Licensing Your Windows Server 2008 and Windows Vista

  • Slides: 62

Licensing Your Windows Server 2008 and Windows Vista Deployments
Sean Deuby, Senior Enterprise Solution Strategist, Advaiya
Kalpesh Patel, Senior Lead Program Manager, Microsoft
Session Code: WSV314

Agenda
• Session Goals
• Volume Activation Overview
• Details: KMS, MAKs
• Recommendations
• References
• Appendix

Session Goals
• Explain Volume Activation (VA)
• Expose its unique requirements
• Show typical scenarios and my recommendations
• Help you understand what you need to do, because you will need to do something
• If you plan to deploy Windows OS volume versions, you need to understand VA

Setting The Stage for VA*
• Denial – “This can't be real.” “Microsoft wouldn't actually implement something like this!”
• Anger – “Why me?” “As if I don’t have enough to do already?!”
• Bargaining – “If I do this, you’ll do that.” “Maybe if I just bought all the copies at the local computer store with a really big shopping cart…”
• Depression – “Defeated.” “I REALLY don’t want to go through this.”
• Acceptance – “This is going to happen.” “Microsoft isn't going to change their policy just for me; guess I'd better figure it out. At least it's job security!”
* With apologies to Elisabeth Kübler-Ross

VA Overview: What’s KMS? What’s MAK?

In The Beginning: Product Activation
• Retail Activation
  – "Unlocking" the software for use by entering a product key
  – Standard method for retail (e.g. Vista Home)
• OEM Activation
  – Pre-activation by OEMs (e.g. HP); the client need do nothing
• Volume License Key (VLK) for Windows XP / Windows Server 2003
  – For volume license customers, typically with hundreds or thousands of systems
  – Uses a special license key that bypasses product activation
  – Much more scalable than retail activation

The New Kid: Volume Activation
• A major rework of the original
• Previously one VLK was used for multiple systems
• Now systems must "activate" (validate their license) with Microsoft
• Aimed specifically at preventing casual copying, for example lending a genuine disc around
• Retail media still requires individual keys
• Volume editions use one of two activation methods: KMS or MAK

KMS and MAK
• KMS
  – Sort of like DHCP
  – KMS host controls activations
  – Volume client requests and receives activation
• MAK
  – A Multiple Activation Key (MAK) is like retail but allows more than one activation
  – Limit is dependent on agreement type with Microsoft (Open, Select, EA, etc.)
  – Similar to MSDN Universal keys
• Both use "grace periods"

Microsoft’s States of Grace: The Good
• Initial Out-Of-Box (OOB) Grace
  – First 30 days after installation for all VL editions, except Windows Server 2008: 60 days
  – Reset by running ‘slmgr /rearm’ or ‘sysprep /generalize’
• Licensed
  – Activated, renewing where required (KMS)
  – No user notifications – the "normal" state

Microsoft’s States of Grace: The Bad
• Out-Of-Tolerance (OOT) Grace (30 days for all VL editions)
  – Hardware has changed enough to require re-activation
  – KMS activation has expired
• Notification state
  – License has expired
  – Windows Vista SP1+ and Windows Server 2008+: black desktop, hourly "non genuine" notifications

Microsoft’s States of Grace: The Ugly
• Unlicensed
  – License sub-system cannot determine its own state (i.e. missing / corrupt binaries, data stores, etc.)

VA Details: KMS and MAKs Under the Covers

KMS: Key Management Service
• Recommended VA method
• KMS uses a client / server architecture
  – KMS host controls activations
  – Volume client requests and receives activation
• Host operating system
  – Windows Vista, Windows 7, Windows Server 2008 R2
  – Windows Server 2003 SP1+: http://microsoft.com/downloads
  – x86 or x64
  – Can run on a virtual machine

KMS and Its Clients
• By default, volume editions need a KMS environment to function normally
• Without KMS they will expire, go into notification state, and notify the user

Creating a KMS Host
• Obtain the KMS key from the volume licensing portal
• Install the KMS host’s OS
• Install the KMS key: SLMGR.VBS /ipk <key> (requires elevated privileges)
• Activate the KMS host with Microsoft
  – Online activation (i.e. Internet): SLMGR.VBS /ato
  – Telephone activation: SLUI.EXE 4, then follow the on-screen instructions
• Each KMS key can create a maximum of 6 different KMS hosts; exceptions are managed through the Activation Call Center

Locating A KMS Host
• Direct connection
  – Forces the client to look only at the FQDN or IP (and port) of the KMS host added to the registry
  – SLMGR.VBS /skms <KMS_FQDN or IP>[:<port>]
• Auto-discovery
  – Client uses DNS to locate a KMS host by looking up service (SRV) resource records published by the host
  – KMS publishes a new DNS SRV record to its DNS zone: _VLMCS._TCP (_service._protocol)
  – Any DNS that supports SRV records and dynamic update will accept this

KMS Client Auto-Discovery (diagram: KMS client, AD / DNS, KMS host)
0. KMS host registers its SRV record in DNS
1. Client queries DNS for _VLMCS SRV entries
2. DNS returns all KMS hosts that match
3. Client selects a KMS host from the DNS list and sends an anonymous RPC "request"
4. KMS host returns the current count; the client self-activates if count >= required value

KMS Auto-Discovery Facts
• KMS host doesn’t automatically publish SRV records to any other DNS zones in the forest (i.e. other child domains)
• You can tell KMS to manually publish records to other DNS domains / zones
  – HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SL\DnsDomainPublishList (REG_MULTI_SZ)
  – Enter each domain on a separate line
• KMS host requires rights in the target DNS zone to write SRV records
• Target zone must also be able to resolve the KMS host name
  – If the DNS server in the zone containing KMS is not configured as a forwarder for the target zone, you must add A and AAAA (IPv6) records

KMS Auto-Discovery Facts
• Workgroup clients use their primary DNS suffix or the DNS domain issued by DHCP (option 15)
• Active Directory clients use their primary DNS suffix or the AD DNS domain name

Enhancements to KMS Discovery: Windows 7 and Windows Server 2008 R2
• Client searches for a KMS host in its DNS suffix list
  – Admin can advertise an SRV entry for KMS in one DNS zone
  – Most clients have a DNS suffix search list (e.g. redmond.corp.microsoft.com)
  – Enhancement allows KMS clients with other primary DNS servers to find the KMS host by walking their suffix list
  – Multi-domain forests require only 1 KMS entry

Enhancements to KMS Discovery: Windows 7 and Windows Server 2008 R2
• DNS SRV weight & priority
  – Client selects a KMS host based on SRV record priority and weight, which orders the list of KMS hosts DNS returns
  – Windows Server 2008 and Windows Vista do not use this: their KMS clients choose a random KMS host from the list returned by DNS
  – Windows Server 2008 R2 and Windows 7 support this, but you probably don’t need it
  – Disable KMS host caching (slmgr /ckhc) to force the client to use the KMS host returned by the DNS query
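The discovery behaviour described on the last few slides (primary suffix only on Vista/2008, suffix-list walking and SRV priority/weight on Windows 7/2008 R2), modelled in Python as an added example. This is not Microsoft's code: the zone contents, host names and suffix lists are constructed, and the weighted selection is this model's RFC 2782-style reading of "priority and weight", not the client's actual implementation.

```python
"""Model of KMS client auto-discovery: build the _vlmcs._tcp query names a
client would try, resolve them against a constructed zone, and pick a host
the way the two client generations are described as doing it."""
import random
from dataclasses import dataclass

SRV_PREFIX = "_vlmcs._tcp"


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def query_names(primary_suffix, suffix_search_list=(), walk_suffix_list=False):
    """Names a client queries for KMS SRV records.

    Vista / Windows Server 2008 only try _vlmcs._tcp.<primary DNS suffix>;
    Windows 7 / 2008 R2 (walk_suffix_list=True) also walk the suffix search list.
    """
    names = [f"{SRV_PREFIX}.{primary_suffix}"]
    if walk_suffix_list:
        for suffix in suffix_search_list:
            name = f"{SRV_PREFIX}.{suffix}"
            if name not in names:
                names.append(name)
    return names


def parse_srv(zone_lines):
    """Parse zone-file style lines: <name> <ttl> IN SRV <prio> <weight> <port> <target>."""
    records = []
    for line in zone_lines:
        parts = line.split()
        if len(parts) < 8 or parts[3].upper() != "SRV":
            continue
        records.append(SrvRecord(int(parts[4]), int(parts[5]),
                                 int(parts[6]), parts[7].rstrip(".")))
    return records


def discover(zone, names):
    """Answers for the first query name that resolves, like a client walking its list."""
    for name in names:
        answers = zone.get(name.lower(), [])
        if answers:
            return name, answers
    return None, []


def select_random(records, rng=random):
    """Vista / 2008 behaviour: any host from the list, priority and weight ignored."""
    return rng.choice(records)


def select_by_priority_weight(records, rng=random):
    """Windows 7 / 2008 R2 behaviour (RFC 2782 style, an assumption of this model):
    lowest priority wins, weighted random choice among hosts sharing that priority."""
    lowest = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in candidates)
    if total == 0:
        return rng.choice(candidates)
    pick = rng.random() * total  # uniform in [0, total)
    running = 0
    for rec in candidates:
        running += rec.weight
        if pick < running:
            return rec
    return candidates[-1]  # not reachable, kept for safety


# Constructed zone: the SRV record is advertised only in lab.example.com.
ZONE_LINES = [
    "_vlmcs._tcp.lab.example.com. 3600 IN SRV 0 100 1688 kms1.lab.example.com.",
    "_vlmcs._tcp.lab.example.com. 3600 IN SRV 10 50 1688 kms2.lab.example.com.",
    "_vlmcs._tcp.lab.example.com. 3600 IN SRV 10 50 1688 kms3.lab.example.com.",
]
ZONE = {"_vlmcs._tcp.lab.example.com": parse_srv(ZONE_LINES)}


def find_kms(primary_suffix, search_list, windows7, rng=random):
    """Whole client flow: build query names, resolve, pick a host. Returns the target or None."""
    names = query_names(primary_suffix, search_list, walk_suffix_list=windows7)
    _, answers = discover(ZONE, names)
    if not answers:
        return None
    chooser = select_by_priority_weight if windows7 else select_random
    return chooser(answers, rng).target


if __name__ == "__main__":
    # A client whose primary suffix is corp.example.com: the Vista-style lookup
    # finds nothing, the Windows 7-style walk reaches the lab zone and prefers kms1.
    suffixes = ["corp.example.com", "lab.example.com"]
    print(find_kms("corp.example.com", suffixes, windows7=False))
    print(find_kms("corp.example.com", suffixes, windows7=True))
```

The same zone shows why the slide says one SRV entry per forest is enough on Windows 7: a client in corp.example.com never queries _vlmcs._tcp.lab.example.com unless it walks its suffix list.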

KMS Key Groups
• KMS can only support one key at a time
• How can one key support different products? Key groups
  – A hierarchy of licensing keys that can activate all products below them
  – Server Group C > Server Group B > Server Group A > Client VL

Product Key Groups
Group | Windows Server 2008 / Windows Vista | Windows Server 2008 R2 / Windows 7
Group C | Windows Server 2008 Datacenter, Windows Server 2008 for Itanium, + Group B editions | Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 for Itanium, + Group B & previous editions
Group B | Windows Server 2008 Enterprise, Windows Server 2008 Standard, + Group A editions | Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Standard, + Group A & previous editions
Group A | Windows Web Server 2008, Windows HPC Server 2008, + Client VL editions | Windows Web Server 2008 R2, Windows Server 2008 R2 HPC, + Client and previous editions
Client VL | Windows Vista Enterprise, Windows Vista Business | Windows 7 Enterprise, Windows 7 Professional, + previous editions

KMS Activation Validity Interval
• Upon initial startup, the client has an initial grace period
  – Attempts to contact a KMS host every 2 hours by default
• After activation, the license period is set to 180 days (6 months)
  – Client contacts KMS every 7 days by default to renew its activation
  – Success: activation validity interval reset to 180 days
  – Failure: client retries another KMS immediately

KMS Infrastructure Service Requirements
• Minimal network data (~500 bytes round trip)
• Involves crypto operations (CPU)
• Client KMS request TTL: 15 seconds
• Not time critical for clients
  – Grace periods (Initial and OOT): 360 attempts (every 2 hours for 30 days)
  – Silent renewal: every 7 days for 180 days = 26+ attempts
• Notifications
  – User has access to all features
  – User is warned as the expiration date approaches
• Microsoft tested KMS on one DC, with one backup
  – Windows Server 2008 R2 RC KMS host is a virtual machine

KMS Activation Count
• Unlike MAK clients, KMS clients require regular reactivation
• A KMS will hand out an unlimited number of licenses, but…
• A KMS will not begin activating clients until multiple unique clients contact it (activation count)
  – Windows Vista / Windows 7 clients: 25
  – Windows Server 2008 / Windows Server 2008 R2 clients: 5
• Count is ‘aged’ from the KMS host after 30 days
• With SP2 or Windows Server 2008 R2 or Windows 7, the count can be a mix of physical and virtual
  – Customers deploying Windows Server 2008 as VMs only
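The activation count and the validity-interval timeline from the last three slides interact: a client that contacts the host before the count reaches the threshold stays in grace and retries every 2 hours, a licensed client renews every 7 days, and a client that cannot renew for 180 days falls into OOT grace and then notification. The model below is an added example (not Microsoft's code) that plays both sides in simulated hours. The constants are the slides' figures; the client machine IDs are constructed, and the decision to keep the 7-day cadence after a failed renewal (rather than "retry another KMS immediately", which needs a second host) is this model's assumption.

```python
"""Host-side activation count (threshold, 30-day aging) and client-side
grace / licensed / OOT / notification timeline, in simulated hours."""

HOUR = 1
DAY = 24 * HOUR

CLIENT_THRESHOLD = 25       # Windows Vista / Windows 7 clients
SERVER_THRESHOLD = 5        # Windows Server 2008 / 2008 R2 clients
COUNT_AGING = 30 * DAY      # a client not seen for 30 days drops out of the count
OOB_GRACE = 30 * DAY        # initial grace for VL editions ...
SERVER_OOB_GRACE = 60 * DAY # ... except Windows Server 2008
GRACE_RETRY = 2 * HOUR      # contact attempts while in grace
VALIDITY = 180 * DAY        # activation validity interval
RENEWAL = 7 * DAY           # silent renewal cadence
OOT_GRACE = 30 * DAY        # out-of-tolerance grace after the interval lapses


class KmsHost:
    """Tracks the last request time per client machine ID (CMID)."""

    def __init__(self):
        self.last_seen = {}

    def activation_count(self, now):
        return sum(1 for t in self.last_seen.values() if now - t < COUNT_AGING)

    def request(self, cmid, now):
        """Record the anonymous request; return the count the client sees."""
        self.last_seen[cmid] = now
        return self.activation_count(now)


class KmsClient:
    def __init__(self, cmid, is_server=False, installed_at=0):
        self.cmid = cmid
        self.threshold = SERVER_THRESHOLD if is_server else CLIENT_THRESHOLD
        self.state = "oob_grace"
        self.grace_ends = installed_at + (SERVER_OOB_GRACE if is_server else OOB_GRACE)
        self.license_ends = None
        self.next_attempt = installed_at

    def tick(self, now, host):
        """Advance to time `now`; `host` is None when no KMS host is reachable."""
        if self.state == "licensed" and now >= self.license_ends:
            self.state, self.grace_ends = "oot_grace", now + OOT_GRACE
            self.next_attempt = now                  # back to 2-hourly attempts
        elif self.state in ("oob_grace", "oot_grace") and now >= self.grace_ends:
            self.state = "notification"
        if now < self.next_attempt:
            return
        count = host.request(self.cmid, now) if host is not None else None
        if count is not None and count >= self.threshold:
            self.state = "licensed"                  # client self-activates
            self.license_ends = now + VALIDITY       # interval reset to 180 days
            self.next_attempt = now + RENEWAL
        elif self.state == "licensed":
            self.next_attempt = now + RENEWAL        # assumption: keep weekly cadence
        else:
            self.next_attempt = now + GRACE_RETRY


def run(clients, hours, host, host_down_after=None):
    """Step every client hour by hour; the host vanishes at `host_down_after`."""
    for now in range(0, hours + 1):
        reachable = host if host_down_after is None or now < host_down_after else None
        for c in clients:
            c.tick(now, reachable)
    return {c.cmid: c.state for c in clients}


def threshold_demo(n_clients, hours):
    """n Vista clients and one host: (licensed clients, host count) after `hours`."""
    host = KmsHost()
    clients = [KmsClient(f"cmid-{i:03d}") for i in range(n_clients)]
    states = run(clients, hours, host)
    licensed = sum(1 for s in states.values() if s == "licensed")
    return licensed, host.activation_count(hours)


def aging_demo():
    """25 clients check in on day 0; count on day 0 versus day 31."""
    host = KmsHost()
    for i in range(CLIENT_THRESHOLD):
        host.request(f"cmid-{i:03d}", 0)
    return host.activation_count(0), host.activation_count(31 * DAY)


def expiry_demo(day):
    """Five 2008 servers activate, then the host is gone from hour 3 on; state of srv-0 on `day`."""
    host = KmsHost()
    servers = [KmsClient(f"srv-{i}", is_server=True) for i in range(SERVER_THRESHOLD)]
    states = run(servers, day * DAY, host, host_down_after=3)
    return states["srv-0"]


if __name__ == "__main__":
    print(threshold_demo(24, 3 * DAY))   # 24 clients never reach 25
    print(threshold_demo(25, 2))         # the 25th pushes everyone over the line
    print(aging_demo())
    print([expiry_demo(d) for d in (100, 190, 215)])
```

Two practical readings of the model: a lab with 24 Vista clients and its own KMS host never activates anything, and a KMS host you decommission does not bite for 180 days, after which clients go through 30 days of OOT grace before the notification state starts.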

KMS Facts: Good things about KMS
• Clients don’t need internet or telephone access
• Nothing to back up or restore on a KMS host: just rebuild and reinstall the KMS key
• Very scalable – a lightweight service
• Coexists well with other server roles
• Scalability is rarely the reason for more than 1 or 2 KMS servers; complicated environments, and politics, are

KMS Monitoring with SCOM 2007
• KMS SCOM 2007 management pack
• Supported platforms: Windows 2003, Windows Vista, Windows 2008
• Report information in the appendix
• www.microsoft.com/downloads

MAK: Multiple Activation Key
• Activation key with multiple activations
• Unique per Product Group
• Number of activations based on the license agreement
• If exposed, you can request Microsoft to close it down and issue a new one
• Every MAK activation must touch Microsoft to complete successfully

MAK Facts
• Client only has to be activated once
• To activate, the MAK client must have direct or (anonymous) proxy internet access; else you must activate by phone
• MAK activation can be added to an unattended installation or included in the master image (preferred)
• Remaining number of MAK activations can be viewed
  – Online: Microsoft Volume License Service Center (VLSC), eOpen, or MSDN
  – VAMT (Options -> Manage MAK Keys)

MAK Facts
• Should not be your primary activation method; KMS is the preferred method
  – Use MAKs where you can’t use KMS
• Sufficient hardware changes will require reactivation, and the MAK activation count is decremented
• Each cloned or ghosted system must be activated separately
• MAKs can be shut down (for example if leaked) by calling the Microsoft Activation Call Center

MAK Activation Types
• Direct activation: the client activates directly with Microsoft
  – Internet
  – Phone
• Proxy activation
  – For scenarios where clients do not have Internet access, and scale makes POTS* impractical
  – An intermediary (proxy) does the activation for the client
  – The intermediary uses the Volume Activation Management Tool (VAMT)
* Plain Old Telephone System

VA Utilities: Volume Activation Management Tool (VAMT)
• Utility to automate and manage volume activation on multiple clients (where necessary)
  – MAK Independent Activation: installs MAKs and allows the clients to activate
  – MAK Proxy Activation: installs MAKs on clients without Internet access, and activates for them
  – KMS Activation: installs & activates default VL keys
• Version 1.1 available from Microsoft downloads
• Version 1.2 (in WAIK) adds Windows 7 and Windows Server 2008 R2 support

Monitoring KMS and MAK Usage
• Volume Licensing Service Center
  – View KMS key information
  – View remaining MAK activations
  – http://go.microsoft.com/fwlink/?LinkId=107544
• Monitor computers’ license conditions with
  – SMS 2003 SP3
  – System Center Configuration Manager 2007
  – Event Viewer on KMS hosts and clients

Recommendations: What to do with all this

Configuration Analysis: What do your networks look like?
• Production network
  – Corporate forest and secondary trusted forests
  – Untrusted forests (development, mfg, etc.)
  – Workgroups
• Secure networks with authorized firewall access to the production network ("secure zone")
  – Assumption: no internet access

Configuration Analysis
• Isolated networks
  – 25+ clients
  – < 25 clients
• Disconnected clients
  – Demo notebook for a salesperson
  – No e-mail, etc. that would require regular corporate network connections

Configuration Recommendations: Principles
• KEEP IT SIMPLE!
  – Just because you can do lots of configuration doesn’t mean you should (for example, using Vista as a KMS host)
• Use KMS as much as possible, and minimize the number of KMS hosts
  – If you run out of activations (i.e. 6 servers), Microsoft has an exception process to get more

Configuration Recommendations: Principles
• Use MAKs only where you can't use KMS
• You’ll probably need to design a solution to cover several scenarios
• KMS port (1688 by default) should never be exposed outside the company
  – Access to a KMS host is the same as handing out free volume licenses
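One way to check the "never expose 1688" principle on an existing KMS host is to read its Windows Firewall log for connections to the KMS port that arrive from addresses outside your own ranges. The script below is an added example, not part of the presentation or any Microsoft tool: the log lines follow the pfirewall.log field order but are constructed, and the internal ranges (the RFC 1918 blocks here) are a placeholder for your real address plan.

```python
"""Flag TCP/1688 traffic received from non-internal sources in a Windows
Firewall log (pfirewall.log format). ALLOW from outside means the KMS host
is reachable from outside; DROP from outside means it is being probed."""
import ipaddress

KMS_PORT = 1688
# Placeholder for the company's real address ranges.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# pfirewall.log field order, as given by the file's own #Fields header:
# date time action protocol src-ip dst-ip src-port dst-port size tcpflags
# tcpsyn tcpack tcpwin icmptype icmpcode info path


def parse_line(line):
    """One log line -> dict, or None for headers, blanks and malformed lines."""
    if not line.strip() or line.startswith("#"):
        return None
    p = line.split()
    if len(p) < 17:
        return None
    try:
        return {"when": f"{p[0]} {p[1]}", "action": p[2], "proto": p[3],
                "src": ipaddress.ip_address(p[4]), "dst": p[5],
                "sport": int(p[6]), "dport": int(p[7]), "path": p[16]}
    except ValueError:
        return None


def is_internal(addr):
    return any(addr in net for net in INTERNAL_RANGES)


def external_kms_traffic(lines):
    """Inbound (RECEIVE) TCP records to the KMS port from non-internal sources,
    as (timestamp, action, source, destination) tuples."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != KMS_PORT:
            continue
        if rec["path"] != "RECEIVE" or is_internal(rec["src"]):
            continue
        findings.append((rec["when"], rec["action"], str(rec["src"]), rec["dst"]))
    return findings


# Constructed sample: a KMS host at 10.0.0.20 serving one internal client,
# one allowed and one dropped connection from documentation-range addresses,
# and unrelated HTTPS traffic that must not be flagged.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-05-12 10:00:01 ALLOW TCP 10.0.5.17 10.0.0.20 49152 1688 0 - 0 0 0 - - - RECEIVE
2009-05-12 10:00:07 ALLOW TCP 10.0.0.20 10.0.5.17 1688 49152 0 - 0 0 0 - - - SEND
2009-05-12 10:02:13 ALLOW TCP 203.0.113.5 10.0.0.20 51234 1688 0 - 0 0 0 - - - RECEIVE
2009-05-12 10:05:44 DROP TCP 198.51.100.7 10.0.0.20 40000 1688 0 S 0 0 0 - - - RECEIVE
2009-05-12 10:06:00 ALLOW TCP 203.0.113.5 10.0.0.20 51300 443 0 - 0 0 0 - - - RECEIVE
""".splitlines()


if __name__ == "__main__":
    for finding in external_kms_traffic(SAMPLE_LOG):
        print(*finding)
```

Run it against the real log (default location %systemroot%\system32\LogFiles\Firewall\pfirewall.log, with logging enabled) by replacing SAMPLE_LOG with the file's lines; anything it returns with action ALLOW is the condition the slide warns about.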

Configuration Recommendations: Easy scenarios
• Corporate forest and secondary trusting forests
  – KMS with DNS auto-discovery
  – Other zones: assumes central or strong IT (the Microsoft IT scenario)
• Firewalled environments (e.g. labs) that can open port 1688
  – KMS; auto-discovery vs. direct connection depends on the lab DNS configuration

Configuration Recommendations: Moderate scenarios
• Untrusted forests (e.g. dev or test forests)
  – KMS, but KMS SRV, A, & perhaps AAAA records may need to be registered and maintained in each DNS zone the untrusted forest uses
• Workgroups
  – KMS
  – DHCP clients probably use the corporate DNS
  – Static clients – no predicting; KMS SRV, A, & perhaps AAAA records may need to be registered and maintained in that non-standard DNS zone

Configuration Recommendations: Moderate scenarios
• ISV test labs: systems constantly rebuilt to test customer scenarios
  – Simply don't activate if builds aren’t permanent
  – OOB grace period can be reset 3 times: slmgr.vbs -rearm = 120* days for all VL editions
  – If builds really will expire, reuse the CID from the first MAK proxy activation
* 240 days for Windows 2008

Configuration Recommendations: Complicated scenarios
• Locked down firewalled environments without any external access
  – MAK proxy activation: a time consuming, but hopefully infrequent, task
  – If no MAKs, and clients > 25, then internal KMS hosts
    · Delegating the KMS key to more admins increases the risk of it being compromised
    · Admin must activate the KMS host itself by phone call
  – MAK – activate with a phone call: not scalable

Configuration Recommendations: A simple solution
• Use a standard client build?
  – Create a DNS CNAME record kms.yourcompany.com
  – Round-robin a couple of KMS hosts behind it
  – Configure your build for direct connection: slmgr.vbs –skms kms.yourcompany.com
  – All clients will simply go there, all the time
  – Bypasses auto-discovery complications

Configuration Principles (Again)
• KEEP IT SIMPLE!
  – Just because you can do lots of configuration doesn’t mean you should
• Use KMS as much as possible, and minimize the number of hosts
  – Corporate IT KMS for all, if politically possible
• Use MAKs where you can't use KMS
• You’ll probably need to design a solution to cover several scenarios
• KMS port (1688 by default) should never be exposed outside the company
  – Access to a KMS host is the same as handing out free volume licenses

Summary
• Volume Activation is here to stay
• You must use it for all new and future Microsoft operating systems
• The details can be confusing
• Follow these design principles and you’ll be in good shape

Question & Answer
Kalpesh.Patel@microsoft.com
Sean.Deuby@advaiya.com

Appendix

VA Utilities: SLMGR.VBS
• Main software licensing configuration tool
• Most common switches
  – -ipk: install product key
  – -ato: activate
  – -dli: display license information
  – -xpr: expiration date for the current license state
  – -skms: direct connection (vs. auto-discovery)
  – -rearm: reset OOB grace period (max 3, but 5 for Windows Vista Enterprise)
• Located in the system32 directory

VA Utilities: SLUI.EXE
• The "kitchen sink" utility of Volume Activation
• Most common switches
  – 1: display activation status
  – 2: attempt activation
  – 3: change product key
  – 4: display list of telephone numbers for activation
  – 0x02a 0x<error code>: diagnose an error code, e.g. a 0x8007267C error in event 12293: SLUI 0x02a 0x8007267C
• Error codes are also in the VA Operations Guide

MOM KMS Reports
Report | Description
Activation Count Summary | Shows the number of KMS activations for each Windows edition, for several historical time ranges.
KMS Activity History | Graphically displays daily new KMS activations for each Windows edition, and daily KMS request activity (both activations and renewals) for each Windows edition.
Licensing Status Summary | Shows the days remaining before expiration, for machines that have connected to a KMS, for each license state.
Machine Expiration Chart | Graphically displays the number of machines that are in Initial, OOT/Exp or non-Genuine Grace, whose users could be locked out (Unlicensed) in the next 30 days.
Machine Expiration Detail | Lists machines that are in Initial, OOT/Exp or non-Genuine Grace, whose users could be locked out (Unlicensed) in the next 7 days.
Virtual Machine Summary | Breaks out the cumulative number of virtual and physical machines that were activated via KMS within the past 14 days, for each Windows edition.

KMS: Key Management Service
• The same service runs on the KMS host and the KMS client
  – Windows Server 2008, Vista: SLSVC.EXE / "Software Licensing"
  – Windows Server 2008 R2, Windows 7: SPPSVC.EXE / "Software Protection"

KMS Facts
• VL editions are by default KMS clients
  – If you have auto-discovery configured, the client doesn’t need to do anything
• A KMS host doesn’t pay attention to license tracking
  – Remembers up to the last 50 activations just for service tracking
• KMS hosts also don’t pay attention to each other
• Each KMS host can activate an unlimited number of clients

KMS Facts
• Up to 6 KMS hosts can be activated with one KMS key
• Each KMS host can be re-activated up to 10 times
• KMS communicates with clients on TCP port 1688
  – KMS clients in labs need 1688 allowed on the firewall for TCP inbound / outbound
• Unlike MAK clients, KMS clients don’t touch Microsoft; the KMS host did that for them
• A Vista KMS host will not support Windows 2008 KMS clients (not a good idea anyway)

VAMT Proxy Activation: Isolated lab network
• WMI firewall & network discovery exceptions must be enabled on all clients
• Admin installs VAMT on a computer inside the network
• VAMT discovers clients
  – From AD (LDAP) if a domain is present
  – Through the network discovery (NetServerEnum()) API if a workgroup
• VAMT collects status from the discovered computers
• Admin installs a MAK on VAMT
• Admin uses VAMT to apply the MAK to clients
• Admin collects the CIL (Computer Information List) from selected computers

VAMT Proxy Activation: Isolated lab network (continued)
• Admin exports the CIL to removable media (e.g. USB key); sensitive environment data can be excluded
• Admin imports the CIL into a VAMT system with internet access
• VAMT performs a MAK Proxy Activation and obtains Confirmation IDs (CIDs) for the clients in the list
• Admin brings the key back to the lab, imports the CIL into VAMT, and completes proxy activation by applying the CIDs to the clients
• Note: this CIL can be re-used – thus not using more MAKs – if systems are re-imaged on the same hardware

Resources
• Windows 7 Deployment Client – TLC, Tue 5/12/2009 & Wed 5/13/2009
• Volume Activation home: http://technet.microsoft.com/volumeactivation
• Vista Volume Activation Technical Guidance: http://tinyurl.com/2tk8hs
• KMS on Windows Server 2003 SP1: http://tinyurl.com/3cwyqu
• Volume Activation Management Tool (VAMT): http://tinyurl.com/2qwkwo

Windows Server Resources
• Make sure you pick up your copy of Windows Server 2008 R2 RC from the Materials Distribution Counter
• Learn more about Windows Server 2008 R2: www.microsoft.com/WindowsServer2008R2
• Technical Learning Center (Orange Section): highlighting Windows Server 2008 and R2 technologies
  – Over 15 booths and experts from Microsoft and our partners

Resources
• www.microsoft.com/teched – Sessions On-Demand & Community
• www.microsoft.com/learning – Microsoft Certification & Training Resources
• http://microsoft.com/technet – Resources for IT Professionals
• http://microsoft.com/msdn – Resources for Developers

Complete an evaluation on CommNet and enter to win!

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.