

March 2008

Volume Activation in Server 2008

This new technology replaces the Volume License Key

Executive Summary:

Microsoft’s original volume licensing technology used Volume License Keys (VLKs), which could activate an unlimited number of systems. This method created various security and administrative problems. Microsoft Windows Server 2008’s new Volume Activation 2.0 (VA2) uses Multiple Activation Keys (MAKs) or Key Management Service (KMS) hosts to activate systems in medium and large organizations.


Editor's Note:
Following the release of Windows Server 2008, Microsoft provided the following update to this article.

"We thank you for featuring Volume Activation 2.0 in March issue of Windows IT Pro. The article offers a candid view on the activation technology manifested in Windows Vista and Windows Server 2008 and how IT pros should approach it while deploying Windows Vista and/or Windows Server 2008. There are few errors in the article such as when the KMS client fails to renew with KMS host past the 180 days leads to unusable until they reactivate is not true. In such scenarios the resulting experience is notification and not any sort of limited use of the previously activated system. Additional changes we want your reader to take note of includes the initial grace period for Windows Server 2008 is 60 days, the default port for KMS location discovery is 1688, KMS activation threshold is cumulative between Windows Vista and Windows Server 2008, and reactivating the system that has been previously activated using MAK key is possible and it results in 'number of activations used' incremented by one. We would like to highlight to your readers that there is an updated set of prescriptive guidance available at www.microsoft.com/technet/volumeactivation."


If you plan to deploy business versions of Windows Vista or any version of Windows Server 2008—which you’ll do eventually—you need to understand Volume Activation. A VA infrastructure is necessary for companies with more than a few hundred Vista or Server 2008 systems. Without this infrastructure, every volume-licensed build of these systems will eventually fail. In this article I define VA, explain how it works, and offer straightforward recommendations for deploying it in common situations.

Volume Activation Overview
Volume Activation 2.0 (VA2) is a major rework of Microsoft’s original volume licensing technology. In volume licensing, one Volume License Key (VLK) was used to activate an unlimited number of systems. This method required strong security to ensure the VLK was never compromised; if a key was “leaked” and became available on the Internet, Microsoft had to deactivate the key, and all the systems that used the key had to be rekeyed. VA2 avoids this problem by requiring every Vista or Server 2008 build that’s configured for volume licensing to activate with Microsoft, either directly or by proxy.

In VA2, volume builds of the OS use one of two activation methods: Multiple Activation Key (MAK) or Key Management Service (KMS). A MAK is similar to a VLK, but it has some important differences. A MAK has a limited number of activations associated with it, whereas a VLK is unlimited. Every activation instance that uses a MAK must verify with Microsoft; no verification is necessary with the VLK method. KMS is a client/server system that activates multiple clients without requiring any action from the system’s users. Unlike in a MAK activation, a system that uses KMS doesn’t have to contact Microsoft individually. Rather, the KMS hosts themselves activate the license with Microsoft on the client’s behalf. Microsoft expects that medium and large organizations that use VA will use KMS to activate most of their systems.

Before we delve into KMS and MAK activation in detail, let’s look at the five possible license states for VA clients. (Note that only the first state requires no action.) The first and most common state is Licensed, in which the client is activated and functioning normally. Next is Initial Grace or Out-Of-Box Grace; this period occurs after the VA client is first installed. Out-of-Tolerance Grace occurs when hardware changes on an activated system push the system beyond a tolerance level. Non-Genuine Grace occurs when a system that has the Windows Genuine Advantage (WGA) ActiveX control installed fails Genuine Activation. All of these license states have a grace period of 30 days. Finally, Unlicensed occurs when any of the grace periods expire. In the Unlicensed state, a system runs in reduced functionality mode (RFM).

Note that the Unlicensed state behavior is different in Vista SP1. If you’re using a system that hasn’t been activated and has gone through the 30-day activation grace period, when you log on to the system on the 31st day, you’ll see a dialog box on a plain black background. You’ll have two options: Activate Windows now, which brings up all the options to do so; or activate Windows later, which takes you directly to the desktop. Your desktop will appear as before, except you’ll have a plain black background and a message in the lower right corner over the system tray telling you that your copy of Windows isn’t genuine.

Key Management Service Architecture
The KMS VA system consists of one or more KMS hosts (servers) that activate clients configured to use KMS. These clients locate a KMS host by one of several methods and request the host to activate them. The KMS host uses a special KMS key to activate with Microsoft, then acts as a proxy to activate its own clients; the clients don’t need to contact Microsoft to activate. A host can activate an unlimited number of clients. As a result, Microsoft generally provides only one KMS key for an organization. Microsoft designed the KMS system to be highly scalable so it requires a minimum of KMS hosts.

KMS-configured systems must renew with the KMS host on a regular basis; otherwise, they’ll eventually fall into the Unlicensed state and essentially be unusable until they reactivate with a KMS host. The reason such a critical piece of Microsoft infrastructure requires so few servers is that the Software Licensing Service has very loose requirements compared with other services. When a KMS client is first built (either a Vista client or a Server 2008 server), it has 30 days to activate. This initial grace period can be reset three times. During this period, the client tries every two hours to activate. After the client successfully activates, it attempts to contact a KMS host once every seven days by default to renew its activation for another six months. Each client has a six-month countdown timer that resets whenever the client renews with a KMS host; if the client can’t renew for some reason, the timer keeps counting down, attempting again every week, until the client either renews or falls into the Unlicensed state. So a client attempts to reach a KMS host approximately 25 times. Also, the 15-second Time to Live (TTL) value of each KMS request is extremely long by other services’ standards and the data exchange is quite small, so the network proximity of the KMS host to the clients isn’t especially important.
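The timers described above can be walked through for a given set of KMS host outages to see how much downtime a client tolerates. The following is an added example, not code from the article or from Microsoft; the function and field names are hypothetical, the timer values are the ones stated in the article body (the Editor's Note gives a 60-day initial grace for Windows Server 2008, which can be passed as initial_grace_h), and the model stops at the point the countdown expires.

```python
from dataclasses import dataclass
from typing import Optional

# Timer values as stated in the article body, in hours (model assumptions;
# the Editor's Note gives a 60-day initial grace for Windows Server 2008).
INITIAL_GRACE_H = 30 * 24    # time a new client has to activate
ACTIVATE_RETRY_H = 2         # retry interval before first activation
RENEW_INTERVAL_H = 7 * 24    # renewal attempt interval once activated
VALIDITY_H = 180 * 24        # six-month countdown reset by each renewal

@dataclass
class Timeline:
    activated_at: Optional[int]    # hour of first successful activation
    renewals: int                  # successful renewals after activation
    longest_failed_run: int        # most consecutive failed attempts
    unlicensed_at: Optional[int]   # hour the countdown expired, if it did

def host_reachable(hour, outages):
    """outages: constructed list of half-open (start_hour, end_hour) windows."""
    return not any(start <= hour < end for start, end in outages)

def simulate_client(outages, horizon_h, initial_grace_h=INITIAL_GRACE_H):
    """Step one KMS client from install (hour 0) through its attempts."""
    t, deadline = 0, initial_grace_h
    activated_at, renewals, run, longest = None, 0, 0, 0
    while t < deadline and t <= horizon_h:
        if host_reachable(t, outages):
            if activated_at is None:
                activated_at = t          # first activation
            else:
                renewals += 1             # weekly renewal succeeded
            deadline, run = t + VALIDITY_H, 0   # countdown resets
        else:
            run += 1
            longest = max(longest, run)
        # Two-hour retries until activated, weekly attempts afterwards.
        t += ACTIVATE_RETRY_H if activated_at is None else RENEW_INTERVAL_H
    unlicensed_at = deadline if deadline <= horizon_h else None
    return Timeline(activated_at, renewals, longest, unlicensed_at)

if __name__ == "__main__":
    day = 24
    # Constructed scenarios: a 170-day host outage, then a permanent one.
    print(simulate_client([(1, 170 * day)], 300 * day))
    print(simulate_client([(1, 10**6)], 300 * day))
```

With the host permanently unreachable after activation, the model makes 25 failed weekly attempts before the 180-day countdown expires, which matches the figure given above.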

KMS Installation
KMS can be installed on Server 2008, Windows Vista, or Windows Server 2003 SP1. It’s available on both x86 and x64 architectures for all platforms. No extra software is necessary for Server 2008 or Vista, but to run KMS on Windows 2003, go to the Microsoft downloads Web site (www.microsoft.com/downloads), search for “KMS on W2K3 SP1,” then download and install either KMSW2K3_EN-US_x86.zip or KMSW2K3_EN-US_x64.zip. Both the KMS host and KMS client are part of Microsoft’s Software Licensing Service (slsvc.exe), but KMS on a Windows 2003 server is referred to as the Software Protection Platform service.

Although KMS is available on Vista, I don’t recommend this configuration. Instead, I suggest that you use a KMS host on a server OS. Such a critical infrastructure service should be installed on an existing server or added as a regular production server.

The main utility to control a KMS host is a straightforward script, slmgr.vbs, which is located in the \system32 folder of volume license versions of Server 2008 and Vista. The most common switches you’ll use are

  • -ipk—Install product key
  • -ato—Activate
  • -dli—Display license information
  • -xpr—Expiration date for current license state
  • -skms—Direct connection (vs. autodiscovery)

The first step in installing a KMS host is to install a volume license version of the OS. A volume license OS version won’t prompt you to provide a license key when you build it. When the installation is complete, use the following command to install the KMS key provided by Microsoft:

  SLMGR.VBS -ipk
