1 / 62

Licensing Your Windows Server 2008 and Windows Vista Deployments

Licensing Your Windows Server 2008 and Windows Vista Deployments. Kalpesh Patel Senior Lead Program Manager Microsoft Session Code: WSV314. Sean Deuby Senior Enterprise Solution Strategist Advaiya. Agenda. Session Goals Volume Activation Overview Details KMS MAKs Recommendations

gracie
Download Presentation

Licensing Your Windows Server 2008 and Windows Vista Deployments

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Licensing Your Windows Server 2008 and Windows Vista Deployments Kalpesh Patel Senior Lead Program Manager Microsoft Session Code: WSV314 • Sean Deuby • Senior Enterprise Solution Strategist • Advaiya

  2. Agenda • Session Goals • Volume Activation Overview • Details • KMS • MAKs • Recommendations • References • Appendix

  3. Session Goals • Explain Volume Activation (VA) • Expose its unique requirements • Show typical scenarios and my recommendations • Help you understand what you need to do • Because you will need to do something • If you plan to deploy Windows OS volume versions, you need to understand VA

  4. Setting The Stage for VA* • Denial – “This can't be real” • “Microsoft wouldn't actually implement something like this!” • Anger – “Why me?” • “As if I don’t have enough to do already?!” • Bargaining – “If I do this, you’ll do that” • “Maybe if I just bought all the copies at the local computer store with a really big shopping cart…” • Depression – “Defeated” • “I REALLY don’t want to go through this” • Acceptance – “This is going to happen” • “Microsoft isn't going to change their policy just for me; guess I'd better figure it out. At least it's job security!” * With apologies to Elisabeth Kübler-Ross

  5. VA Overview What’s KMS? What’s MAK?

  6. In The Beginning: Product Activation • Retail Activation • "Unlocking" the software for use by entering a product key • Standard method for retail (e.g. Vista Home) • OEM Activation • Pre-activation by OEMs (e.g. HP), client need do nothing • Volume License Key (VLK) for Windows XP/Windows Server 2003 • For volume license customers, typically with hundreds or thousands of systems • Use of a special license key that bypasses product activation • Much more scalable than retail activation

  7. The New Kid: Volume Activation • Volume Activation is a major rework of the original • Previously one VLK was used for multiple systems • Now – systems must "activate" (validate license) with Microsoft • Aimed specifically at preventing casual copying • For example, lending a genuine disc around • Retail media still requires individual keys • Volume editions use one of two activation methods: KMS or MAK

  8. KMS and MAK • KMS • Sort of like DHCP • KMS host controls activations • Volume client requests and receives activation • MAK • A Multiple Activation Key (MAK) is like retail but allows more than one activation • Limit is dependent on agreement type with Microsoft (Open, Select, EA, etc) • Similar to MSDN Universal keys • Both use "grace periods"

  9. Microsoft’s States of Grace • The Good • Initial Out-Of-Box (OOB) Grace • First 30 days after installation for all VL editions except • Windows Server 2008: 60 days • Reset by running ‘slmgr /rearm’ or ‘sysprep /generalize’ • Licensed • Activated, renewing where required (KMS) • No user notifications – the "normal" state

  10. Microsoft’s States of Grace • The Bad • Out-Of-Tolerance (OOT) Grace (30 days for all VL editions) • Hardware has changed enough to require re-activation • KMS expiration • Notification state • License has expired • Windows Vista SP1+ and Windows Server 2008+ • Black desktop • Hourly "non genuine" notifications

  11. Microsoft’s States of Grace • The Ugly • Unlicensed • License sub-system cannot determine its own state (i.e. missing / corrupt binaries, data stores, etc)

  12. VA Details KMS and MAKs Under the Covers

  13. KMS: Key Management Service • Recommended VA method • KMS uses client / server architecture • KMS host controls activations • Volume client requests and receives activation • Host operating system • Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2 • Windows 2003 SP1 +: http://microsoft.com/downloads • X86 or x64 • Can run on a virtual machine

