Licensing Your Windows Server 2008 and Windows Vista Deployments • Session Code: WSV314 • Kalpesh Patel, Senior Lead Program Manager, Microsoft • Sean Deuby, Senior Enterprise Solution Strategist, Advaiya
Agenda • Session Goals • Volume Activation Overview • Details • KMS • MAKs • Recommendations • References • Appendix
Session Goals • Explain Volume Activation (VA) • Expose its unique requirements • Show typical scenarios and my recommendations • Help you understand what you need to do • Because you will need to do something • If you plan to deploy Windows OS volume versions, you need to understand VA
Setting The Stage for VA* • Denial – “This can't be real” • “Microsoft wouldn't actually implement something like this!” • Anger – “Why me?” • “As if I don’t have enough to do already?!” • Bargaining – “If I do this, you’ll do that” • “Maybe if I just bought all the copies at the local computer store with a really big shopping cart…” • Depression – “Defeated” • “I REALLY don’t want to go through this” • Acceptance – “This is going to happen” • “Microsoft isn't going to change their policy just for me; guess I'd better figure it out. At least it's job security!” * With apologies to Elisabeth Kübler-Ross
VA Overview: What’s KMS? What’s MAK?
In The Beginning: Product Activation • Retail Activation • "Unlocking" the software for use by entering a product key • Standard method for retail (e.g. Vista Home) • OEM Activation • Pre-activation by OEMs (e.g. HP), client need do nothing • Volume License Key (VLK) for Windows XP/Windows Server 2003 • For volume license customers, typically with hundreds or thousands of systems • Use of a special license key that bypasses product activation • Much more scalable than retail activation
The New Kid: Volume Activation • Volume Activation is a major rework of the original • Previously one VLK was used for multiple systems • Now – systems must "activate" (validate license) with Microsoft • Aimed specifically at preventing casual copying • For example, lending a genuine disc around • Retail media still requires individual keys • Volume editions use one of two activation methods: KMS or MAK
KMS and MAK • KMS • Sort of like DHCP • KMS host controls activations • Volume client requests and receives activation • MAK • A Multiple Activation Key (MAK) is like retail but allows more than one activation • Limit is dependent on agreement type with Microsoft (Open, Select, EA, etc) • Similar to MSDN Universal keys • Both use "grace periods"
Microsoft’s States of Grace • The Good • Initial Out-Of-Box (OOB) Grace • First 30 days after installation for all VL editions except • Windows Server 2008: 60 days • Reset by running ‘slmgr /rearm’ or ‘sysprep /generalize’ • Licensed • Activated, renewing where required (KMS) • No user notifications – the "normal" state
Microsoft’s States of Grace • The Bad • Out-Of-Tolerance (OOT) Grace (30 days for all VL editions) • Hardware has changed enough to require re-activation • KMS expiration • Notification state • License has expired • Windows Vista SP1+ and Windows Server 2008+ • Black desktop • Hourly "non genuine" notifications
Microsoft’s States of Grace • The Ugly • Unlicensed • License sub-system cannot determine its own state (i.e. missing / corrupt binaries, data stores, etc)
VA Details: KMS and MAKs Under the Covers
KMS: Key Management Service • Recommended VA method • KMS uses a client/server architecture • KMS host controls activations • Volume client requests and receives activation • Host operating systems: Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2 • Windows Server 2003 SP1+, with the KMS host update from http://microsoft.com/downloads • x86 or x64 • Can run on a virtual machine
KMS and Its Clients • By default, volume editions need a KMS environment to function normally • Without KMS they will expire, go into notification state, and notify the user
Creating a KMS Host • Obtain a KMS key from the volume licensing portal • Install the KMS host’s OS • Install the KMS key: SLMGR.VBS /ipk <key> (requires elevated privileges) • Activate the KMS host with Microsoft • Online activation (i.e. over the Internet): SLMGR.VBS /ato • Telephone activation: SLUI.EXE 4, then follow the on-screen instructions • Each KMS key can activate a maximum of 6 different KMS hosts • Exceptions managed through the Activation Call Center
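The host-build procedure above, scripted end to end as an added example (not part of the original deck and not a Microsoft tool). It drives slmgr.vbs exactly as the slide does, then checks the result through the SoftwareLicensingService WMI class that slmgr.vbs itself wraps rather than trusting the script's text output, and finally scopes the inbound firewall rule for the KMS port to internal address ranges, since any client that can reach that port is handed a volume licence. The KMS key, the rule name and the 10.0.0.0/8 range are placeholders to replace with your own; run it in an elevated PowerShell session on the machine that will become the KMS host.

```powershell
# Added example: build and verify a KMS host (not from the original deck).
# Assumptions: -KmsKey is your own KMS host key from the volume licensing portal;
# -InternalRanges (default 10.0.0.0/8) is a placeholder for your internal address space.
param(
    [Parameter(Mandatory = $true)][string]$KmsKey,
    [string[]]$InternalRanges = @('10.0.0.0/8')
)

$slmgr = Join-Path $env:SystemRoot 'System32\slmgr.vbs'

function Invoke-Slmgr {
    # slmgr.vbs is a WSH script, so it runs through cscript; //NoLogo drops the banner.
    # PowerShell expands the $Arguments array into separate native arguments.
    param([string[]]$Arguments)
    & cscript.exe //NoLogo $slmgr $Arguments 2>&1 | ForEach-Object { "slmgr $($Arguments -join ' '): $_" }
}

# Step 1: install the KMS host key (needs elevation).
Invoke-Slmgr @('/ipk', $KmsKey)

# Step 2: activate the host with Microsoft over the Internet.
# With no Internet access run 'slui.exe 4' instead and activate by telephone.
Invoke-Slmgr @('/ato')

# Step 3: verify through the WMI class slmgr.vbs uses.
$svc = Get-WmiObject -Namespace 'root\cimv2' -Class SoftwareLicensingService
if (-not $svc.IsKeyManagementServiceMachine) {
    throw 'Host is not running as a KMS host: check that the key is a KMS key and that activation succeeded.'
}
$port = $svc.KeyManagementServiceListeningPort
[pscustomobject]@{
    ListeningPort = $port                                          # 1688 unless changed with slmgr /sprt
    DnsPublishing = [bool]$svc.KeyManagementServiceDnsPublishing   # publishes the _VLMCS._TCP SRV record
    CurrentCount  = $svc.KeyManagementServiceCurrentCount          # unique clients seen in the last 30 days
    RequiredCount = $svc.RequiredClientCount                       # 25 for client SKUs, 5 for servers
} | Format-List

# Step 4: the KMS port must never be reachable from outside the company. Allow it inbound
# only from the internal ranges instead of from anywhere.
$remote = $InternalRanges -join ','
& netsh.exe advfirewall firewall add rule name=KMS-1688-internal-only dir=in action=allow protocol=TCP "localport=$port" "remoteip=$remote"
```

Re-run the WMI query after the first clients have contacted the host: CurrentCount climbing towards RequiredCount is the only sign you get that discovery is working before any client actually activates.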
Locating A KMS Host • Direct connection • Forces client to look only at FQDN or IP of KMS host • KMS host & port added to registry • SLMGR.VBS /skms <KMS_FQDN or IP>[:<port>] • Auto-discovery • Client uses DNS to locate a KMS host by looking up service (SRV) resource records, published by the host • KMS publishes new DNS SRV record to its DNS zone: • _VLMCS._TCP (_service._protocol) • Any DNS that supports SRV records and dynamic update will accept this
KMS Client Auto-Discovery (client, AD / DNS and KMS host) • 0. KMS host registers its SRV record in DNS • 1. Client queries DNS for _VLMCS SRV entries • 2. DNS returns all KMS hosts that match • 3. Client selects a KMS host from the DNS list and sends an anonymous RPC request • 4. KMS host returns its current count; the client self-activates if the count >= the required value
KMS Auto-Discovery Facts • KMS host doesn’t automatically publish SRV records to any other DNS zones in the forest • I.e. other child domains • You can tell KMS to manually publish records to other DNS domains / zones • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SL\DnsDomainPublishList • REG_MULTI_SZ • Enter each domain on separate lines • KMS host requires rights in the target DNS zone to write SRV records • Target zone must also be able to resolve KMS host name • If DNS server in zone containing KMS is not configured as forwarder for the target zone, must add A and AAAA (IPv6) records
KMS Auto-Discovery Facts • Workgroup clients use primary DNS suffix or DNS domain issued by DHCP (option 15) • Active Directory clients use primary DNS suffix or AD DNS domain name
Enhancements to KMS Discovery Windows 7 and Windows Server 2008 R2 • Client searches for KMS host in DNS suffix list • Admin can advertise an SRV entry for KMS in one DNS zone • Most clients have DNS suffix search list • redmond.corp.microsoft.com • corp.microsoft.com • microsoft.com • Enhancement allows KMS clients with other primary DNS servers to find KMS host by walking their suffix list • Multi-domain forests require only 1 KMS entry
Enhancements to KMS Discovery Windows 7 and Windows Server 2008 R2 • DNS SRV weight & priority • Client selects a KMS host based on SRV record priority and weight, which orders the list of KMS hosts DNS returns • Windows Server 2008 and Windows Vista clients do not use them; they choose a random KMS host from the list returned by DNS • Windows Server 2008 R2 and Windows 7 support priority and weight, but you probably don’t need them • Disable KMS host caching (slmgr /ckhc) to force the client to use the KMS host returned by each DNS query
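Both sides of discovery as an added example (not from the deck): the host half writes DnsDomainPublishList so one KMS host advertises into further zones, and the client half walks the DNS suffix search list the way the Windows 7 / 2008 R2 enhancement does, orders the candidates by SRV priority and weight, and shows whether the client is on auto-discovery or pinned to a host with slmgr /skms. It assumes Resolve-DnsName from the DnsClient module (Windows 8 / Server 2012 and later; on Vista / 2008-era machines substitute nslookup -type=SRV), the Windows 7 / 2008 R2 registry location under SoftwareProtectionPlatform alongside the SL path the slide gives, and placeholder zone names.

```powershell
# Added example (not from the original deck). Zone names are placeholders.

function Publish-KmsToZones {
    # Host side: make the KMS host publish its _VLMCS._TCP SRV record into extra zones.
    # The host needs write rights in each target zone, and each zone must resolve the host name.
    param([Parameter(Mandatory = $true)][string[]]$Zones)   # e.g. 'dev.example.com', 'mfg.example.com'
    $slPath  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SL'                          # Vista / 2008
    $sppPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'  # 7 / 2008 R2 (assumption)
    $path = if (Test-Path $sppPath) { $sppPath } else { $slPath }
    New-ItemProperty -Path $path -Name DnsDomainPublishList -PropertyType MultiString -Value $Zones -Force | Out-Null
    # The list is read at service start: slsvc on Vista / 2008, sppsvc on 7 / 2008 R2.
    $svcName = if (Get-Service -Name sppsvc -ErrorAction SilentlyContinue) { 'sppsvc' } else { 'slsvc' }
    Restart-Service -Name $svcName
}

function Find-KmsHosts {
    # Client side: query the SRV record in every suffix the client would search, then order by
    # priority (lowest first) and weight (highest first), which 7 / 2008 R2 clients honour;
    # Vista / 2008 clients pick at random and consult only the primary suffix.
    $suffixes = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object { $_.DNSDomain; $_.DNSDomainSuffixSearchOrder } |
        Where-Object { $_ } | Select-Object -Unique
    $candidates = foreach ($suffix in $suffixes) {
        Resolve-DnsName -Name "_vlmcs._tcp.$suffix" -Type SRV -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object {
                [pscustomobject]@{ Zone = $suffix; KmsHost = $_.NameTarget; Port = $_.Port
                                   Priority = $_.Priority; Weight = $_.Weight }
            }
    }
    $candidates | Sort-Object -Property Priority, @{ Expression = 'Weight'; Descending = $true }
}

function Get-KmsClientTarget {
    # Which host will this client actually talk to? A value set with 'slmgr /skms' overrides
    # auto-discovery entirely; an empty value means DNS discovery (see Find-KmsHosts).
    $svc = Get-WmiObject -Class SoftwareLicensingService
    if ($svc.KeyManagementServiceMachine) {
        "Direct connection: $($svc.KeyManagementServiceMachine):$($svc.KeyManagementServicePort)"
    } else {
        'Auto-discovery via DNS SRV records; candidates in preference order:'
        Find-KmsHosts | Format-Table -AutoSize
    }
}

# Usage on a client:
#   Get-KmsClientTarget
# To pin every client to one well-known name instead (the deck's direct-connection approach):
#   cscript.exe //NoLogo "$env:SystemRoot\System32\slmgr.vbs" /skms kms.yourcompany.com:1688
# Back to auto-discovery, and stop caching the last host used so each DNS answer is honoured:
#   cscript.exe //NoLogo "$env:SystemRoot\System32\slmgr.vbs" /ckms
#   cscript.exe //NoLogo "$env:SystemRoot\System32\slmgr.vbs" /ckhc
```

If Find-KmsHosts returns a host in a zone you did not expect, that zone carries a _VLMCS SRV record of its own; given that reaching a KMS host is all a client needs to activate, treat an unknown answer as something to track down rather than a convenience.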
KMS Key Groups • KMS can only support one key at a time • How can one key support different products? • Key groups • A hierarchy of licensing keys that can activate all products below them • Server Group C • Server Group B • Server Group A • Client VL
Product Key Groups • Group C: Windows Server 2008 Datacenter, Windows Server 2008 for Itanium; also activates Group B editions • Group C (R2): Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 for Itanium; also activates Group B and previous editions • Group B: Windows Server 2008 Enterprise, Windows Server 2008 Standard; also activates Group A editions • Group B (R2): Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Standard; also activates Group A and previous editions • Group A: Windows Web Server 2008, Windows HPC Server 2008; also activates Client VL editions • Group A (R2): Windows Web Server 2008 R2, Windows Server 2008 R2 HPC; also activates Client VL and previous editions • Client VL: Windows Vista Enterprise, Windows Vista Business • Client VL (R2 generation): Windows 7 Enterprise, Windows 7 Professional; also activates previous editions
KMS Activation Validity Interval • Upon initial startup, client has initial grace period • Attempts to contact KMS host every 2 hours by default • After activation, license period is set to 180 days (6 months) • Client contacts KMS every 7 days by default to renew its activation • Successful – activation validity interval reset to 180 • Failure – Client retries another KMS immediately
KMS Infrastructure Service Requirements • Minimal network data (~500 bytes round trip) • Involves crypto operations (CPU) • Client KMS request TTL: 15 seconds • Not time critical for clients • Grace periods (Initial and OOT): 360 attempts (every 2 hours for 30 days) • Silent renewal: every 7 days for 180 days = 26+ attempts • Notifications: user has access to all features and is warned as the expiration date approaches • Microsoft tested KMS on one DC, with one backup • The Windows Server 2008 R2 RC KMS host is a virtual machine
KMS Activation Count • Unlike MAK clients, KMS clients require regular reactivation • A KMS host will hand out an unlimited number of licenses, but… • A KMS host will not begin activating clients until multiple unique clients have contacted it (the activation count) • Windows Vista / Windows 7 clients: 25 • Windows Server 2008 / Windows Server 2008 R2 clients: 5 • Count is ‘aged’ out of the KMS host after 30 days • With SP2, or with Windows Server 2008 R2 or Windows 7, the count can be a mix of physical and virtual machines; this matters for customers deploying Windows Server 2008 as VMs only
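A client-side check of the state machine described on the last three slides, as an added example (not from the deck and not part of VAMT). It reads the same WMI classes slmgr.vbs uses, converts GracePeriodRemaining (reported in minutes) to days, and tells a KMS client whose 180-day window is draining because renewals are failing apart from a MAK client, whose licence has no expiry. The 150-day alarm threshold is an arbitrary choice for illustration; the ApplicationID is the one slmgr.vbs uses to select the Windows licence.

```powershell
# Added example (not from the original deck): report a volume client's activation state.
# The status codes are those of the SoftwareLicensingProduct WMI class; 150 days is an
# arbitrary alarm threshold chosen for this example.

$LicenseStateNames = @{
    0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOB grace'; 3 = 'OOT grace'
    4 = 'Non-genuine grace'; 5 = 'Notification'; 6 = 'Extended grace'
}
$WindowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'   # ApplicationID slmgr.vbs uses for the Windows licence

function Get-VaState {
    $prod = Get-WmiObject -Class SoftwareLicensingProduct `
        -Filter "ApplicationID = '$WindowsAppId' AND PartialProductKey IS NOT NULL"
    $svc = Get-WmiObject -Class SoftwareLicensingService
    # The Description string carries the channel: VOLUME_KMSCLIENT or VOLUME_MAK.
    $channel = 'Other'
    if ($prod.Description -match 'VOLUME_KMSCLIENT') { $channel = 'KMS' }
    elseif ($prod.Description -match 'VOLUME_MAK')   { $channel = 'MAK' }
    [pscustomobject]@{
        Edition       = $prod.Name
        Channel       = $channel
        State         = $LicenseStateNames[[int]$prod.LicenseStatus]
        DaysRemaining = [math]::Round($prod.GracePeriodRemaining / 1440, 1)   # minutes -> days
        KmsHostDirect = $svc.KeyManagementServiceMachine   # set by slmgr /skms; empty = auto-discovery
        ActivationMin = $svc.VLActivationInterval          # default 120 min while in a grace state
        RenewalDays   = $svc.VLRenewalInterval / 1440      # default 7 days once licensed
    }
}

function Test-VaState {
    # Turn the state into the action the "states of grace" slides imply.
    param([int]$AlarmDays = 150)
    $s = Get-VaState
    switch ($s.State) {
        'Licensed' {
            # A KMS client is reset to 180 days on every successful renewal; a steadily
            # falling value means it is no longer reaching any KMS host. MAK clients report 0.
            if ($s.Channel -eq 'KMS' -and $s.DaysRemaining -lt $AlarmDays) {
                Write-Warning "KMS renewal is failing: $($s.DaysRemaining) days left before notification state"
            }
        }
        'OOB grace'    { Write-Warning "Never activated; retrying KMS every $($s.ActivationMin) min for $($s.DaysRemaining) more days" }
        'OOT grace'    { Write-Warning 'Hardware change or KMS expiry; reactivate within the 30-day OOT window' }
        'Notification' { Write-Warning 'Expired: hourly notifications and black desktop until reactivated' }
        'Unlicensed'   { Write-Warning 'Licensing subsystem cannot determine its own state; repair the installation' }
    }
    $s
}

Test-VaState
```

Run from a logon script or a SCCM collection query, the DaysRemaining column is the earliest signal that a site has lost its KMS host: the clients stay Licensed for up to 180 days, so by the time the first one enters notification state the whole site is about to follow.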
KMS Facts: Good things about KMS • Clients don’t need internet or telephone access • Nothing to back up or restore on a KMS host • Just rebuild and reinstall the KMS key • Very scalable – a lightweight service • Coexists well with other server roles • Scalability is rarely the reason for more than 1 or 2 KMS servers • Complicated environments, and politics, are
KMS Monitoring with SCOM 2007 • KMS SCOM 2007 management pack • Supported platforms • Windows 2003 • Windows Vista • Windows 2008 • Report information in appendix • www.microsoft.com/downloads
MAK: Multiple Activation Key • Activation key with multiple activations • Unique per Product Group • Number of activations based on license agreement • If exposed, you can request Microsoft to close it down and issue a new one • Every MAK activation must touch Microsoft to complete successfully
MAK Facts • Client only has to be activated once • To activate, MAK client must have direct or (anonymous) proxy internet access • Else you must activate by phone • MAK activation can be added to an unattended installation or included in master image (preferred) • Remaining # of MAK activations can be viewed • Online: Microsoft Volume License Service Center (VLSC), eOpen, or MSDN • VAMT (Options -> Manage MAK Keys)
MAK Facts • Should not be your primary activation method • KMS is preferred method • Use MAKs where you can’t use KMS • Sufficient hardware changes will require reactivation • MAK activation count decremented • Each cloned or ghosted system must be activated separately • MAKs can be shut down (for example if leaked) by calling the Microsoft Activation Call Center
MAK Activation Types • Direct activation • Client activates directly with Microsoft • Internet • Phone • Proxy activation • For scenarios where clients do not have Internet access, and scale makes POTS* impractical • An intermediary (proxy) does the activation for the client • Intermediary uses the Volume Activation Management Tool (VAMT) * Plain Old Telephone System
VA Utilities: Volume Activation Management Tool (VAMT) • Utility to automate and manage volume activation on multiple clients (where necessary) • MAK Independent Activation • Installs MAKs and allows them to activate • MAK Proxy Activation • Installs MAKs to clients without Internet access, and activates for them • KMS Activation • Installs & activates default VL keys • Version 1.1 available from Microsoft downloads • Version 1.2 (in WAIK) adds Windows 7 and Windows Server 2008 R2 support
Monitoring: KMS and MAK Usage • Volume Licensing Service Center • View KMS key information • View remaining MAK activations • http://go.microsoft.com/fwlink/?LinkId=107544 • Monitor computers’ license conditions with • SMS 2003 SP3 • System Center Configuration Manager 2007 • Event Viewer on KMS hosts and clients
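The Event Viewer route on the KMS host, as an added example (not from the deck). Every request the host answers is logged as event 12290 in the "Key Management Service" log, and since anyone who can reach port 1688 gets an activation, the list of requesters is the list of machines you have effectively licensed. The script parses those events, counts distinct CMIDs (what the activation count is actually built from), flags a CMID shared by several machine names, and lists requesters outside the namespace you expect. It assumes the documented field order of the 12290 Info string (error code, minimum count, client name, CMID, timestamp, VM flag, licence status, minutes to expiry, SKU id), which you should check against one of your own events first; 'corp.example.com' and the 30-day window are placeholders.

```powershell
# Added example (not from the original deck): audit which machines a KMS host has activated.
# Assumption: the 12290 "Info:" fields follow the documented order (error code, minimum
# count, client name, CMID, timestamp, VM flag, licence status, minutes to expiry, SKU id).
# 'corp.example.com' and the 30-day window are placeholders.

function Get-KmsRequests {
    param([int]$Days = 30)
    $filter = @{ LogName = 'Key Management Service'; Id = 12290; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $fields = (($_.Message -split 'Info:')[-1]).Trim() -split ','
        if ($fields.Count -ge 9) {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Client = $fields[2].Trim()
                Cmid   = $fields[3].Trim()
                IsVM   = ($fields[5].Trim() -eq '1')
                Status = [int]$fields[6]
                SkuId  = $fields[8].Trim()
            }
        }
    }
}

function Test-KmsRequests {
    param([string]$ExpectedSuffix = 'corp.example.com', [int]$Days = 30)
    $requests = @(Get-KmsRequests -Days $Days)
    # The activation count is built from distinct CMIDs, so clones that skipped
    # 'sysprep /generalize' share one CMID and count once however many of them there are.
    $byCmid = @($requests | Group-Object -Property Cmid)
    "$($requests.Count) requests from $($byCmid.Count) distinct CMIDs in the last $Days days"
    foreach ($g in $byCmid) {
        $names = @($g.Group | Select-Object -ExpandProperty Client -Unique)
        if ($names.Count -gt 1) { Write-Warning "CMID $($g.Name) shared by: $($names -join ', ')" }
    }
    # Anything outside the expected namespace is a machine you did not intend to license;
    # reaching port 1688 is all it took.
    $requests | Where-Object { $_.Client -notlike "*.$ExpectedSuffix" } |
        Sort-Object -Property Client -Unique | Select-Object Client, Cmid, Time, IsVM
}

Test-KmsRequests
```

Scheduling Test-KmsRequests on each KMS host and forwarding its output alongside the SCOM management pack data gives you both views the slide asks for: licence consumption, and who is consuming it.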
Recommendations: What to do with all this
Configuration Analysis: What do your networks look like? • Production network • Corporate forest and secondary trusted forests • Untrusted forests (development, mfg, etc.) • Workgroups • Secure networks with authorized firewall access to production network • "Secure zone" • Assumption: no internet access
Configuration Analysis • Isolated networks • 25+ clients • < 25 clients • Disconnected clients • Demo notebook for salesperson • No e-mail, etc. that would require regular corporate network connections
Configuration Recommendations: Principles • KEEP IT SIMPLE! • Just because you can do lots of configuration doesn’t mean you should • For example, using Vista as a KMS host • Use KMS as much as possible, and minimize the number of KMS hosts • If you run out of activations (i.e. 6 servers), Microsoft has an exception process to get more
Configuration Recommendations: Principles • Use MAKs only where you can't use KMS • You’ll probably need to design a solution to cover several scenarios • KMS port (1688 by default) should never be exposed outside the company • Access to a KMS host is the same as handing out free volume licenses
Configuration Recommendations: Easy scenarios • Corporate forest and secondary trusting forests • KMS with DNS auto-discovery • Other zones • Assumes central or strong IT • Microsoft IT scenario • Firewalled environments (e.g. labs) that can open port 1688 • KMS • Auto-discovery vs. direct connection depends on lab DNS configuration
Configuration Recommendations: Moderate scenarios • Untrusted forests (e.g. dev or test forests) • KMS • But KMS SRV, A, & perhaps AAAA records may need to be registered and maintained in each DNS zone the untrusted forest uses • Workgroups • KMS • DHCP clients probably use the corporate DNS • Static clients – no predicting • KMS SRV, A, & perhaps AAAA records may need to be registered and maintained in that non-standard DNS zone
Configuration Recommendations: Moderate scenarios • ISV test labs: systems constantly rebuilt to test customer scenarios • Simply don't activate if builds aren’t permanent • OOB grace period can be reset 3 times with slmgr.vbs -rearm, giving 120 days in total for all VL editions (240 days for Windows Server 2008, whose initial grace period is 60 days) • If builds really will expire, reuse the CID (Confirmation ID) from the first MAK proxy activation
Configuration Recommendations: Complicated scenarios • Locked down firewalled environments without any external access • MAK proxy activation • A time consuming, but hopefully infrequent task • If no MAKs, and clients > 25, then internal KMS hosts • Delegating the KMS key to more admins increases the risk of it being compromised • Admin must activate KMS itself by phone call • MAK - Activate with phone call • Not scalable
Configuration Recommendations: A simple solution • Use a standard client build? • Create a DNS alias: a CNAME record such as kms.yourcompany.com • Round-robin a couple of KMS hosts behind it (point the alias at a name carrying one A record per KMS host, so DNS rotates between them) • Configure your build for direct connection: slmgr.vbs –skms kms.yourcompany.com • All clients will simply go there, all the time • Bypasses auto-discovery complications
Configuration Principles (Again) • KEEP IT SIMPLE! • Just because you can do lots of configuration doesn’t mean you should • Use KMS as much as possible, and minimize the number of hosts • Corporate IT KMS for all, if politically possible • Use MAKs where you can't use KMS • You’ll probably need to design a solution to cover several scenarios • KMS port (1688 by default) should never be exposed outside the company • Access to a KMS host is the same as handing out free volume licenses
Summary • Volume Activation is here to stay • You must use it for all Microsoft new and future operating systems • The details can be confusing • Follow these design principles and you’ll be in good shape
Question & Answer • Kalpesh.Patel@microsoft.com • Sean.Deuby@advaiya.com
VA Utilities: SLMGR.VBS • Main software licensing configuration tool (in the \system32 directory) • Most common switches: • -ipk Install product key • -ato Activate • -dli Display license information • -xpr Expiration date for current license state • -skms Direct connection (vs. auto-discovery) • -rearm Reset OOB grace period (max 3, but 5 for Windows Vista Enterprise)