• Microsoft Kms Keys

KMS and MAK Activation Scenarios for Volume Activation. 22 minutes to readIn this articleUpdated: February 23, 2016Applies To: Windows 10, Windows 8.1, Windows Server 2012 R2The following sections describe key scenarios for KMS and MAK activation. On this page.KMS scenariosKMS can support simple, single-site networks and global networks. The following scenarios show:.The default implementation of KMS.The implementation expanded to support a global network.Default KMS implementation for a single-site networkContoso has 100 Windows 7 Enterprise clients and a mixed set of Windows Vista, Windows Server 2008, and Windows Server 2008 R2 systems. Contoso is a flat domain (Contoso.com).

Microsoft Kms Keys

The DNS server runs Microsoft DNS in its default configuration. This configuration supports DNS dynamic update protocol and DNS record scavenging to remove stale records.Contoso purchases a license agreement that provides a KMS key, which will activate all of its systems. The information technology (IT) administrator installs Contoso’s KMS host key (CSVLK) on two KMS hosts running Windows Server 2008 R2 by using the following command run locally at an elevated command prompt: Slmgr.vbs /ipk The IT administrator then creates a Security Group in Active Directory® Domain Services (AD DS) named KMSHosts. The administrator adds the servers KMS1 and KMS2 to the KMSHosts membership.The host KMS1 is activated against Microsoft via the Internet: Slmgr.vbs /ato. KMS1 automatically publishes its SRV resource records (RRs) to DNS. The IT administrator accesses the DNS server, locates the RR for vlmcs.tcp.contoso.com, and changes its permissions to give KMSHosts Read, Write, and Delete permission to the record.

The host KMS2 is now activated against Microsoft via the Internet: Slmgr.vbs /ato.Finally, the administrator confirms that the KMS host exclusion is enabled in Windows Firewall. The Key Management Service firewall exception needs to be enabled.KMS clients on the Contoso network query DNS and receive the SRV records for both KMS hosts. The clients pick one or the other host and are activated (as soon as the KMS count rises above the threshold). See the section, “Activation Policy Values,” for more information about KMS count requirements. KMS implementation in a complex, global networkContoso has expanded into two domains, east.contoso.com and west.contoso.com.

Network traffic can pass privately between the two networks through a firewalled wide area network (WAN) link. This link has limited bandwidth, so resources (including DNS) are replicated on both sides of the WAN link to reduce traffic when possible.Contoso uses image-based deployment. Its client systems are standardized on Windows Vista, but the Windows Vista systems are being replaced by Windows 7 clients.Users regularly travel geographically, and their network connection changes from one domain to the other. Clients’ IP addressing is provided dynamically by DHCP, including specifying the local DNS host, local gateway address, and so on.To provide activation support for the existing Windows Vista clients and the new Windows 7 clients, Contoso installs four KMS hosts (using its KMS B key). Two KMS hosts are configured in east.contoso.com, and two are configured in west.contoso.com.The IT administrator configures the KMS hosts so that the DNS SRV records drive Windows 7 and Windows Server 2008 R2 clients in the east domain to KMSE1, if available, or to KMSE2. If neither is available, the clients will attempt KMSW1 and, finally, KMSW2. Likewise, DNS in the west domain is configured so that Windows 7 clients in the west domain will prefer contacting KMSW1, then KMSW2 and only when these fail will attempt activation with KMSE1 and KMSE2 on the far side of the WAN link.The IT administrator accomplishes this by making the following configuration changes (see Table 5):.KMSE.

hosts are added to the security group KMSE. This group is given Read, Write, and Delete rights to the record vlmcs.tcp.east.contoso.com.KMSW. hosts are added to the security group KMSW.

