Document 6484052
Acronyms Volume License Basics Volume Activation Key Management AD DS Active Directory Domain Services Volume license offering for Windows 7 is an upgrade license and requires a qualifying Windows® client operating system. Volume License offerings for Windows Server 2008 R2 are full licenses. VL keys are organized by Product Group. Customers receive 1 MAK per group and 1 KMS per Product Group. VLSC allows management of VL agreements, download of licensed products, provides access to product keys, viewing of Microsoft License Statements, and reporting of VL entitlements. CIL Computer Information List CMID Client Machine ID With volume license media, no product key is required during setup and there is a 30 day grace period to activate software after installation. DNS Domain Name System Volume license customers typically get media kits for Windows 7 and Windows Server 2008 R2. IID Installation ID For more information: http://www.microsoft.com/licensing https://licensing.microsoft.com/eLicense Volume Product Group Contains Windows Vista and Windows Server 2008 KMS keys follow the same hierarchy (groups VL, A, B, C) as Windows 7 and Windows Server 2008 R2. The primary difference to note is that the Windows 7 and Windows Server 2008 R2 KMS keys can be used to activate down-level operating systems as well (Windows Vista and Windows Server 2008). Windows Client VL Windows 7 Professional Windows 7 Enterprise Server Group A – Windows Server 2008 R2 Windows Web Server 2008 R2 Windows Server 2008 R2 HPC Edition Windows HPC Server 2008 R2 Server Group B – Windows Server 2008 R2 Windows Server 2008 R2 Standard Windows Server 2008 R2 Enterprise Server Group C – Windows Server 2008 R2 Windows Server 2008 R2 Datacenter Windows Server 2008 R2 for Itanium-based Systems MAK Multiple Activation Key MAK Keys Windows Vista and Windows Server 2008 MAK keys follow the same hierarchy (groups VL, A, B, C) as Windows 7 and Windows Server 2008 R2. 
KMS Activation Threshold Examples DNS SRV Record: _vlmcs._tcp OS Operating System 1 One time – Phone or Online SRV DNS Service Resource Record 2 Install Key 4 Discover KMS Register DNS 5 KMS Host Service 8 VLSC Volume License Service Center 6 Windows Server 2008 R2 KMS Host SP Service Pack 5 7 Number of... Activation Windows Windows Count Servers Clients On KMS Host CMID / Date Stamp Machine1 CMID 7/11/08 00:00:00 Machine2 CMID 7/11/08 00:00:00 ...maximum of 50 CMIDs cached for 30 days VAMT Volume Activation Management Tool 8 Windows 7 Client Machine ID (CMID) – Value cached (with timestamp) on the KMS host during activation. Date is updated on client renewal. VPN Virtual Private Network WAN Wide Area Network Install KMS host key on designated system using SLMGR Command. 2 KMS host is activated with the KMS key using Microsoft’s Hosted Activation Services. 3 If enabled, the KMS Service registers SRV resource records in DNS each time KMS Service is started and once per day. 1 5 Windows Server Only 1 4 5 Windows Server Only 1 1 2 None WMI Windows Management Instrumentation 5 4 22 26 XML Extensible Markup Language KMS host returns activation count to client. 8 KMS client evaluates count vs. license policy and activates itself if the activation threshold is met. · Store KMS host Product ID, intervals, and client hardware ID in license store. · On success automatically attempt to renew activation every 7 days (default). One time – Phone or Online Initial Installation 0 15 30 KMS activation threshold is cumulative between OS editions, and physical and virtual machines. Install Machine Initial Grace (OOB) 30d 90 60 Rearm Machine Initial Grace (OOB) 30d Rearm Machine Initial Grace (OOB) 30d Rearm Machine Initial Grace (OOB) 30d 2 3 Rearm Machine 3 times per machine Windows Server® 2008 R2 5 MAK 2 Windows® 7 MAK Reference Information Distribute MAK using VAMT, as part of an image, using the change product key wizard or using a WMI script. 