  14. KMS and Its Clients • By default, volume editions need a KMS environment to function normally • Without KMS they will expire, go into notification state, and notify the user

  15. Creating a KMS Host • Obtain KMS key from volume licensing portal • Install the KMS host’s OS • Install the KMS key • SLMGR.VBS /ipk <key> • Requires elevated privileges • Activate the KMS host with Microsoft • Online activation (i.e. Internet) • SLMGR.VBS /ato • Telephone activation • SLUI.EXE 4 • Follow on-screen instructions • Each KMS key can create max of 6 different KMS hosts • Exceptions managed through the Activation Call Center

  16. Locating A KMS Host • Direct connection • Forces client to look only at FQDN or IP of KMS host • KMS host & port added to registry • SLMGR.VBS /skms <KMS_FQDN or IP>[:<port>] • Auto-discovery • Client uses DNS to locate a KMS host by looking up service (SRV) resource records, published by the host • KMS publishes new DNS SRV record to its DNS zone: • _VLMCS._TCP (_service._protocol) • Any DNS that supports SRV records and dynamic update will accept this

  17. KMS Client Auto-Discovery AD / DNS 0. KMS registers SRV record 1. Client queries DNS for _VLMCS SRV entries 2. DNS returns all KMS hosts that match 3. Client selects a KMS from DNS list and sends an anonymous RPC "request" 4. KMS returns current count - client self-activates if count >= required value KMS Host KMS Client

  18. KMS Auto-Discovery Facts • KMS host doesn’t automatically publish SRV records to any other DNS zones in the forest • I.e. other child domains • You can tell KMS to manually publish records to other DNS domains / zones • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SL\DnsDomainPublishList • REG_MULTI_SZ • Enter each domain on separate lines • KMS host requires rights in the target DNS zone to write SRV records • Target zone must also be able to resolve KMS host name • If DNS server in zone containing KMS is not configured as forwarder for the target zone, must add A and AAAA (IPv6) records

  19. KMS Auto-Discovery Facts • Workgroup clients use primary DNS suffix or DNS domain issued by DHCP (option 15) • Active Directory clients use primary DNS suffix or AD DNS domain name

  20. Enhancements to KMS Discovery Windows 7 and Windows Server 2008 R2 • Client searches for KMS host in DNS suffix list • Admin can advertise an SRV entry for KMS in one DNS zone • Most clients have DNS suffix search list • redmond.corp.microsoft.com • corp.microsoft.com • microsoft.com • Enhancement allows KMS clients with other primary DNS servers to find KMS host by walking their suffix list • Multi-domain forests require only 1 KMS entry

  21. Enhancements to KMS Discovery Windows 7 and Windows Server 2008 R2 • DNS SRV weight & priority • Client will select KMS host based on SRV record priority and weight • Orders the list of KMS hosts DNS returns • Windows Server 2008, Windows Vista do not use • KMS clients choose a random KMS host from the list returned by DNS • Windows Server 2008 R2, Windows 7 support this • But you probably don’t need it • Disable KMS host caching (slmgr /ckhc) • Forces client to use KMS host returned by DNS query

  22. KMS Key Groups • KMS can only support one key at a time • How can one key support different products? • Key groups • A hierarchy of licensing keys that can activate all products below them • Server Group C • Server Group B • Server Group A • Client VL

  23. Product Key Groups Group C Windows Server 2008 Datacenter Windows Server 2008 for Itanium + Group B editions Group C Windows Server 2008 R2 Datacenter Windows Server 2008 R2 for Itanium + Group B & previous editions Group B Windows Server 2008 Enterprise Windows Server 2008 Standard + Group A editions Group B Windows Server 2008 Enterprise R2 Windows Server 2008 Standard R2 + Group A & previous editions Group A Windows Web Server 2008 Windows HPC Server 2008 +Client VL editions Group A Windows Web Server 2008 R2 Windows Server 2008 R2 HPC + Client and previous editions Client VL Windows Vista Enterprise Windows Vista Business Client VL Windows 7 Enterprise Windows 7 Professional + previous editions

