Document 6484052

Transcription

Document 6484052
Acronyms
Volume License Basics
Volume Activation Key Management
AD DS
Active Directory Domain Services
Volume license offering for Windows 7 is an upgrade license and requires
a qualifying Windows® client operating system. Volume License offerings
for Windows Server 2008 R2 are full licenses.
VL keys are organized by Product Group.
Customers receive 1 MAK per group and 1 KMS per
Product Group.
VLSC allows management of VL agreements, download of licensed
products, provides access to product keys, viewing of Microsoft License
Statements, and reporting of VL entitlements.
CIL
Computer Information List
CMID
Client Machine ID
With volume license media, no product key is required during setup and
there is a 30 day grace period to activate software after installation.
DNS
Domain Name System
Volume license customers typically get media kits for Windows 7 and
Windows Server 2008 R2.
IID
Installation ID
For more information:
http://www.microsoft.com/licensing
https://licensing.microsoft.com/eLicense
Volume
Volume Product
Product Group
Group Contains
Contains
Windows Vista and Windows Server 2008 KMS keys follow the same
hierarchy (groups VL, A, B, C) as Windows 7 and Windows Server 2008 R2.
The primary difference to note is that the Windows 7 and Windows Server
2008 R2 KMS keys can be used to activate down-level operating systems as
well (Windows Vista and Windows Server 2008).
Windows Client VL
Windows 7 Professional
Windows 7 Enterprise
Server Group A – Windows Server 2008 R2
Windows Web Server 2008 R2
Windows Server 2008 R2 HPC Edition
Windows HPC Server 2008 R2
Server Group B – Windows Server 2008 R2
Windows Server 2008 R2 Standard
Windows Server 2008 R2 Enterprise
Server Group C – Windows Server 2008 R2
Windows Server 2008 R2 Datacenter
Windows Server 2008 R2 for Itanium-based Systems
MAK
Multiple Activation Key
MAK Keys
Windows Vista and Windows Server 2008 MAK keys follow the same
hierarchy (groups VL, A, B, C) as Windows 7 and Windows Server 2008 R2.
KMS Activation Threshold Examples
DNS SRV Record: _vlmcs._tcp
OS
Operating System
1
One time – Phone or Online
SRV
DNS Service Resource Record
2
Install
Key
4 Discover KMS
Register
DNS
5
KMS Host
Service
8
VLSC
Volume License Service Center
6
Windows Server 2008 R2
KMS Host
SP
Service Pack
5
7
Number of...
Activation
Windows Windows
Count
Servers Clients On KMS Host
CMID / Date Stamp
Machine1 CMID 7/11/08 00:00:00
Machine2 CMID 7/11/08 00:00:00
...maximum of 50 CMIDs cached for 30 days
VAMT
Volume Activation Management Tool
8
Windows 7
Client Machine ID (CMID) – Value cached (with
timestamp) on the KMS host during activation. Date
is updated on client renewal.
VPN
Virtual Private Network
WAN
Wide Area Network
Install KMS host key on designated system using SLMGR Command.
2
KMS host is activated with the KMS key using Microsoft’s Hosted Activation Services.
3
If enabled, the KMS Service registers SRV resource records in DNS each time KMS
Service is started and once per day.
1
5
Windows Server Only
1
4
5
Windows Server Only
1
1
2
None
WMI
Windows Management Instrumentation
5
4
22
26
XML
Extensible Markup Language
KMS host returns activation count to client.
8
KMS client evaluates count vs. license policy and activates itself if the activation threshold is met.
· Store KMS host Product ID, intervals, and client hardware ID in license store.
· On success automatically attempt to renew activation every 7 days (default).
One time – Phone or Online
Initial
Installation
0
15
30
KMS activation threshold is cumulative between OS
editions, and physical and virtual machines.
Install Machine
Initial Grace (OOB)
30d
90
60
Rearm Machine
Initial Grace (OOB)
30d
Rearm Machine
Initial Grace (OOB)
30d
Rearm Machine
Initial Grace (OOB)
30d
2
3
Rearm Machine
3 times per machine
Windows Server® 2008 R2
5
MAK
2
Windows® 7
MAK Reference
Information
Distribute MAK using VAMT, as part of an image, using the change product
key wizard or using a WMI script.
2
MAK client(s) connect once to Microsoft via Internet (SSL) for activation or
use telephone. Significant hardware changes will require reactivation.
The Multiple Activation Key (MAK)
is used for one-time perpetual
activation with Microsoft’s hosted
activation services. MAK
Independent activation is via
phone or online.