2 MAK client(s) connect once to Microsoft via Internet (SSL) for activation or use telephone. Significant hardware changes will require reactivation. The Multiple Activation Key (MAK) is used for one-time perpetual activation with Microsoft’s hosted activation services. MAK Independent activation is via phone or online. Each MAK has a predetermined number of allowed activations, based on an organization’s volume license agreement. 1 Find machine(s) from Microsoft Active Directory or through network discovery APIs. 2 Apply MAK and collect Installation ID (IID) using WMI. 3 Optionally export machine information to XML file (Computer Information List - CIL). Connect to Microsoft over Internet (SSL) and obtain corresponding Confirmation ID (CID). Optionally update CIL XML file with CIDs. 5 CIL XML file saved with VAMT can contain computers, MAK keys, CIDs, and other machine information used during activation. It is also possible to save the CIL without any sensitive data (IID and Product ID only). Activate MAK Proxy client(s) by applying CID (optionally import updated XML file first). Significant hardware changes will require reactivation. Volume Activation License States 150 Notifications 2 5 1 4 Use DNS to enable automatic discovery of the KMS hosts; Add Priority and Weight parameters to define which KMS host to balance traffic among multiple hosts 120 MAK Volume Activation Management Tool (VAMT) Microsoft Windows Volume Activation Timeline Days Internet MAK Proxy Using VAMT Each KMS host is autonomous (no replication of data between hosts). 7 Server Group C MAK Independent Activation Configurable parameters (KMS host) are Renewal Interval (7d), Retry Interval (2h), and Port (1688) KMS host adds CMID to table. Server Group C – Windows Server 2008 R2 Understanding the MAK Activation Process Discover KMS host using registry entry. If no entry then query DNS for KMS SRV record. 6 Server Group B 1 Windows Client and Server KMS clients are activated for 180 days. 
Send RPC request to KMS host on 1688/TCP by default (~250b). · Generate client machine ID (CMID). · Assemble and sign request (AES encryption). · On failure, retry (2 hours for machine in Grace, 7 days for (KMS) activated machine). Server Group B – Windows Server 2008 R2 Remote WMI (local admin required) Firewall – exception, Local subnet (default) Each KMS key can activate 6 KMS hosts up to 10 times each. There are no limits on the number of clients that can be activated. KMS Client interaction with KMS Host 4 Server Group A ® Computer Information List (CIL) – XML File Default activation method for volume builds of Windows 7, Windows Server 2008 R2, Windows Vista and Windows Server 2008. 1 Server Group A – Windows Server 2008 R2 MAK 2 KMS Reference Information KMS Host Setup VLSC Volume License Service Center Active Directory What OS will Activate? 4 Understanding the KMS Activation Process VL Volume License What Systems Are Activated With This MAK Key? Windows 7 Client VL Group Volume Product Group 1 The activation threshold for Windows client (Windows 7 and Windows Vista) is twenty-five computers. For Windows server (Windows Server 2008 R2 and Windows Server 2008) it is five computers. This count is cumulative and can contain both clients and servers. 7 Server Group C – Windows Server 2008 R2 Send IID and Receive CID 4 Beginning with Service Pack 2 for Windows Vista and Windows Server 2008, the threshold includes both physical and virtual machines. DNS Server Group A Server Group B Windows 7 Client VL Group Server Group A Server Group B Server Group C Windows 7 Client VL Group Microsoft® Hosted Activation Services Confirmation ID (CID): Activation response from Microsoft KMS requires a minimum number of computers to connect within a 30 day period, called the activation threshold, to activate KMS client machines. 
