Feb 10, 2010

Switching operating systems can be an adventure at the best of times. Hardware requirements, user training, and training of support staff are usually top-of-mind during planning. Switching to Windows 7 from Windows XP introduces still more twists, including a new license activation process and new decisions for administrators.

In Windows XP, volume licensed versions of the operating system did not require activation, just a valid license key. However, Windows 7 must be activated by Microsoft within 30 days of first use, just as individually purchased retail instances of its operating systems have been for many years. Furthermore, in most cases they must also be revalidated at regular intervals. I won’t bore you with the rationale behind this (you can find it explained in great detail on the Microsoft website). Suffice it to say that this process is becoming pervasive in Microsoft’s (and other vendors’) products. Users will even have to validate Office 2010 — a first for that application suite.

As a volume licensing customer, you have a couple of choices of activation methodology. Every computer does not necessarily need to connect to Microsoft’s authentication servers to activate, and one size definitely does not fit all.

Here are your choices, and an overview of how it all works.

Microsoft offers two activation methods for customers with volume agreements: Key Management Server (KMS) and Multiple Activation Key (MAK). Microsoft’s default method, and the one it recommends, is KMS, but there are conditions to fulfill before KMS works.

First, you need, yes, a server. Microsoft says the KMS application is sufficiently lightweight to coexist with other services; it does not need a dedicated system. It actually runs on a workstation, but can only activate client OSes in that case. If the network environment has Dynamic Domain Name System (DDNS) and allows computers to publish services automatically, deploying a KMS host can be straightforward, although the admin needs to open a new TCP port (1688) on the firewall if not using the Windows Firewall (it has a configurable KMS exception available).

Next, you need 25 or more Windows 7 volume licensed clients with a Windows marker in the BIOS (ask your OEM if in doubt) or five or more Windows Server 2008 R2 servers. KMS doesn’t even try to activate a single computer until those thresholds are reached. Both physical and virtual machines count towards the threshold.

Clients use anonymous RPCs to commune with the KMS server, sending a single request packet. The server responds with the count of machines requesting activation so far. If that count meets or exceeds the threshold for the client OS, activation occurs. If not, the client queries the server every two hours until it’s activated.

Activation is valid for 180 days, then the client goes through the process again. If the PC (or server) can’t phone home, Houston, you have a problem, and you might need to consider MAK activation. You may also have a challenge if sufficient hardware is changed at one time to make the activated system appear to be a different machine. That will require reactivation, perhaps even a call to convince Microsoft that it is, indeed, the same computer you licensed.

MAK was designed for computers that aren’t continuously connected to a network, or for organizations whose computer count doesn’t meet the KMS thresholds. As its name suggests, it’s a license key that may be used a specific number of times to activate Windows 7 or Server 2008 R2 machines through Microsoft’s hosted activation servers. The MAK count is based on (but does not exactly equal) the customer’s volume license. Unlike KMS activations, MAK activations do not expire.

MAK activations can occur in one of two ways: Each computer can directly connect to Microsoft, or a MAK Proxy can submit requests for multiple machines. The Volume Activation Management Tool (VAMT) lets administrators configure how the activation requests are accumulated and sent, receives and distributes activation codes from Microsoft, and caches the codes so a re-imaged machine can be automatically re-activated. VAMT also enables migrations between MAK and KMS activation.

Totally disconnected computers aren’t hung out to dry, however. Administrators can perform MAK activations over the phone. And for isolated, high-security networks with sufficient computers, Microsoft recommends using a KMS, itself activated by phone, to securely activate machines within that network. Failing that, a local VAMT server can discover the computers using AD DS, computer name, IP address, or membership in a workgroup. It can then use Windows Management Instrumentation (WMI) to install MAK product keys and CIDs and to retrieve status on MAK clients.
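The status retrieval over WMI described above can also be done by hand. The following script is an added example, not part of the original article or of VAMT: it queries the `SoftwareLicensingProduct` WMI class on each named computer and flags machines that are not licensed or whose KMS activation is close to lapsing. It assumes Windows PowerShell with `Get-WmiObject`, administrative rights, and remote WMI access; the 14-day warning threshold is an illustrative choice.

```powershell
# Added example: report Windows activation state on one or more computers via WMI.
# Assumptions: Windows PowerShell (Get-WmiObject), remote WMI allowed, caller is admin.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [int]$WarnDays = 14   # illustrative threshold, not from the article
)

# Application ID that identifies Windows (as opposed to Office) licenses.
$WindowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'

# LicenseStatus values of the SoftwareLicensingProduct class.
$StatusText = @{
    0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'Initial grace period'
    3 = 'Additional grace period'; 4 = 'Non-genuine grace period'
    5 = 'Notification'; 6 = 'Extended grace period'
}

foreach ($computer in $ComputerName) {
    try {
        $products = Get-WmiObject -Class SoftwareLicensingProduct -ComputerName $computer `
            -Filter "ApplicationID = '$WindowsAppId' AND PartialProductKey IS NOT NULL" `
            -ErrorAction Stop
    } catch {
        Write-Warning "$computer : WMI query failed: $($_.Exception.Message)"
        continue
    }

    foreach ($p in $products) {
        # Description names the licensing channel, e.g. VOLUME_KMSCLIENT or VOLUME_MAK.
        $channel = 'Other'
        if ($p.Description -match 'VOLUME_KMSCLIENT') { $channel = 'KMS' }
        elseif ($p.Description -match 'VOLUME_MAK')   { $channel = 'MAK' }

        # GracePeriodRemaining is in minutes; it is 0 for a permanent (MAK) activation.
        $daysLeft = [math]::Round($p.GracePeriodRemaining / 1440, 1)
        $needsAttention = ($p.LicenseStatus -ne 1) -or
                          ($channel -eq 'KMS' -and $daysLeft -lt $WarnDays)

        New-Object PSObject -Property @{
            Computer       = $computer
            Product        = $p.Name
            Channel        = $channel
            Status         = $StatusText[[int]$p.LicenseStatus]
            DaysRemaining  = $daysLeft
            NeedsAttention = $needsAttention
        }
    }
}
```

A KMS client that keeps reaching its host renews well before the 180 days run out, so a low `DaysRemaining` on a KMS machine usually means it has lost contact with the KMS host.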

For test, development, and lab environments, even Microsoft realizes that activation may be an expensive exercise in futility, since systems are regularly built and rebuilt. In these cases, it recommends that, if the machine is to be rebuilt within 120 days (the 30 day grace period can be reset three times without activating), you don’t bother activating.

Microsoft’s TechNet offers a ton of resources and tools to help you manage your Windows 7 volume activation as painlessly as possible.



FM IT Expert Voice is a partnership between Dell and Federated Media.