by
DNS
Windows Server 2008 R2, Windows 7 support this
But you probably don’t need it
Disable KMS host caching (slmgr /ckhc)
Forces client to use KMS host returned by DNS query
KMS Key Groups
KMS can only support one key at a time
How can one key support different products?
Key groups
A hierarchy of licensing keys that can activate all
products below them
Server Group C
Server Group B
Server Group A
Client VL
Product Key Groups
Group C
Windows Server 2008 Datacenter
Windows Server 2008 for Itanium
+ Group B editions
Group C
Windows Server 2008 R2 Datacenter
Windows Server 2008 R2 for Itanium
+ Group B & previous editions
Group B
Windows Server 2008 Enterprise
Windows Server 2008 Standard
+ Group A editions
Group B
Windows Server 2008 Enterprise R2
Windows Server 2008 Standard R2
+ Group A & previous editions
Group A
Windows Web Server 2008
Windows HPC Server 2008
+Client VL editions
Group A
Windows Web Server 2008 R2
Windows Server 2008 R2 HPC
+ Client and previous editions
Client VL
Windows Vista Enterprise
Windows Vista Business
Client VL
Windows 7 Enterprise
Windows 7 Professional
+ previous editions
KMS Activation Validity Interval
Upon initial startup, client has initial grace
period
Attempts to contact KMS host every 2 hours by
default
After activation, license period is set to 180 days
(6 months)
Client contacts KMS every 7 days by default to
renew its activation
Successful – activation validity interval reset to 180
Failure – Client retries another KMS immediately
KMS Infrastructure Service
Requirements
Minimal network data (~500/bytes roundtrip)
Involves crypto operations (CPU)
Client KMS request TTL: 15 seconds
Not time critical for clients
Grace periods (Initial and OOT)
360 attempts (every 2 hours for 30 days)
Silent Renewal
Every 7 days for 180 days = 26+ attempts
Notifications
User has access to all features
User is warned as expiration date approaches
Microsoft tested KMS on one DC, with one backup
Windows Server 2008 R2 RC KMS host is a virtual machine
KMS Activation Count
Unlike MAK clients, KMS clients require regular
reactivation
A KMS will hand out an unlimited # of licenses, but…
A KMS will not begin activating clients until multiple
unique clients contact it (activation count)
Windows Vista / Windows 7 clients: 25
Windows 2008 / Windows Server 2008 R2 clients: 5
Count is ‘aged’ from KMS host after 30 days
With SP2 or Windows Server 2008 R2 or Windows 7,
count can be a mix of physical and virtual
Customers deploying Windows Server 2008 as VMs only
KMS Facts
Good things about KMS
Clients don’t need internet or telephone access
Nothing to back up or restore on a KMS host
Just rebuild and reinstall KMS key
Very scalable – a lightweight service
Coexists well with other server roles
Scalability is rarely the reason for more than 1
or 2 KMS servers
Complicated environments, and politics, are
KMS Monitoring with SCOM 2007
KMS SCOM 2007 management pack
Supported platforms
Windows 2003
Windows Vista
Windows 2008
Report information in appendix
www.microsoft.com/downloads
MAK: Multiple Activation Key
Activation key with multiple activations
Unique per Product Group
Number of activations based on license
agreement
If exposed, you can request Microsoft to close it
down and issue a new one
Every MAK activation must touch Microsoft to
complete successfully
MAK Facts
Client only has to be activated once
To activate, MAK client must have direct or
(anonymous) proxy internet access
Else you must activate by phone
MAK activation can be added to an unattended
installation or included in master image (preferred)
Remaining # of MAK activations can be viewed
Online: Microsoft Volume License Service Center (VLSC),
eOpen, or MSDN
VAMT (Options -> Manage MAK Keys)
MAK Facts
Should not be your primary activation method
KMS is preferred method
Use MAKs where you can’t use KMS
Sufficient hardware changes will require
reactivation
MAK activation count decremented
Each cloned or ghosted system must be
activated separately
MAKs can be shut down (for example if leaked)
by calling the Microsoft Activation Call Center
MAK Activation Types
Direct activation
Client activates directly with Microsoft
Internet
Phone
Proxy activation
For scenarios where clients do not have Internet
access, and scale makes POTS* impractical
An intermediary (proxy) does the activation for the
client
Intermediary uses the Volume Activation Management
Tool (VAMT)
* Plain Old Telephone System
VA Utilities
Volume Activation Management Tool (VAMT)
Utility to automate and manage volume activation
on multiple clients (where necessary)
MAK Independent Activation
Installs MAKs and allows them to activate
MAK Proxy Activation
Installs MAKs to clients without Internet access, and activates
for them
KMS Activation
Installs & activates default VL keys
Version 1.1 available from Microsoft downloads
Version 1.2 (in WAIK) adds Windows 7 and
Windows Server 2008 R2 support
Monitoring KMS and MAK Usage
Volume Licensing Service Center
View KMS key information
View remaining MAK activations
http://go.microsoft.com/fwlink/?LinkId=107544
Monitor computer’s license conditions with
SMS 2003 SP3
System Center Configuration Manager 2007
Event Viewer on KMS hosts and clients
What to do with all this
Configuration Analysis
What do your networks look like?