3 KMS Server Group B – Windows Server 2008 R2 One-time Activation with Microsoft’s Hosted Activation Services Customer-Hosted Local Activation Service Internet Server Group A Windows 7 Client VL Group Multiple Activation Key (MAK) Microsoft Hosted Activation Services OOT Out-of-Tolerance Server Group A – Windows Server 2008 R2 Windows Client VL MAK keys are lateral in nature. This means they activate the products within a particular Volume Product Group only. For example, to MAK activate Windows 7, you will use the Windows Client VL MAK key for Windows 7. To MAK activate Windows Vista, you will use the Windows Client VL MAK key for Windows Vista. Key Management Service (KMS) OOB Out-of-Box Windows Client VL KMS host on a Windows client operating system can only activate Windows clients (Windows 7 and Windows Vista). KMS host on Windows Server operating system can activate both clients and servers. KMS Key Management Service MVLS Microsoft Volume Licensing Services KMS keys are hierarchical in nature. The KMS Host key is used to activate the KMS service on a designated host system. The KMS Client key is a generic key installed by default on volume media. The KMS client keys are non-customer specific (one key per product edition) and can be found in the prescriptive guidance on TechNet or in VAMT. This key is also used to transition a MAK activated system to a KMS client. KMS Host Key Hierarchy CID Confirmation ID What Clients Are Activated By a KMS Host With This Key? Windows 7 Client VL Group Volume Product Group KMS Keys Volume License Keys 180 210 Windows Activation 2.0 Operation Operations Windows Activation 235 A Windows 7 or Windows Server 2008 R2 machine can be in one of 3 states: Grace, Licensed, or Notifications. Activation can be performed anytime when the system is in grace. 1 Machine is in Out-Of-Box (OOB) grace after initial installation. 
Initial Grace (OOB) = 30 days for Windows 7 and Windows Server 2008 R2. 2 To activate, install a product key (MAK) and activate online/via phone or discover a KMS host (KMS) and activate over the network. Out of Tolerance (OOT) grace = 30 days. 3 If a machine fails to activate then it will transition to Notifications. If a machine fails to reactivate, it will transition to OOT then Notifications. All editions can be Rearmed up to 3 times. 4 A machine can transition from Notifications to Licensed by following Step 2. 5 For significant hardware changes the machine may fall Out-of-Tolerance (OOT) and enter grace. This will happen if KMS activation expires as well. A machine can transition from grace by activating (Step 2). 6 If a machine fails an online validation then it will transition to Notifications. This machine is non-genuine. Install MAK Key Activate with Microsoft (phone or internet) Machine Successful activation from OOB – Indefinite MAK 7 To activate a non-genuine machine, follow Step 2 and validate (http://www.microsoft.com/genuine) to transition from Notifications to Licensed. Hardware Change Out of Tolerance (OOT) Grace 30d Notifications KMS Activation Grace (Not Licensed) KMS Host Successfully Activated - Indefinite Same behavior as a MAK activated machine, including hardware change Notifications Install 1 Machine Successful activation from OOB 180d 7d OOT Grace 30d Renewal attempt Every 7d OOT Grace - 30d Reactivation attempt every 2h Notifications Machine will automatically activate as soon as it can discover the KMS host. Volume Activation Resources Secure Branch office, secure network segment, Bastion host Well-connected LAN, zoned Recommendations Management Option Notifications Grace period expiration: must activate or reactivate. Validation failure: must activate with authorized key and pass validation. 
KMS Management Pack for System Center Operations Manager 2007 http://go.microsoft.com/fwlink/?LinkId=110332 All Volume Activation Management Tool (VAMT) MAK / MAK Proxy System Center Operations Manager 2007 KMS Ethernet KMS update for Windows Vista and Windows Server 2008 http://support.microsoft.com/kb/968912 KMS 1.2 for Windows Server 2003 http://support.microsoft.com/kb/968915 Core KMS Host If firewalls can be opened between clients and existing KMS host: Use KMS host(s) in Core network Tools to monitor and manage the activation status of volume license editions of Windows 7, Windows Vista, Windows Server 2008 R2 and Windows Server 2008. Activation Methods Built in capabilities If physical and virtual machines ≥ KMS activation threshold: Small organization (<100 machines): KMS host = 1 Medium organization (>100 machines): KMS host ≥ 1 Enterprise: KMS host > 1 If physical and virtual machines ≤ KMS activation threshold: MAK (phone or internet) MAK Proxy 3 Notifications Monitoring and Management Tools Volume Activation Management Tool (VAMT): VAMT 1.2 is a part of Windows Automated Installation Kit (AIK) http://go.microsoft.com/fwlink/?LinkId=136976 Determine activation methods by assessing how different groups of computers connect to the network Connected LAN Most common scenario 3 OOT Grace Deployment and Management KMS is the recommended activation method for computers that are well connected to the organization's core network or that have periodic connectivity. MAK activation is the recommended activation method for computers that are offsite with limited connectivity or that cannot connect to the core network, even intermittently. 