This group is given Read, Write, and Delete rights to the record vlmcs.tcp.west.contoso.com.DHCP servers are configured to add east.contoso.com and west.contoso.com to the DNS suffix search list for all clients.Firewalls between east and west domains are configured to allow RPC traffic to the KMS hosts on port 1688.Table 5. KMS Host ConfigurationDescriptionConfigurationHostConfigure east.contoso.com SRV priority and weight so that clients will contact KMSE. hosts if available before trying KMSW. hosts. Traffic will be divided: 75% to the KMS.1 hosts and 25% to the KMS.2 hosts.HKEYLOCALMACHINESOFTWAREMicrosoftWindows NTCurrentVersionSoftwareProtectionPlatform DnsDomainPublishList=KMSE1, 10, 75KMSE2, 10, 25KMSW1, 90, 75KMSW2, 90, 25KMSE1KMSE2Configure west.contoso.com SRV priority and weight so that clients will contact KMSW. hosts if available before trying KMSE.

hosts. Traffic will be divided: 75% to the KMS.1 hosts and 25% to the KMS.2 hosts.HKEYLOCALMACHINESOFTWAREMicrosoftWindows NTCurrentVersionSoftwareProtectionPlatform DnsDomainPublishList=KMSW1, 10, 75KMSW2, 10, 25KMSE1, 90, 75KMSE2, 90, 25KMSW1KMSW2Then, the administrator confirms that the Windows Firewall exceptions are set to allow KMS client traffic and configures client computers, as Table 6 describes.Table 6. KMS Client ConfigurationDescriptionConfigurationDisable KMS host cachingSlmgr /ckhcA customer URL is set to direct users with activation issues to the Contoso help deskHKEYLOCALMACHINESOFTWAREMicrosoftWindows NTCurrentVersionSoftwareProtectionPlatformActivationAlternateURL = client reference computer is KMS activated, then sysprep /generalize is run. The system is shut down and imaged using ImageX from the Windows 7 Windows Automated Installation Kit (Windows AIK). The Windows AIK is available to download at. MAK scenariosThe following sections describe scenarios for MAK activation.

This section involves network and workgroup environments that are typical within large enterprises.In the Core Network environment, all computers are within a common network managed by AD DS. The Secure Zone represents higher-security Core Network computers that have addition firewall protection.The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab. MAK independent activationThe VAMT allows automation of MAK deployment and activation over the network by distributing MAKs from a centralized console. VAMT queries Microsoft activation servers to get the number of remaining activations for a given MAK, then lists the activation status of all MAK-activated systems in the environment.

This count is a snapshot in time, not a real-time count. VAMT version 3.1 is included in the Windows ADK. For more information about VAMT, see, andIn this scenario, the VAMT is deployed in the Core Network environment. The VAMT is installed on a central computer with network access to all client computers. Both the VAMT host and client computers have Internet access. The following instructions describe how to perform independent activation:.Install and launch the VAMT on a networked host computer:.Install the Windows ADK on the host computer.Click Start, and then click VAMT to open the VAMT console.Configure the Windows Management Instrumentation (WMI) firewall exception on target computers.

Ensure that the WMI firewall exception has been enabled for all target computers.Add computers to the computer information list (CIL):.On the VAMT console, click Action, and then click Add Computers to display the Add Computers dialog box.Enter a Computer Group name such as Core Network Group to identify the group of computers you are activating.Click the drop-down list to select a search option. You can search for computers in a workgroup, in an AD DS domain, or by individual computer name or IP address.If you are searching by individual computer name or IP address, enter that information in the text box below the drop-down list.If you are searching a domain or a workgroup, select the domain or workgroup from the additional drop-down list displayed for those options.

Use the Filter by computer name field to search for a specific computer within the domain or workgroup.Click OK.The VAMT queries Active Directory Domain Services (AD DS) via Lightweight Directory Access Protocol (LDAP) and adds the computers it finds to the CIL.Collect status information from the discovered computers:.For the VAMT to perform an action on a computer, it must have current license status data for that computer. Collect status from individual computers by directly selecting one or more computers in the computer list view pane.

NoteTo retrieve the licensing status on the selected computers, the VAMT must have administrative permissions on the remote computers, and WMI must be accessible through Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information about configuring systems for VAMT remote management, see the VAMT help.Add a MAK, and determine its remaining activation count:.Click Options, and then click Manage MAKs to open the Manage MAK Keys dialog box.Click Add to enter a MAK.Enter the MAK, and then click Validate.Once validated, the Edition field is automatically populated.Provide a meaningful description, and then click Add.The MAK is now listed in the Manage MAK Keys dialog box.Click Refresh remaining count to retrieve the number of remaining activations for the listed MAKs from Microsoft. NoteFor the VAMT to discover client computers in a workgroup, the network discovery Windows Firewall exception must be enabled.Collect status from the discovered computers:.For the VAMT to perform an action on a computer, it must have current license status data for that computer. Collect status from individual computers by directly selecting one or more computers in the computer list view pane. To perform operations for an entire group, in the left pane, select the Status Unknown node or the User Defined GroupsIsolated Lab Group node.Right-click the group or the desired computers, and then click Refresh Computer Status.If you are activating computers that require administrator credentials different from the those you are currently using, select Use Alternate Credentials.Click OK.