Production network
Corporate forest and secondary trusted forests
Untrusted forests (development, mfg, etc.)
Workgroups
Secure networks with authorized firewall access
to production network
"Secure zone"
Assumption: no internet access
Configuration Analysis
Isolated networks
25+ clients
< 25 clients
Disconnected clients
Demo notebook for salesperson
No e-mail, etc. that would require regular
corporate network connections
Configuration Recommendations
Principles
KEEP IT SIMPLE!
Just because you can do lots of configuration
doesn’t mean you should
For example, using Vista as a KMS host
Use KMS as much as possible, and minimize the
number of KMS hosts
If you run out of activations (i.e. 6 servers),
Microsoft has an exception process to get more
Configuration Recommendations
Principles
Use MAKs only where you can't use KMS
You’ll probably need to design a solution to
cover several scenarios
KMS port (1688 by default) should never be
exposed outside the company
Access to a KMS host is the same as
handing out free volume licenses
Configuration Recommendations
Easy scenarios
Corporate forest and secondary trusting forests
KMS with DNS auto-discovery
Other zones
Assumes central or strong IT
Microsoft IT scenario
Firewalled environments (e.g. labs) that can
open port 1688
KMS
Auto-discovery vs. direct connection depends on
lab DNS configuration
Configuration Recommendations
Moderate scenarios
Untrusted forests (e.g. dev or test forests)
KMS
But KMS SRV, A, & perhaps AAAA records may need to be
registered and maintained in each DNS zone the untrusted
forest uses
Workgroups
KMS
DHCP clients probably use the corporate DNS
Static clients – no predicting
KMS SRV, A, & perhaps AAAA records may need to be
registered and maintained in that non-standard DNS zone
Configuration Recommendations
Moderate scenarios
ISV test labs: Systems constantly rebuilt to test
customer scenarios
Simply don't activate if builds aren’t permanent
OOB grace period can be reset 3 times
Slmgr.vbs -rearm
= 120* days for all VL editions
If builds really will expire, reuse CID from the first
MAK proxy activation
*240 days for Windows 2008
Configuration Recommendations
Complicated scenarios
Locked down firewalled environments without
any external access
MAK proxy activation
A time consuming, but hopefully infrequent task
If no MAKs, and clients > 25, then internal KMS
hosts
Delegating the KMS key to more admins increases the
risk of it being compromised
Admin must activate KMS itself by phone call
MAK - Activate with phone call
Not scalable
Configuration Recommendations
A simple solution
Use a standard client build?
Create a DNS CNAME record
kms.yourcompany.com
Round-robin a couple of KMS hosts behind it
Configure your build for direct connection
Slmgr.vbs –skms kms.yourcompany.com
All clients will simply go there, all the time
Bypasses auto-discovery complications
Configuration Principles (Again)
KEEP IT SIMPLE!
Just because you can do lots of configuration doesn’t mean you should
Use KMS as much as possible, and minimize the number of hosts
Corporate IT KMS for all, if politically possible
Use MAKs where you can't use KMS
You’ll probably need to design a solution to cover several
scenarios
KMS port (1688 by default) should never be exposed outside the
company
Access to a KMS host is the same as handing out free volume licenses
Summary
Volume Activation is here to stay
You must use it for all Microsoft new and future
operating systems
The details can be confusing
Follow these design principles and you’ll be in
good shape
[email protected]
[email protected]
VA Utilities
SLMGR.VBS
Main software licensing configuration tool
Most common switches
-ipk
Install product key
-ato Activate
-dli
Display license information
-xpr Expiration date for current license state
-skms Direct connection (vs. auto-discovery)
-rearm Reset OOB grace period (max 3 but 5 for
Windows Vista Enterprise)
In \system32 directory
VA Utilities
SLUI.EXE
The "kitchen sink" utility of Volume Activation
Most common switches
1: Display activation status
2: Attempts activation
3: Change product key
4: Display list of telephone numbers for activation
0x02a 0x<error code>
Diagnose 0x8007267C error in event 12293
SLUI 0x02a 0x8007267C
Error codes also in the VA Operations Guide
MOM KMS Reports
Report
Description
Activation Count
Summary
Shows the number of KMS Activations for each Windows edition, for several historical time
ranges.