  24. KMS Activation Validity Interval • Upon initial startup, client has initial grace period • Attempts to contact KMS host every 2 hours by default • After activation, license period is set to 180 days (6 months) • Client contacts KMS every 7 days by default to renew its activation • Successful – activation validity interval reset to 180 • Failure – Client retries another KMS immediately

  25. KMS Infrastructure ServiceRequirements • Minimal network data (~500/bytes roundtrip) • Involves crypto operations (CPU) • Client KMS request TTL: 15 seconds • Not time critical for clients • Grace periods (Initial and OOT) • 360 attempts (every 2 hours for 30 days) • Silent Renewal • Every 7 days for 180 days = 26+ attempts • Notifications • User has access to all features • User is warned as expiration date approaches • Microsoft tested KMS on one DC, with one backup • Windows Server 2008 R2 RC KMS host is a virtual machine

  26. KMS Activation Count • Unlike MAK clients, KMS clients require regular reactivation • A KMS will hand out an unlimited # of licenses, but… • A KMS will not begin activating clients until multiple unique clients contact it (activation count) • Windows Vista / Windows 7 clients: 25 • Windows 2008 / Windows Server 2008 R2 clients: 5 • Count is ‘aged’ from KMS host after 30 days • With SP2 or Windows Server 2008 R2 or Windows 7, count can be a mix of physical and virtual • Customers deploying Windows Server 2008 as VMs only

  27. KMS FactsGood things about KMS • Clients don’t need internet or telephone access • Nothing to back up or restore on a KMS host • Just rebuild and reinstall KMS key • Very scalable – a lightweight service • Coexists well with other server roles • Scalability is rarely the reason for more than 1 or 2 KMS servers • Complicated environments, and politics, are

  28. KMS Monitoring with SCOM 2007 • KMS SCOM 2007 management pack • Supported platforms • Windows 2003 • Windows Vista • Windows 2008 • Report information in appendix • www.microsoft.com/downloads

  29. MAK: Multiple Activation Key • Activation key with multiple activations • Unique per Product Group • Number of activations based on license agreement • If exposed, you can request Microsoft to close it down and issue a new one • Every MAK activation must touch Microsoft to complete successfully

  30. MAK Facts • Client only has to be activated once • To activate, MAK client must have direct or (anonymous) proxy internet access • Else you must activate by phone • MAK activation can be added to an unattended installation or included in master image (preferred) • Remaining # of MAK activations can be viewed • Online: Microsoft Volume License Service Center (VLSC), eOpen, or MSDN • VAMT (Options -> Manage MAK Keys)

  31. MAK Facts • Should not be your primary activation method • KMS is preferred method • Use MAKs where you can’t use KMS • Sufficient hardware changes will require reactivation • MAK activation count decremented • Each cloned or ghosted system must be activated separately • MAKs can be shut down (for example if leaked) by calling the Microsoft Activation Call Center

  32. MAK Activation Types • Direct activation • Client activates directly with Microsoft • Internet • Phone • Proxy activation • For scenarios where clients do not have Internet access, and scale makes POTS* impractical • An intermediary (proxy) does the activation for the client • Intermediary uses the Volume Activation Management Tool (VAMT) * Plain Old Telephone System

  33. VA UtilitiesVolume Activation Management Tool (VAMT) • Utility to automate and manage volume activation on multiple clients (where necessary) • MAK Independent Activation • Installs MAKs and allows them to activate • MAK Proxy Activation • Installs MAKs to clients without Internet access, and activates for them • KMS Activation • Installs & activates default VL keys • Version 1.1 available from Microsoft downloads • Version 1.2 (in WAIK) adds Windows 7 and Windows Server 2008 R2 support

  34. MonitoringKMS and MAK Usage • Volume Licensing Service Center • View KMS key information • View remaining MAK activations • http://go.microsoft.com/fwlink/?LinkId=107544 • Monitor computer’s license conditions with • SMS 2003 SP3 • System Center Configuration Manager 2007 • Event Viewer on KMS hosts and clients

