General activation concepts

Today’s blog posting is based on documentation written for our activation specialists to answer some of the most common questions for customers that are new to our current activation technologies. Depending on the size of your organization and your familiarity with our current technologies, activation can be a very simple or complex discussion. These are some common starting points that we wanted to share to help get you started.

Discussing Volume Activation in a Conversation (Introduction)

 

Q: What is KMS?

A: KMS stands for Key Management Service and is one of two types of volume license activation methods available for our current operating systems. With this design, you will choose 1 or more machines to activate all of your other machines. Once the chosen machine(s) activate with Microsoft’s licensing servers, they are automatically turned into KMS Hosts. KMS is slightly different in that the KMS host always remains activated after it talks with the Microsoft licensing servers. Once activated, the KMS host does not connect back to Microsoft again. However, any machines that activate with the KMS host will only get 180 days at a time. We refer to these machines as KMS clients. But, don’t worry because all of the KMS clients will regularly contact the KMS host and ask for more time, so they won’t go into notification mode.

 

Q: What is MAK?

A: MAK stands for Multiple Activation Key and is the second of two types of volume license activation methods available for our current operating systems. MAK allows you to use a single key on multiple machines. Each of these machines activates with Microsoft’s licensing servers individually and is then licensed for the full lifecycle of the machine.

Note – Windows 7 Ultimate is not a volume licensed product, so you don’t want to confuse multiple activations for Ultimate with a MAK.

Q: What do you consider your ‘current operating systems’?

A: This term is loosely used to describe operating systems based on the same architecture. In this case, we’re referring to Windows Vista, Windows Server 2008, Windows 7 and Windows 2008 R2. These are the only operating systems that are capable of using MAK and KMS based activation at this time.

 

Q: How do I know what I have available to me?

A: MAK and KMS keys are issued based on your volume license agreement with Microsoft. Depending on the SKUs (editions) of Windows that you have licenses for, you may have several keys available to you. To see what keys have been issued, log into your account on Microsoft’s Volume Licensing website (https://www.microsoft.com/licensing/existing-customers/manage-my-agreements.aspx). Once logged in, you will see a table of product keys available. Make note of the column that shows if a particular key is MAK or KMS.

 

Note - If a key says KMS, it is a KMS host key and not a KMS client key. This is not the key used to activate your KMS clients!!

 

Q: I see both keys on the volume website, so I guess I have both options. Now what?

A: Now you need to get a count of the machines that you have available. In order to use KMS, you must have at least 5 servers running a current operating system or a total of 25 servers and clients running current operating systems. If you don’t have that many machines, the answer is pretty easy – use MAK. If you do, then we need to talk about your environment some more.

 

Discussing Volume Activation in a Conversation – Common Questions (MAK)

 

Q: I don’t have enough machines to use KMS, so I’ll use MAK. What do I do now?

A: Once you have installed your machines, they will automatically think they’re KMS clients. This is because Microsoft has included KMS client keys by default in volume license media. So, if you’re going to use your MAK, you need to type it in and activate the machine. You can do this via the GUI or via a command line. We also have tools to do this in bulk such as VAMT (Volume Activation Management Tool). If you are deploying an image, you can include the key in the image as well, but now we’re starting to get away from the subject.

 

Q: What is required to activate MAK?

A: All you need is an internet connection and your MAK key. From there, you can either use the GUI or command line to activate the machine. You need to make sure you’re using the right MAK or it won’t work. For example, your Windows Vista key won’t work with a Windows 7 machine. If you get an error that the product key is invalid, check to make sure you’re running a compatible OS and then check your VLSC site to determine if you have the correct key. You can go to Start and type “winver” in the search box to show what version you have.

 

To use the GUI, go to the control panel, click on ‘System and Security’ and then ‘System’. This will open the system dialog box. Look at the bottom and you’ll see “Windows activation”. Click on the blue highlighted text “Change product key”. This will open the Windows Activation wizard which will guide you through changing your key and activating over the internet:

 

[Screenshot: Windows Activation wizard]

 

If you want to use the command line, it’s just as easy. Open an elevated command prompt and type these two commands. Wait for confirmation in between running each command:

 

slmgr /ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx

slmgr /ato

 

The first command is used to install the MAK onto the machine. Once installed, the second command will tell the machine to connect to Microsoft’s servers and activate the machine.

 

If everything says successful, you’re done. The machine is now fully activated.
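
The two commands above with a verification step, as an added example that is not from the original post: it installs the key, activates, and then confirms through the SoftwareLicensingProduct WMI class that Windows is licensed on the MAK channel rather than still carrying the default KMS client key. The key is the post's placeholder, and an elevated PowerShell 3.0 or later session is assumed.

```powershell
# Added example (not from the original post): install a MAK, activate,
# then verify the resulting license state.
# Assumes an elevated PowerShell 3.0+ session.
$Mak   = 'xxxxx-xxxxx-xxxxx-xxxxx-xxxxx'   # placeholder: replace with your MAK
$Slmgr = Join-Path $env:windir 'System32\slmgr.vbs'

# Application ID shared by all Windows (not Office) licensing products.
$WindowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'

function Get-InstalledWindowsLicense {
    # Only a product with a key installed has a PartialProductKey.
    $filter = "ApplicationID='$WindowsAppId' AND PartialProductKey IS NOT NULL"
    Get-CimInstance -ClassName SoftwareLicensingProduct -Filter $filter
}

# cscript prints results to the console and blocks until each step is done,
# which replaces "wait for confirmation" between the two commands.
cscript.exe //nologo $Slmgr /ipk $Mak
cscript.exe //nologo $Slmgr /ato

$licenses = @(Get-InstalledWindowsLicense)
if ($licenses.Count -eq 0) { throw 'No Windows product key is installed.' }

foreach ($lic in $licenses) {
    # The channel is part of Description, e.g. VOLUME_MAK or VOLUME_KMSCLIENT.
    $channel = if ($lic.Description -match 'VOLUME_\w+') { $Matches[0] } else { 'unknown' }
    $state = if ($lic.LicenseStatus -eq 1) { 'Licensed' } else { "not licensed (status $($lic.LicenseStatus))" }
    '{0}: key ending {1}, channel {2}, {3}' -f $lic.Name, $lic.PartialProductKey, $channel, $state

    if ($channel -ne 'VOLUME_MAK') {
        Write-Warning 'The installed key is not a MAK; the machine may still carry the default KMS client key.'
    }
    if ($lic.LicenseStatus -ne 1) {
        Write-Warning 'Activation did not complete; check the key, the OS version, and internet access.'
    }
}
```
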

 

 

Discussing Volume Activation in a Conversation – Common Questions (KMS)

 

Q: I’d like to implement a KMS design. What do I need to have?

A: This can be a tricky question because KMS has default settings which will work for 99% of customers, but can also be customized for very specific purposes. We’ll focus on the defaults in this section. The first thing you need to implement KMS is a machine that will be designated the KMS host. You’ll want to choose a machine that is readily accessible by all of your clients and has reasonably high uptime. Most companies choose to use a domain controller or a management/reporting server for their KMS host. KMS requires very little resources and generally has no noticeable impact on performance.

 

Once you’ve designated your KMS host, you’ll need to activate it with Microsoft. The steps to activate the KMS host are the same as those for activating a MAK. You can use the GUI or command line. If necessary, you can also use phone based activation if you don’t have an internet connection. As with MAK, your KMS key(s) will be listed on your VLSC web site. You may notice that you have several keys to choose from depending on your sales agreement.

 

Once the KMS host activates successfully, it will create an SRV (service) record in your DNS server so that the KMS clients will know how to find it. From there, the KMS host sits and waits until the KMS clients start to request activation. You can force the KMS clients to activate manually or wait a few hours and it should start happening automatically.

 

During the time period where the first clients are communicating with the KMS host, you will receive a response from the KMS host saying “insufficient client count”. This will occur until enough KMS clients have tried to activate. If you’ll recall from above, you need at least 5 servers or a combination of 25 servers and clients before a KMS host will begin to activate KMS clients successfully.

 

Q: How do I choose which KMS key I want to use?

A: Don’t forget that we mentioned earlier that the KMS key on your VLSC site is only to be used on the KMS host. You don’t use it for all of the other machines. This is a common mistake, so you want to make sure only a few people have access to them. Don’t share the KMS key with anyone other than the administrator that is in charge of the KMS host. You only need 1 KMS key per KMS host at any time for Windows.

 

The way you choose the KMS key is by determining what versions of the OS you’re going to want to activate. KMS keys are built on a hierarchy, meaning that some keys can activate a lot of different versions of the OS and others can only activate 1 or 2. The primary point to remember here is that the higher level the key is, the more it can activate. For example, a Windows 7 key can also activate Windows Vista. In the same context, a Server Group key can activate a client and multiple SKUs of the server operating systems depending on its level. The highest possible key at the time of this writing is a Windows Server 2008 R2 Server Group C key. It will activate every edition of the OS we have.

 

Here’s a quick chart to help:

 

[Chart: KMS key hierarchy]

 

 

Discussing Volume Activation in a Conversation – Additional Topics

 

Q: Does Microsoft monitor all activations? I.e., is activation now the same as software metering?

A: It depends on the type of activation you’re using. With MAK activation, each machine contacts a Microsoft licensing server individually, so each time a new machine activates, we deduct 1 count from your MAK. Each MAK that you own is tied to a specific count of machines based on what you purchased. If you think there has been a problem where you activated too many machines, you need to contact Microsoft support and speak with a licensing specialist who can assist you with the process.

 

With KMS activation, Microsoft places the majority of the infrastructure in your hands. Microsoft only keeps a count of the number of KMS hosts that you’ve activated, but does not gather information on the number of machines those KMS hosts have activated themselves. Each KMS host that you configure also doesn’t keep a full history of the machines it has activated; it keeps a history of at most the last 50 KMS clients. This means that you shouldn’t rely on your KMS host to keep track of all the machines you’ve activated for licensing purposes. You also need to make sure that you take measures to prevent your KMS keys from accidentally getting into the wrong hands and to avoid exposing your KMS host to the internet. Microsoft’s intention with providing a KMS solution is not to be a big brother, but instead to give you the ability to run your business without having to expend a significant amount of time on activation. In general, KMS is a “set it, forget it” system once you’ve got it set up for your environment. If you accidentally use your KMS key on multiple machines and need to get a new one or reset it, contact Microsoft support and speak with a licensing specialist who can assist you with the process.

 

To put it more simply, volume activation is not equivalent to software metering. You are still responsible for making sure that you are compliant with your licenses. Don’t rely on your MAK count or KMS server event logs to determine how many licenses you have used.

 

Q: How does KMS know what machines to activate? How do I make sure I don’t accidentally activate the wrong machines?

A: KMS is purely a network-based service. Think of it more like DHCP than Active Directory. It has no built-in security boundary, so you must take precautions to prevent unknown machines from being able to find it. By default, KMS clients will automatically seek out a KMS host. They do this by querying their DNS server for a specific type of SRV record. If they find that SRV record, they’ll go straight over to the KMS host and ask to be activated. This means that you want to make sure that either you’ve secured your DNS server so that internal addresses cannot be resolved or that you’ve secured your network. The most effective way to make sure that only machines you own can contact the KMS host is to implement IPSec (https://technet.microsoft.com/en-us/network/bb531150.aspx) in your environment. By using IPSec to secure communications between all of the servers and clients in your network, unknown machines won’t be able to reach them even if you accidentally expose the record.

 

An alternative method is to prevent the KMS host from automatically creating its SRV record and then configuring each of the KMS clients with static information on the KMS host location. However, this would cause a great deal of overhead and doesn’t actually secure the KMS host. It would still respond if someone were to know where it was.
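
One way to check the exposure described in this answer, as an added example that is not from the original post: it looks up the KMS SRV record (_vlmcs._tcp, the name KMS clients query) through your internal resolver and through a public one, lists every published KMS host, and warns if the record is visible from outside. The domain and the public resolver address are placeholders; Resolve-DnsName and Test-NetConnection require Windows 8.1 / Windows Server 2012 R2 or later.

```powershell
# Added example (not from the original post): audit where the KMS SRV record
# is visible and which hosts it advertises.
$Domain         = 'corp.example.com'     # placeholder: your internal DNS domain
$PublicResolver = '8.8.8.8'              # assumption: any resolver outside your network
$SrvName        = "_vlmcs._tcp.$Domain"  # SRV name that KMS clients look up

function Get-KmsSrvRecord {
    param([string]$Name, [string]$Server)
    $query = @{ Name = $Name; Type = 'SRV'; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    if ($Server) { $query.Server = $Server }
    # A failed lookup returns nothing; drop SOA/authority rows from empty answers.
    Resolve-DnsName @query | Where-Object { $_.Type -eq 'SRV' }
}

$internal = @(Get-KmsSrvRecord -Name $SrvName)
$external = @(Get-KmsSrvRecord -Name $SrvName -Server $PublicResolver)

# Every machine that was activated with a KMS host key registers itself here,
# so an unexpected entry points to a key installed on the wrong machine.
"Internal resolver returned $($internal.Count) KMS host record(s):"
foreach ($rec in $internal) {
    $probe = Test-NetConnection -ComputerName $rec.NameTarget -Port $rec.Port -WarningAction SilentlyContinue
    '  {0}:{1} priority={2} weight={3} reachable={4}' -f `
        $rec.NameTarget, $rec.Port, $rec.Priority, $rec.Weight, $probe.TcpTestSucceeded
}

if ($external.Count -gt 0) {
    Write-Warning "$SrvName resolves through $PublicResolver; the KMS host location is published outside your network."
    foreach ($rec in $external) { '  exposed: {0}:{1}' -f $rec.NameTarget, $rec.Port }
} else {
    "No KMS SRV record is visible through $PublicResolver."
}
```

A clean result here only covers name resolution; as the answer notes, a KMS host still responds to anyone who knows its address, so network-level controls remain necessary.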

 

Kevin Ledman

Senior Support Escalation Engineer

Microsoft Enterprise Platforms Support