Windows Server Activation Best Practices

UPD: Updated with the information for Windows Server 2016.

Windows Server automatic activation is very important for IaaS services. Today I'll share some best practices for Windows Server activation in Service Provider environments. These practices can also be used in Enterprise environments. And of course they can and must be used for Cloud OS Network Platform :)

I'll use the KMS and AVMA activation methods. Enterprises can also leverage Active Directory-Based Activation (automatic activation of the OS after it joins a properly configured domain), but it is not suitable for service provider environments because tenant VMs won't join the service provider's domain.

Install KMS Servers

The KMS server is the core of your Windows Server activation process. So go to the VLSC site and get the Windows Server 2016 Datacenter KMS C key. A good explanation of why you should use a Level-C key is available here. Then create a VM and install Windows Server 2016 Datacenter on it. Configure the KMS server using these commands:

slmgr.vbs /ipk <yourproductkey>
slmgr.vbs /ato

Such a KMS server will be able to activate Windows Server 2016 and prior versions (2003, 2008, 2012) in the Datacenter, Standard or Enterprise (for Windows Server 2008) editions. For high availability, you can install an additional KMS server and configure DNS-based load balancing. A Windows Server 2012 R2-based KMS server won't be able to activate Windows Server 2016.

Activate Hyper-V hosts

To leverage AVMA, you need to use Windows Server 2016 or 2012 R2 Datacenter on the Hyper-V hosts and Windows Server 2016 or 2012 R2 Standard/Datacenter on the guest VMs. If the hosts run the free Hyper-V Server edition, Windows Server 2016/2012 R2 Standard or Windows Server 2012 nonR2, AVMA won't work. If you are not familiar with AVMA - it is a new way to activate Windows Server-based VMs, introduced in Windows Server 2012 R2. Its idea is simple - if the Hyper-V host is activated, then every new guest VM will be activated automatically. There is no need to configure network access to a KMS server or to the internet for MAK activation. It is the best approach for service providers.

So, after the KMS servers are deployed, activate the Hyper-V hosts using KMS activation.

For Windows Server 2012 R2 Datacenter use these commands:

slmgr.vbs /ipk W3GGN-FT8W3-Y4M27-J84CP-Q3VJ9
slmgr.vbs /ato

For Windows Server 2016 Datacenter use these commands:

slmgr.vbs /ipk CB7KF-BWN84-R7R2Y-793K2-8XDDG
slmgr.vbs /ato

I've got this key from here. You can use this key during Windows Server Datacenter installation to skip the manual activation step.

A Hyper-V host will try to find a KMS server in the domain it is joined to. If you have a separate domain for the Hyper-V hosts that is different from the domain the KMS server was deployed to, use this command to manually specify the address of the KMS server before the /ato command:

slmgr.vbs /skms <KMSserverDNSnameOrIPAddress>
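
To see which KMS servers a host would discover through DNS, and whether it can actually reach them, the following check can be run on the host before /ato. It is an added example, not part of the original post; the domain name is a constructed placeholder, and it relies on the _vlmcs._tcp SRV record that KMS clients use for discovery.

```powershell
# Added example. Assumption: DNS domain the Hyper-V hosts are joined to
# (constructed placeholder, replace with your own).
$Domain = 'hosts.example.internal'

# KMS clients discover servers through the _vlmcs._tcp SRV record of their domain.
$srv = Resolve-DnsName -Name "_vlmcs._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.QueryType -eq 'SRV' }

if (-not $srv) {
    Write-Warning "No _vlmcs._tcp SRV record found in $Domain; point the host at the KMS server with slmgr.vbs /skms."
    return
}

# Test every advertised KMS host on its advertised port (TCP 1688 by default).
$results = foreach ($r in ($srv | Sort-Object Priority, Weight)) {
    $t = Test-NetConnection -ComputerName $r.NameTarget -Port $r.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        KmsHost   = $r.NameTarget
        Port      = $r.Port
        Priority  = $r.Priority
        Weight    = $r.Weight
        Reachable = $t.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

if ($results.Reachable -notcontains $true) {
    Write-Warning 'None of the advertised KMS hosts is reachable from this machine; check routing and firewalls before running /ato.'
}
```

With two KMS servers published for high availability, both should appear in the table and both should show Reachable = True.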

Configure Guest VMs activation with AVMA

If you are using Windows Server 2012 R2 Datacenter Hyper-V on the hosts, you can use AVMA to activate guest VMs with Windows Server 2012 R2 Datacenter. To leverage this, use one of these keys in your VM templates or during the OS installation:

Y4TGP-NPTV9-HTC2H-7MGQ3-DV4TW - for Windows Server 2012 R2 Datacenter
DBGBW-NPF86-BJVTX-K3WKJ-MTB6V - for Windows Server 2012 R2 Standard

CB7KF-BWN84-R7R2Y-793K2-8XDDG - for Windows Server 2016 Datacenter
WC2BQ-8NRM3-FDDYY-2BFGV-KHKQY - for Windows Server 2016 Standard

I've got these keys from here.

Configure Guest VMs activation with KMS

For Windows Server versions prior to 2012 R2, you'll need to use the traditional KMS activation method. The same applies if you are using vSphere or another hypervisor (not Windows Server 2012 R2/2016 Datacenter Hyper-V).

The potential problem for service providers is that the guest OS needs access to the KMS server at least every 180 days to prolong the activation, otherwise it will deactivate. And in modern IaaS services, tenants manage their virtual networks by themselves. One way to solve this is to deploy the KMS server in the DMZ and make it accessible to tenant VMs. Be sure that the KMS server is not accessible externally to other users on the internet. By default, the KMS server uses TCP port 1688.
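
One way to check the exposure of port 1688 on the KMS server's own Windows Firewall is sketched below. It is an added example, not from the original post: the tenant ranges are constructed placeholders, and the script only audits unless $Apply is set to $true. It covers the host firewall only, not the DMZ perimeter firewall.

```powershell
# Added example. Assumptions: run elevated on the KMS server; the ranges below are
# constructed placeholders for the networks your tenant VMs connect from.
$TenantRanges = @('10.10.0.0/16', '10.20.0.0/16')
$Apply        = $false   # $false = audit only, $true = rewrite the rule scope

# Find enabled inbound allow rules that name TCP 1688 (the default KMS port).
# Limitation: rules written with a port range or "Any" are not matched here.
$kmsRules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { @($_.LocalPort) -contains '1688' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }

if (-not $kmsRules) {
    Write-Warning 'No enabled inbound allow rule names TCP 1688 explicitly.'
}

$report = foreach ($rule in $kmsRules) {
    $scope = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    # "Any" means every network that can route to this server can talk to KMS.
    $open = $scope -contains 'Any'
    if ($Apply) {
        # Restrict the rule so only the tenant ranges may connect.
        Set-NetFirewallRule -Name $rule.Name -RemoteAddress $TenantRanges
        $scope = @((Get-NetFirewallRule -Name $rule.Name | Get-NetFirewallAddressFilter).RemoteAddress)
    }
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        WasOpenToAny  = $open
        RemoteAddress = $scope -join ', '
    }
}
$report | Format-Table -AutoSize
```

Afterwards, Test-NetConnection against the KMS address on port 1688 should succeed from a tenant VM and fail from a network outside the tenant ranges.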

When preparing a Windows Server template, run the following command before Sysprep:

slmgr.vbs /skms <KMSserverDNSnameOrIPAddress>

Remember - you don't know which DNS server your tenant will use, so if you specify a DNS name for the KMS server, be sure that it is resolvable by public DNS servers. Otherwise, specify the IP address of the KMS server to be sure that the tenant VM will be able to connect. After that, use the KMS keys for your templates from this page. As an example:

74YFP-3QFB3-KQT8W-PMXWJ-7M648 - for Windows Server 2008 R2 Datacenter
48HP8-DN98B-MYWDG-T2DCC-8W83P - for Windows Server 2012 nonR2 Datacenter

New guest VMs will try to connect to the specified KMS server and activate using it shortly after deployment.

That's all about Windows Server activation for service providers. Remember - if you license your hosts with a Windows Server Datacenter license (which allows unlimited guest virtualization), then there is absolutely no need to install Windows Server Standard on guest VMs.