Each MAK has a predetermined
number of allowed activations,
based on an organization’s
volume license agreement.
1
Find machine(s) from Microsoft Active Directory or through network
discovery APIs.
2
Apply MAK and collect Installation ID (IID) using WMI.
3
Optionally export machine information to XML file (Computer Information List
- CIL).
Connect to Microsoft over Internet (SSL) and obtain corresponding
Confirmation ID (CID). Optionally update CIL XML file with CIDs.
5
CIL XML file saved with VAMT
can contain computers, MAK
keys, CIDs, and other machine
information used during
activation.It is also possible to
save the CIL without any sensitive
data (IID and Product ID only).
Activate MAK Proxy client(s) by applying CID (optionally import updated XML
file first). Significant hardware changes will require reactivation.
Volume Activation License States
150
Notifications
2
5
1
4
Use DNS to enable automatic discovery of the KMS
hosts; Add Priority and Weight parameters to define which
KMS host to balance traffic among multiple hosts
120
MAK
Volume Activation
Management Tool
(VAMT)
Microsoft Windows Volume Activation Timeline
Days
Internet
MAK Proxy Using VAMT
Each KMS host is autonomous (no replication of data
between hosts).
7
Server Group C
MAK Independent Activation
Configurable parameters (KMS host) are Renewal Interval
(7d), Retry Interval (2h), and Port (1688)
KMS host adds CMID to table.
Server Group C –
Windows Server 2008 R2
Understanding the MAK Activation Process
Discover KMS host using registry entry. If no entry then query DNS for KMS SRV record.
6
Server Group B
1
Windows Client and
Server
KMS clients are activated for 180 days.
Send RPC request to KMS host on 1688/TCP by default (~250b).
· Generate client machine ID (CMID).
· Assemble and sign request (AES encryption).
· On failure, retry (2 hours for machine in Grace, 7 days for (KMS) activated machine).
Server Group B –
Windows Server 2008 R2
Remote WMI (local admin required)
Firewall – exception, Local subnet (default)
Each KMS key can activate 6 KMS hosts up to 10 times
each. There are no limits on the number of clients that
can be activated.
KMS Client interaction with KMS Host
4
Server Group A
®
Computer
Information
List (CIL) –
XML File
Default activation method for volume builds of Windows
7,Windows Server 2008 R2, Windows Vista and Windows
Server 2008.
1
Server Group A –
Windows Server 2008 R2
MAK
2
KMS Reference Information
KMS Host Setup
VLSC
Volume License Service Center
Active Directory
What OS will
Activate?
4
Understanding the KMS Activation Process
VL
Volume License
What
What Systems
Systems Are
Are Activated
Activated
With
With This
This MAK
MAK Key?
Key?
Windows 7 Client VL Group
Volume
Volume Product
Product Group
Group
1
The activation threshold for Windows client (Windows 7
and Windows Vista) is twenty-five computers. For
Windows server (Windows Server 2008 R2 and Windows
Server 2008) it is five computers. This count is
cumulative and can contain both clients and servers.
7
Server Group C –
Windows Server 2008 R2
Send IID and Receive CID
4
Beginning with Service Pack 2 for Windows Vista and
Windows Server 2008, the threshold includes both
physical and virtual machines.
DNS
Server Group A
Server Group B
Windows 7 Client VL Group
Server Group A
Server Group B
Server Group C
Windows 7 Client VL Group
Microsoft® Hosted Activation Services
Confirmation ID (CID):
Activation response from
Microsoft
KMS requires a minimum number of computers to
connect within a 30 day period, called the activation
threshold, to activate KMS client machines.
3
KMS
Server Group B –
Windows Server 2008 R2
One-time Activation with Microsoft’s Hosted Activation Services
Customer-Hosted Local Activation Service
Internet
Server Group A
Windows 7 Client VL Group
Multiple Activation Key (MAK)
Microsoft Hosted Activation Services
OOT
Out-of-Tolerance
Server Group A –
Windows Server 2008 R2
Windows Client VL
MAK keys are lateral in nature. This means they activate the products
within a particular Volume Product Group only. For example, to MAK
activate Windows 7, you will use the Windows Client VL MAK key for
Windows 7. To MAK activate Windows Vista, you will use the Windows
Client VL MAK key for Windows Vista.