Core 5 Machine 180d Planning for Activation Infrastructure Options 2 Notifications Hardware Change Machine Successfully activated machine 180d OOB Grace Notifications Machine Successful renew at 7d Every renewal restarts 180d 4 6 Fail WGA validation 2 Install KMS Host Key Activate with Microsoft (phone or internet) KMS Install key Install Machine Initial Grace (OOB) 30d Attempt every 2h 7 Activate Install Machine Initial Grace (OOB) 30d (Activated) Activate and validate Machine can be activated at any time online or via phone. Licensed Licensed Machine Successful activation from OOT - Indefinite HW OOT or KMS expires MAK Activate MAK Grace expires Machine Successful activation from OOB – Indefinite Grace expires Install key Install Machine Initial Grace (OOB) 30d Activate MAK Activation Install Machine Initial Grace (OOB) 30d System Center Configuration Manager 2007 R2 Notes SLMGR VBS and SLUI.EXE WMI Interface Event Logs Discovery via AD DS, Workgroup, IP or machine name Proxy Activate one or more machines with Microsoft Cache CIDs and reapply to rebuild/reimage hardware Event Reporting and health monitoring Collect and report activation client data http://technet.microsoft.com/en-us/library/bb680578.aspx All Volume Activation Image Management If policy prevents firewall modification: If physical and virtual machines > KMS activation threshold, use a local KMS host MAK (phone or internet) or MAK Proxy The following process diagram explains how to manage image creation and the Rearm count. Rearm is used to reset the activation timer (back to OOB Grace). 1 The /generalize parameter for Sysprep.exe resets the activation timer, security identifier, and other important parameters. Resetting the activation timer prevents the image’s grace period from expiring before the image is deployed. Each time /generalize is used, the Rearm count is reduced by one. Once a system has a Rearm=0, /generalize may no longer be used to create a reference image. 
If physical and virtual machines ≥ KMS activation threshold: KMS host = 1 (per isolated network) 2 Isolated Isolated, Lab/Development, or Short Term Use If physical and virtual machines ≤ KMS activation threshold: No activation (rearm) MAK (phone) MAK Proxy (Sneakernet) Roaming Or Disconnected No connectivity to the internet/Core Roaming machines connect periodically at Core or via VPN For clients that connect periodically to Core: Use the KMS host(s) in Core network For clients that never connect to Core or have no internet access: MAK (phone) For air-gapped networks: If physical and virtual machines ≥ KMS activation threshold, Small organization: KMS host = 1 Medium organization: KMS host ≥ 1 Enterprise: KMS host > 1 If physical and virtual machines ≤ KMS activation threshold, MAK or MAK Proxy (Sneakernet) Where the Rearm = 0, activating with KMS will increase the count by 1, thereby allowing /generalize to create a new reference image. 1 Install OS and applications on Reference System Sysprep /generalize Install Update 1 Archive Reference Image (Rearm = 2) Archive Reference Image (Rearm = 2) Install Update 1 Sysprep /generalize Archive Reference Image (Rearm = 1) Sysprep /generalize Archive Reference Image (Rearm = 1) Archive Reference Image (Rearm = 2) Install Update 2 Sysprep /generalize 2 Archive Reference Image (Rearm = 0) Install Update 1 & 2 Activate with KMS (Rearm = 1) Install Update 1 Sysprep /generalize Activate with KMS (Rearm = 1) New Reference Image #1 (Rearm = 0) Install Update 2 Sysprep /generalize New Reference Image #2 (Rearm = 0) Sysprep /generalize Archive Reference Image (Rearm = 1) Microsoft Windows Volume Activation Reference Guide More information is available on the Volume Activation Center on TechNet at http://www.technet.com/volumeactivation Publication Date: October 2009 More information is available at TechNet Windows 7 Springboard http://www.microsoft.com/springboard ©2009 Microsoft Corporation. All rights reserved. 
Microsoft, Active Directory, Windows, Windows Server, and Windows Vista are trademarks of the Microsoft group of companies. The information in this document represents the view of Microsoft on the content. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.