Fermilab KMS
Experiences with Microsoft’s Key Management Server
HEPiX Nov 5, 2007 Fermilab KMS Experiences
What is KMS?
• With Vista (and Windows Server 2008) Microsoft introduces new software activation
• Enterprise customers can now have a central server for activation
• No need to give out installation codes
• Reduces the threat of stolen keys being used by hackers
KMS – Activated Vista system [screenshot]
KMS – System not activated [screenshot]
KMS and Vista Systems
• Vista can be installed without activation…but…
• After 30 days, it is no longer usable
• Once activated, the system is good for 180 days
• Every 7 days, Vista will try to contact the KMS server again and extend activation back to 180 days
• Once deactivated, you go into ‘degraded’ mode
KMS – The Good, the Bad, and the Ugly
• Easy to install
• Originally only ran on Vista or ‘Longhorn’ server
• Since 03/22/07 the service can also run on Windows 2003 server
• Must have 25 active activation requests, or the KMS server will not activate anyone
• Unless you have a MOM server, there are no reports
KMS – Build your own report
• Every time someone tries to ‘activate’, an event record is generated on the KMS server
• The event record is part of the special ‘Key Management Service’ records
KMS – The event record
• Event Type: Information
• Event Source: KmsRequests
• Event Category: None
• Event ID: 12290
• User: N/A
• Computer: kms-server
• Description: An activation request has been processed.
• Info: 0x0,25,PPD101835.dhcp.fnal.gov,bb99473f-3fb3-4e7c-9e6e-1b711e5b4ae8,2007/10/31 11:57,0,1,257764,cfd8ff08-c0d7-452b-9f60-ef5c70c32094
KMS Commands
On the KMS server, issue the following to get the count of the current number of activated systems:
cscript %windir%\system32\slmgr.vbs -dli
KMS Activation count
• KMS will not activate any system until 25 different systems have requested activation
• Virtual machines do not count
• Cannot simply rename a machine to ‘fool’ the count
• Must maintain 25 active requests; if the count falls below 25, activation stops again
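The report that the ‘Build your own report’ slide calls for, as an added example that is not part of the original deck: it parses the Info field of event 12290 and applies the counting rules from the slide above (count by client machine ID rather than hostname, ignore virtual machines, require 25). The field layout follows Microsoft’s documentation of the KmsRequests event and is an assumption to confirm against your own log; the sample records other than the slide’s own, the 30-day window and the report time are constructed.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Event 12290 "Info:" field layout (Microsoft's KmsRequests format, assumed
# here, confirm on your server): error_code, min_count, client_fqdn, cmid,
# timestamp, is_vm, license_state, minutes_to_expiry, sku_id
KmsRequest = namedtuple("KmsRequest",
    "error_code min_count fqdn cmid when is_vm minutes_to_expiry")

def parse_info(line):
    f = line.strip().split(",")
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}: {line!r}")
    return KmsRequest(int(f[0], 16), int(f[1]), f[2], f[3],
                      datetime.strptime(f[4], "%Y/%m/%d %H:%M"),
                      f[5] == "1", int(f[7]))

def activation_report(lines, now, window_days=30):
    # Count by CMID, not hostname, so a renamed machine is not counted twice;
    # the 30-day window is an assumption about how long KMS remembers a client.
    last_seen = {}
    for r in map(parse_info, lines):
        if r.error_code != 0 or r.is_vm:   # failed request or VM: not counted
            continue
        if r.cmid not in last_seen or r.when > last_seen[r.cmid].when:
            last_seen[r.cmid] = r
    window = now - timedelta(days=window_days)
    active = [r for r in last_seen.values() if r.when >= window]
    needed = max((r.min_count for r in active), default=25)
    # clients renew every 7 days; anything older has stopped reaching the server
    stale = sorted(r.fqdn for r in active if now - r.when > timedelta(days=7))
    return {"active": len(active), "needed": needed,
            "activating": len(active) >= needed, "stale": stale}

# Constructed sample records; the first is the one shown on the slide.
SKU = "cfd8ff08-c0d7-452b-9f60-ef5c70c32094"
SAMPLE = [
    "0x0,25,PPD101835.dhcp.fnal.gov,bb99473f-3fb3-4e7c-9e6e-1b711e5b4ae8,2007/10/31 11:57,0,1,257764," + SKU,
    # same CMID renewing under a new hostname: still one client
    "0x0,25,ppd101835-new.dhcp.fnal.gov,bb99473f-3fb3-4e7c-9e6e-1b711e5b4ae8,2007/11/02 09:10,0,1,259200," + SKU,
    # a virtual machine: does not count toward the 25
    "0x0,25,vmtest01.fnal.gov,11111111-1111-1111-1111-111111111111,2007/11/02 10:00,1,1,259200," + SKU,
    # a physical host that last renewed more than 7 days ago
    "0x0,25,lab-desk07.fnal.gov,22222222-2222-2222-2222-222222222222,2007/10/20 08:00,0,1,259200," + SKU,
]
REPORT_AS_OF = datetime(2007, 11, 5, 12, 0)   # assumed report time

def sample_report():
    return activation_report(SAMPLE, REPORT_AS_OF)
```

Feed it the Info lines exported from the ‘Key Management Service’ log and the ‘active’ count should track what slmgr.vbs -dli reports.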
KMS – Fun with DNS
The KMS server dynamically updates DNS with a special service record. This allows Vista systems to automatically find your KMS server.
NOTE: port 1688 needs to be open to your systems on-site, but blocked from off-site
KMS – Manual activation
• If you run into DNS issues, the client can manually issue an activation request
• The commands must be run as user ‘administrator’ on the client machine
• First, tell the client the name of the KMS server:
  cscript slmgr.vbs -skms dns-name-of-kms-server
• Second, request activation:
  cscript slmgr.vbs -ato
KMS – Degraded mode
• If the client machine fails to get activation, the machine goes into degraded mode
• Degraded mode basically only allows the user to activate
• Cannot fool the system by changing the system date
• May not be able to start VPN software when in degraded mode
• Can extend activation if the client cannot contact your KMS server:
  slmgr -rearm
KMS – Additional info
• You can have multiple KMS servers … but …
• Multiple KMS servers do not communicate with each other (each one will need to have 25 active requests)
• The KMS server does not report any info to Microsoft
• Microsoft may use KMS for future application software activation