Key Management Service (KMS)
OOB
Out-of-Box
Windows Client VL
KMS host on a Windows client operating system can only activate Windows
clients (Windows 7 and Windows Vista). KMS host on Windows Server
operating system can activate both clients and servers.
KMS
Key Management Service
MVLS
Microsoft Volume Licensing
Services
KMS keys are hierarchical in nature. The KMS Host key is used to activate
the KMS service on a designated host system. The KMS Client key is a
generic key installed by default on volume media. The KMS client keys are
non-customer specific (one key per product edition) and can be found in the
prescriptive guidance on TechNet or in VAMT. This key is also used to
transition a MAK activated system to a KMS client.
KMS Host Key Hierarchy
CID
Confirmation ID
What
What Clients
Clients Are
Are Activated
Activated By
By
aa KMS
KMS Host
Host With
With This
This Key?
Key?
Windows 7 Client VL Group
Volume
Volume Product
Product Group
Group
KMS Keys
Volume License Keys
180
210
Windows
Activation
2.0 Operation
Operations
Windows
Activation
235
A Windows 7 or Windows Server 2008 R2 machine can be in one of 3
states: Grace, Licensed, or Notifications.
Activation can be performed anytime when the system is in grace.
1 Machine is in Out-Of-Box (OOB) grace after initial installation.
Initial Grace (OOB) = 30 days for Windows 7 and Windows Server 2008 R2.
2 To activate, install a product key (MAK) and activate online/via phone or
discover a KMS host (KMS) and activate over the network.
Out of Tolerance (OOT) grace = 30 days.
3 If a machine fails to activate then it will transition to Notifications. If a
machine fails to reactivate, it will transition to OOT then Notifications.
All editions can be Rearmed up to 3 times.
4 A machine can transition from Notifications to Licensed by following Step 2 .
5 For significant hardware changes the machine may fall Out-of-Tolerance
(OOT) and enter grace. This will happen if KMS activation expires as well.
A machine can transition from grace by activating (Step 2 ).
6 If a machine fails an online validation then it will transition to Notifications.
This machine is non-genuine.
Install MAK Key
Activate with Microsoft (phone or internet)
Machine
Successful activation from OOB – Indefinite
MAK
7 To activate a non-genuine machine, follow Step 2 and validate (http://
www.microsoft.com/genuine) to transition from Notifications to Licensed.
Hardware
Change
Out of Tolerance
(OOT) Grace
30d
Notifications
KMS Activation
Grace
(Not Licensed)
KMS Host
Successfully Activated - Indefinite
Same behavior as a MAK activated machine, including hardware change
Notifications
Install
1
Machine
Successful activation from OOB
180d
7d
OOT Grace
30d
Renewal attempt
Every 7d
OOT Grace - 30d
Reactivation attempt every 2h
Notifications
Machine will automatically
activate as soon as it can
discover the KMS host.
Volume Activation Resources
Secure
Branch office, secure network
segment, Bastion host
Well-connected LAN, zoned
Recomendations
Management Option
Notifications
Grace period expiration: must
activate or reactivate.
Validation failure: must
activate with authorized key
and pass validation.
KMS Management Pack for System Center Operations Manager 2007
http://go.microsoft.com/fwlink/?LinkId=110332
All
Volume Activation
Management Tool (VAMT)
MAK / MAK Proxy
System Center Operations
Manager 2007
KMS
Ethernet
KMS update for Windows Vista and Windows Server 2008
http://support.microsoft.com/kb/968912
KMS 1.2 for Windows Server 2003
http://support.microsoft.com/kb/968915
Core KMS
Host
If firewalls can be opened between clients and existing KMS host:
Use KMS host(s) in Core network
Tools to monitor and manage the activation status of volume license editions of
Windows 7, Windows Vista, Windows Server 2008 R2 and Windows Server 2008.
Activation Methods
Built in capabilities
If physical and virtual machines ≥ KMS activation threshold:
Small organization (<100 machines): KMS host = 1
Medium organization (>100 machines): KMS host ≥ 1
Enterprise: KMS host > 1
If physical and virtual machines ≤ KMS activation threshold:
MAK (phone or internet)
MAK Proxy
3
Notifications
Monitoring and Management Tools
Volume Activation Management Tool (VAMT): VAMT 1.2 is a part of Windows
Automated Installation Kit (AIK)
http://go.microsoft.com/fwlink/?LinkId=136976
Determine activation methods by assessing how different groups of computers connect to the network
Connected LAN
Most common scenario
3
OOT Grace
Deployment and Management
KMS is the recommended activation method for computers that are well connected to the organization's core network or that have periodic
connectivity. MAK activation is the recommended activation method for computers that are offsite with limited connectivity or that cannot connect
to the core network, even intermittently.