  35. recommendations What to do with all this

  36. Configuration AnalysisWhat do your networks look like? • Production network • Corporate forest and secondary trusted forests • Untrusted forests (development, mfg, etc.) • Workgroups • Secure networks with authorized firewall access to production network • "Secure zone" • Assumption: no internet access

  37. Configuration Analysis • Isolated networks • 25+ clients • < 25 clients • Disconnected clients • Demo notebook for salesperson • No e-mail, etc. that would require regular corporate network connections

  38. Configuration RecommendationsPrinciples • KEEP IT SIMPLE! • Just because you can do lots of configuration doesn’t mean you should • For example, using Vista as a KMS host • Use KMS as much as possible, and minimize the number of KMS hosts • If you run out of activations (i.e. 6 servers), Microsoft has an exception process to get more

  39. Configuration RecommendationsPrinciples • Use MAKs only where you can't use KMS • You’ll probably need to design a solution to cover several scenarios • KMS port (1688 by default) should never be exposed outside the company • Access to a KMS host is the same ashanding out free volume licenses

  40. Configuration RecommendationsEasy scenarios • Corporate forest and secondary trusting forests • KMS with DNS auto-discovery • Other zones • Assumes central or strong IT • Microsoft IT scenario • Firewalled environments (e.g. labs) that can open port 1688 • KMS • Auto-discovery vs. direct connection depends on lab DNS configuration

  41. Configuration RecommendationsModerate scenarios • Untrusted forests (e.g. dev or test forests) • KMS • But KMS SRV, A, & perhaps AAAA records may need to be registered and maintained in each DNS zone the untrusted forest uses • Workgroups • KMS • DHCP clients probably use the corporate DNS • Static clients – no predicting • KMS SRV, A, & perhaps AAAA records may need to be registered and maintained in that non-standard DNS zone

  42. Configuration Recommendations Moderate scenarios • ISV test labs: Systems constantly rebuilt to test customer scenarios • Simply don't activate if builds aren’t permanent • OOB grace period can be reset 3 times • Slmgr.vbs -rearm • = 120* days for all VL editions • If builds really will expire, reuse CID from the first MAK proxy activation *240 days for Windows 2008

  43. Configuration RecommendationsComplicated scenarios • Locked down firewalled environments without any external access • MAK proxy activation • A time consuming, but hopefully infrequent task • If no MAKs, and clients > 25, then internal KMS hosts • Delegating the KMS key to more admins increases the risk of it being compromised • Admin must activate KMS itself by phone call • MAK - Activate with phone call • Not scalable

  44. Configuration RecommendationsA simple solution • Use a standard client build? • Create a DNS CNAME record • kms.yourcompany.com • Round-robin a couple of KMS hosts behind it • Configure your build for direct connection • Slmgr.vbs –skms kms.yourcompany.com • All clients will simply go there, all the time • Bypasses auto-discovery complications

  45. Configuration Principles (Again) • KEEP IT SIMPLE! • Just because you can do lots of configuration doesn’t mean you should • Use KMS as much as possible, and minimize the number of hosts • Corporate IT KMS for all, if politically possible • Use MAKs where you can't use KMS • You’ll probably need to design a solution to cover several scenarios • KMS port (1688 by default) should never be exposed outside the company • Access to a KMS host is the same as handing out free volume licenses

  46. Summary • Volume Activation is here to stay • You must use it for all Microsoft new and future operating systems • The details can be confusing • Follow these design principles and you’ll be in good shape

  47. question & answer Kalpesh.Patel@microsoft.com Sean.Deuby@advaiya.com

  48. appendix

  49. VA UtilitiesSLMGR.VBS • Main software licensing configuration tool • Most common switches • -ipk Install product key • -ato Activate • -dli Display license information • -xpr Expiration date for current license state • -skms Direct connection (vs. auto-discovery) • -rearm Reset OOB grace period (max 3 but 5 for Windows Vista Enterprise) • In \system32 directory

More Related