KMS Activity
History
Graphically displays:
•Daily new KMS activations for each Windows edition.
•Daily KMS request activity, which includes both activations and renewals, for each
Windows edition.
Licensing Status
Summary
Shows the days remaining before expiration, for machines that have connected to a KMS,
for each License state.
Machine
Expiration Chart
Graphically displays the number of machines that are in Initial, OOT/Exp or non-Genuine
Grace, whose users could be locked out (Unlicensed) in the next 30 days.
Machine
Expiration Detail
Lists machines that are in Initial, OOT/Exp or non-Genuine Grace, whose users could be
locked out (Unlicensed) in the next 7 days.
Virtual Machine
Summary
Breaks out the cumulative number of virtual and physical machines that were activated via
KMS within the past 14 days, for each Windows edition.
KMS: Key Management Service
Service
Same on KMS host and KMS client
Windows Server 2008, Vista: SLSVC.EXE / "Software
Licensing"
Windows Server 2008 R2, Windows 7: SPPSVC.EXE
/ "Software Protection"
KMS Facts
VL editions are by default KMS clients
If you have auto-discovery configured, client
doesn’t need to do anything
A KMS doesn’t pay attention to license tracking
Remembers up to last 50 activations just for service
tracking
KMS also don’t pay attention to each other
Each KMS host can activate an unlimited number of
clients
KMS Facts
Up to 6 KMS hosts can be activated with one KMS key
Each KMS can be re-activated up to 10 times
KMS communicates with clients on TCP port 1688
KMS clients in labs need 1688 allowed on firewall for TCP
inbound / outbound
Unlike MAKs, KMS clients don’t touch Microsoft
The KMS host did that for them
A Vista KMS host will not support Windows 2008 KMS
clients
Not a good idea anyway
VAMT Proxy Activation
Isolated lab network
WMI firewall & network discovery exceptions must be enabled
on all clients
Admin installs VAMT on computer inside network
VAMT discovers clients
From AD (LDAP) if a domain is present
Through network discovery (NetServerEnum()) API if a workgroup
VAMT collects status from the discovered computers
Admin installs a MAK on VAMT
Admin uses VAMT to apply MAK to clients
Admin collects CIL (Computer Information List) from selected
computers
VAMT Proxy Activation
Isolated lab network
Admin exports CIL to removable media (e.g. USB key)
Can exclude sensitive environment data
Admin imports CIL into VAMT system with internet access
VAMT performs a MAK Proxy Activation, obtains Confirmation
IDs (CIDs) for clients in the list
Admin brings key back to lab, imports the CIL into VAMT
VAMT completes proxy activation by applying CIDs to clients
Note: This CIL can be re-used – thus not using more MAKs – if
systems are re-imaged on the same hardware
Resources
Windows 7 Deployment Client – TLC
Tue 5/12/2009 & Wed 5/13/2009
Volume Activation home
http://technet.microsoft.com/volumeactivation
Vista Volume Activation Technical Guidance
http://tinyurl.com/2tk8hs
KMS on Windows Server 2003 SP1
http://tinyurl.com/3cwyqu
Volume Activation Management Tool (VAMT)
http://tinyurl.com/2qwkwo
Windows Server Resources
Make sure you pick up your
copy of Windows Server 2008
R2 RC from the Materials
Distribution Counter
Learn More about Windows Server 2008 R2:
www.microsoft.com/WindowsServer2008R2
Technical Learning Center (Orange Section):
Highlighting Windows Server 2008 and R2 technologies
• Over 15 booths and experts from Microsoft and our partners
Resources
www.microsoft.com/teched
www.microsoft.com/learning
Sessions On-Demand & Community
Microsoft Certification & Training Resources
http://microsoft.com/technet
http://microsoft.com/msdn
Resources for IT Professionals
Resources for Developers
www.microsoft.com/learning
Microsoft Certification and Training Resources
Complete an
evaluation on
CommNet and
enter to win!
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should
not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.