Core
5
Machine
180d
Planning for Activation
Infrastructure Options
2
Notifications
Hardware
Change
Machine
Successfully activated machine
180d
OOB Grace
Notifications
Machine
Successful renew at 7d
Every renewal restarts 180d
4
6
Fail WGA validation
2
Install KMS Host Key
Activate with Microsoft (phone or internet)
KMS
Install key
Install Machine
Initial Grace (OOB)
30d Attempt every 2h
7
Activate
Install Machine
Initial Grace (OOB)
30d
(Activated)
Activate and validate
Machine can be activated at
any time online or via phone.
Licensed
Licensed
Machine
Successful activation from OOT - Indefinite
HW OOT or
KMS expires
MAK
Activate
MAK
Grace
expires
Machine
Successful activation from OOB – Indefinite
Grace
expires
Install key
Install Machine
Initial Grace (OOB)
30d
Activate
MAK Activation
Install Machine
Initial Grace (OOB)
30d
System Center Configuration
Manager 2007 R2
Notes
SLMGR VBS and SLUI.EXE
WMI Interface
Event Logs
Discovery via AD DS , Workgroup, IP or machine name
Proxy Activate one or more machines with Microsoft
Cache CIDs and reapply to rebuild/reimage hardware
Event Reporting and health monitoring
Collect and report activation client data
http://technet.microsoft.com/en-us/library/bb680578.aspx
All
Volume Activation Image Management
If policy prevents firewall modification:
If physical and virtual machines > KMS activation threshold, use a local KMS host
MAK (phone or internet) or MAK Proxy
The following process diagram explains how to manage image creation and the Rearm count. Rearm is used to reset the activation timer (back to OOB Grace).
1 The /generalize parameter for Sysprep.exe resets the activation timer, security identifier, and other important parameters. Resetting the activation timer prevents the image’s grace period from expiring
before the image is deployed. Each time /generalized is used, the Rearm count is reduced by one. Once a system has a Rearm=0, /generalize may not longer be used to create a reference image.
If physical and virtual machines ≥ KMS activation threshold:
KMS host = 1 (per isolated network)
2
Isolated
Isolated, Lab/Development,
or Short Term Use
If physical and virtual machines ≤ KMS activation threshold:
No activation (rearm)
MAK (phone)
MAK Proxy (Sneakernet)
Roaming
Or
Disconnected
No connectivity to the
internet/Core
Roaming machines connect
periodically at Core or via VPN
For clients that connect periodically to Core:
Use the KMS host(s) in Core network
For clients that never connect to Core or have no internet access:
MAK (phone)
For air-gapped networks:
If physical and virtual machines ≥ KMS activation threshold,
Small organization: KMS host = 1
Medium organization: KMS host ≥ 1
Enterprise: KMS host > 1
If physical and virtual machines ≤ KMS activation threshold,
MAK or MAK Proxy (Sneakernet)
Where the Rearm = 0, activating with KMS will increase the count by 1, thereby allowing /generalize to create a new reference image.
1
Install OS and
applications on
Reference System
Sysprep /
generalize
Install
Update 1
Archive Reference
Image
(Rearm = 2)
Archive
Reference Image
(Rearm = 2)
Install
Update 1
Sysprep /
generalize
Archive Reference
Image
(Rearm = 1)
Sysprep /
generalize
Archive Reference
Image
(Rearm = 1)
Archive Reference
Image
(Rearm = 2)
Install
Update 2
Sysprep /
generalize
2
Archive Reference
Image
(Rearm = 0)
Install
Update 1& 2
Activate with KMS
(Rearm = 1)
Install
Update 1
Sysprep /
generalize
Activate with KMS
(Rearm = 1)
New Reference Image #1
(Rearm = 0)
Install
Update 2
Sysprep /
generalize
New Reference Image #2
(Rearm = 0)
Sysprep /
generalize
Archive Reference
Image
(Rearm = 1)
Microsoft Windows Volume Activation Reference Guide
More information is available on the Volume
Activation Center on TechNet at
http://www.technet.com/volumeactivation
Publication Date: October 2009
More information is available at TechNet Windows 7
Springboard http://www.microsoft.com/springboard
©2009 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Windows, Windows Server, and Windows Vista are trademarks of the Microsoft group of companies. The information in this document represents the view of Microsoft on the content. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.