When prompted, provide the credentials for an account that has local administrative rights on the selected workgroup computers.The VAMT displays the Collecting computer information dialog box while it collects the status of all selected computers. When the process is finished, the refreshed status of each computer appears in the computer list view pane of the VAMT console. NoteTo retrieve the licensing status on the selected computers, the VAMT must have administrative permissions on the remote computers, and WMI must be accessible through Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under UAC.Add a MAK:.Click Options, and then click Manage MAKs to open the Manage MAK Keys dialog box.Click Add to enter a MAK.Enter the MAK, and then click Validate.Once validated, the Edition field is automatically populated.Provide a meaningful description, and then click Add.The MAK is now be listed in the Manage MAK Keys dialog box.Click Exit to close the dialog box. NoteBecause the VAMT is not installed on a computer with Internet access, the Refresh Remaining Count option will not operate. This feature requires Internet access.Install the MAK on the Isolated Lab computers:.Select the Isolated Lab group in the tree view pane.Right-click the selected group, and then click MAK Proxy Activate to display the MAK Proxy Activate dialog box.Select the appropriate MAK from the Install MAK list.Select Install MAK (overwrite existing).If an asterisk (.) appears next to the text for this checkbox, the action will apply only to applicable computers.

For example, a computer installed with a Windows Vista retail edition cannot be activated using a MAK.Clear the Get Confirmation ID from Microsoft check box, because this computer does not have Internet access.Clear the Apply Confirmation ID and Activate check box, because confirmation IDs (CIDs) have not yet been requested.If you are activating computers that require administrator credentials different from the those you are currently using, select Use Alternate Credentials, and then click OK.VAMT displays the Assigning Product Keys dialog box until it completes the requested action. If you selected Use Alternate Credentials, you will be prompted to enter the credentials prior to this dialog box. NoteSelecting the Install MAK (overwrite existing) check box force-installs a MAK on a client computer.

This must be done with care. If the pre-SP1 version of Windows Vista has been installed on the computer for more than 30 days, then its Initial Grace period has expired, and the computer will enter Reduced Functionality Mode (RFM) if activation is not completed successfully before the next logon.

However, you can use MAK proxy activation to recover properly configured computers from RFM as long as the computers are accessible to the VAMT host. RFM only applies to the pre-SP1 version of Windows Vista. Windows Vista with SP1 or later, Windows 7, Windows Server 2008, or Windows Server 2008 R2 will not enter RFM.Save the CIL:In this step, the full CIL is saved on the local (that is, workgroup) VAMT host. NoteSelecting the Exclude any sensitive environment data check box excludes Personally Identifiable Information (PII) from being saved in the CIL. ImportantSaving this file is critical for reimaging scenarios. NoteSelecting the Install MAK (overwrite existing) check box force-installs a MAK.

This must be done with care. If the pre-SP1 version of Windows Vista has been installed for more than 30 days, then its Initial Grace period has expired and it will enter RFM if activation is not completed successfully before the next logon. VAMT can be used to recover properly configured remote computers from RFM as long as they are accessible on the network.

RFM only applies to the pre-SP1 version of Windows Vista. Windows Vista with SP1 or later, Windows 7, Windows Server 2008, and Windows Server 2008 R2 will not enter RFM.VAMT support for KMS activationIn this scenario, the VAMT is used to install and activate KMS client keys on either Core Network or Isolated Lab computers. The procedure described below assumes that the VAMT has been installed and the computers have been added to the CIL. NoteThe MAK is stored in clear text in the Unattend.xml file. During an unattended installation, the file Unattend.xml or AutoUnattend.xml is copied to the%SystemRoot%Panther folder of the target computer.