
Windows 7 : Using Volume Activation (part 2) - Volume Activation Scenarios

1/14/2012 3:53:19 PM

5. Volume Activation Scenarios

Each Volume Activation method is best suited to a particular network configuration. To select the best activation method or methods for the organization, assess the network environment to identify how different groups of computers connect to the network. Connectivity to the corporate network, Internet access, and the number of computers that regularly connect to the corporate network are some of the important characteristics to identify. Most medium-sized to large organizations use a combination of activation methods because of the varied ways their client computers connect to their networks.

KMS is the recommended activation method for computers that are well connected to the organization's core network or that have periodic connectivity, such as computers that are offsite. MAK activation is the recommended activation method for computers that are offsite with limited connectivity or that cannot connect to the core network because of security restrictions. These include computers in lab and development environments that are isolated from the core network.

Table 1 lists common network configurations and the best practice recommendations for each type. Each solution factors in the number of computers and network connectivity of the activation clients.

Table 1. Volume Activation Recommendations by Scenario
NETWORK INFRASTRUCTURE: Core network

  Well-connected LAN

  Most common scenario

RECOMMENDATIONS:

  If total computers > KMS activation threshold:
    • Small (< 100 machines): KMS host = 1
    • Medium (> 100 machines): KMS host ≥ 1
    • Enterprise: KMS host > 1

  If total computers ≤ KMS activation threshold:
    • MAK (by telephone or Internet)
    • MAK Proxy

CONSIDERATIONS:

  • Minimize the number of KMS hosts
  • Each KMS host must consistently maintain a count of total machines > KMS activation threshold
  • KMS hosts are autonomous
  • KMS host is activated by telephone or Internet


NETWORK INFRASTRUCTURE: Isolated network

  Branch office, high-security network segments, perimeter networks

  Well-connected zoned LAN

RECOMMENDATIONS:

  If ports on firewalls can be opened between KMS clients and hosts:
    • Use KMS hosts in core network

  If policy prevents firewall modification:
    • Use local KMS hosts in an isolated network
    • MAK (by telephone or Internet)
    • MAK Proxy

CONSIDERATIONS:

  Firewall configuration
    • RPC over TCP (TCP port 1688)
    • Initiated by the client

  Change management on firewall rule sets


NETWORK INFRASTRUCTURE: Test or development lab

  Isolated network

RECOMMENDATIONS:

  If total computers > KMS activation threshold:
    • KMS host = 1 (per isolated network)

  If total computers ≤ KMS activation threshold:
    • No activation (reset grace period)
    • MAK (by telephone)
    • MAK Proxy performed manually

CONSIDERATIONS:

  • Variable configuration
  • Limited number of computers
  • KMS host and MAK activation through telephone; MAK Proxy performed manually


NETWORK INFRASTRUCTURE: Individual disconnected computer

  No connectivity to the Internet or core network

  Roaming computers that periodically connect to the core network or connect through a virtual private network (VPN)

  Roaming computers with Internet access but no connection to the core network

RECOMMENDATIONS:

  For clients that connect periodically to the core network:
    • Use the KMS hosts in the core network

  For clients that never connect to the core network or have no Internet access:
    • MAK (by telephone)

  For networks that cannot connect to the core network:
    • If total computers > KMS activation threshold:
      • Small: KMS host = 1
      • Medium: KMS host ≥ 1
      • Enterprise: KMS host > 1
    • If total computers ≤ KMS activation threshold, MAK Independent or MAK Proxy performed manually

  For clients that never connect to the core network but have Internet access:
    • MAK (by Internet)

CONSIDERATIONS:

  • Restricted environments or networks that cannot connect to other networks
  • KMS host can be activated and then moved to disconnected network
  • KMS host and MAK activation by telephone; MAK Proxy performed manually

The following sections describe examples of Volume Activation solutions in heterogeneous corporate environments that require more than one activation method. Each scenario has a recommended activation solution, but some environments may have infrastructure or policy requirements that are best suited to a different solution.

5.1. Core Network

A centralized KMS solution is recommended for computers on the core network. This solution is for networks that have well-connected computers on multiple network segments that also have a connection to the Internet. Figure 1 shows a core network with a KMS host. The KMS host publishes the KMS using DDNS. KMS clients query DNS for KMS SRV RRs and activate themselves after contacting the KMS host. The KMS host is activated directly through the Internet.

Figure 1. Core network scenario



Note:

A KMS host can be installed on a VM, but select a VM that is unlikely to be moved to a different host computer. If the virtual KMS host is moved to a different host computer, the operating system detects the change in the underlying hardware and the KMS host must reactivate with Microsoft. KMS hosts can activate with Microsoft up to nine times.
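
Because KMS clients activate against whatever the KMS SRV records in DNS point to, it is worth checking that those records name only the KMS hosts you intend and the expected port. The following PowerShell sketch is an added example, not code from the original text; the SRV name `_vlmcs._tcp`, the domain `corp.example.com`, the host names, and the function name `Test-KmsSrvRecord` are assumptions or placeholders.

```powershell
# Added example (not from the article). Flags SRV answers that would send
# KMS clients somewhere other than an approved KMS host on TCP 1688.
function Test-KmsSrvRecord {
    param(
        [Parameter(Mandatory)] [object[]] $SrvRecord,     # objects with NameTarget, Port, Priority, Weight
        [Parameter(Mandatory)] [string[]] $ApprovedHost,  # FQDNs of the KMS hosts you intend to publish
        [int] $ExpectedPort = 1688                        # KMS port named in the article
    )
    foreach ($r in $SrvRecord) {
        $target = ([string]$r.NameTarget).TrimEnd('.')    # DNS answers may carry a trailing dot
        $issues = @()
        if ($ApprovedHost -notcontains $target) { $issues += 'target not in approved list' }
        if ($r.Port -ne $ExpectedPort)          { $issues += "port $($r.Port) is not $ExpectedPort" }
        [pscustomobject]@{
            Target   = $target
            Port     = $r.Port
            Priority = $r.Priority
            Weight   = $r.Weight
            Status   = if ($issues.Count) { 'REVIEW' } else { 'OK' }
            Issues   = $issues -join '; '
        }
    }
}

# Constructed sample answers (hypothetical names), shaped like Resolve-DnsName SRV output.
$sample = @(
    [pscustomobject]@{ NameTarget = 'kms01.corp.example.com.';   Port = 1688; Priority = 0; Weight = 0 }
    [pscustomobject]@{ NameTarget = 'lab-pc17.corp.example.com'; Port = 1688; Priority = 0; Weight = 0 }
)
Test-KmsSrvRecord -SrvRecord $sample -ApprovedHost 'kms01.corp.example.com' | Format-Table -AutoSize

# Live use from a management host running Windows 8.1 / Server 2012 R2 or later:
# $live = Resolve-DnsName -Name '_vlmcs._tcp.corp.example.com' -Type SRV | Where-Object Type -eq 'SRV'
# Test-KmsSrvRecord -SrvRecord $live -ApprovedHost 'kms01.corp.example.com'
# Test-NetConnection -ComputerName 'kms01.corp.example.com' -Port 1688   # client-initiated TCP check
```

The commented `Test-NetConnection` line, run from a client segment, confirms that the client-initiated TCP 1688 path to the KMS host is open.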


5.2. Isolated Networks

Many organizations have networks that are separated into multiple security zones. Some networks have a high-security zone that is isolated because it has sensitive information, whereas other networks are separated from the core network because they are in a different physical location (branch office locations).

5.2.1. High-Security Zone

High-security zones are network segments separated by a firewall that limits communication to and from other network segments. If the computers in a high-security zone are allowed access to the core network by allowing TCP port 1688 outbound from the high-security zone and an RPC reply inbound, activate computers in the high-security zone by using KMS hosts located in the core network. This way, the number of client computers in the high-security network does not have to meet any KMS activation threshold.

If these firewall exceptions are not authorized and the number of total computers in the high-security zone is sufficient to meet KMS activation thresholds, add a local KMS host to the high-security zone. Then, activate the KMS host in the high-security zone by telephone.

Figure 2 shows an environment with a corporate security policy that does not allow traffic between computers in the high-security zone and the core network. Because the high-security zone has enough computers to meet the KMS activation threshold, the high-security zone has its own local KMS host. The KMS host itself is activated by telephone.

If KMS is not appropriate because there are only a few computers in the high-security zone, MAK Independent activation is recommended. Each computer can be activated independently with Microsoft by telephone.

MAK Proxy activation using VAMT is also possible in this scenario. VAMT can discover client computers by using AD DS, computer name, IP address, or membership in a workgroup. VAMT uses WMI to install MAK product keys and CIDs and to retrieve status on MAK clients. Because this traffic is not allowed through the firewall, there must be a local VAMT host in the high-security zone and another VAMT host in another zone that has Internet access.

Figure 2. High-security network scenario


5.2.2. Branch Office Locations

Figure 3 shows an enterprise network that supports client computers in three branch offices. Site A uses a local KMS host because it has more than 25 client computers, and it does not have secure TCP/IP connectivity to the core network. Site B uses MAK activation because KMS does not support sites with fewer than 25 KMS client computers, and the site is not connected by a secure link to the core network. Site C uses KMS because it is connected to the core network by a secure connection over a private wide area network (WAN), and activation thresholds are met using core network KMS clients.

Figure 3. Branch office scenario


5.3. Individual Disconnected Computers

Some users in an organization may be in remote locations or may travel to many locations. This scenario is common for roaming clients, such as the computers of salespeople or other users who are offsite but not at branch locations. This scenario can also apply to remote branch office locations that have no connection or an intermittent connection to the core network.

Disconnected computers can use KMS or MAK, depending on how often the computers connect to the core network. Use KMS activation for computers that connect to the core network—either directly or through a VPN—at least once every 180 days and when the core network is using KMS activation. Use MAK Independent activation—by telephone or the Internet—for computers that rarely or never connect to the core network. Figure 4 shows disconnected clients using MAK Independent activation through the Internet and also through the telephone.

Figure 4. Disconnected computer scenario


5.4. Test/Development Labs

Lab environments usually have large numbers of VMs, and computers in labs are reconfigured frequently. First, determine whether the computers in test and development labs need activation. The initial 30-day grace period of a computer running Windows 7 or Windows Server 2008 R2 can be reset three times without activating it. Therefore, if you are rebuilding lab computers within 120 days, these computers need not be activated.

If lab computers do require activation, use KMS or MAK activation. Use KMS activation if the computers have connectivity to a core network that is using KMS. If the number of computers in the lab meets the KMS activation threshold, deploy a local KMS host.

In labs that have a high turnover of computers as well as a small number of KMS clients, it is important to monitor the KMS activation count to maintain a sufficient number of cached CMIDs on the KMS host. A KMS host caches activation requests from computers for 30 days. If the lab environment needs activation but does not qualify for KMS activation, use MAK activation. MAK clients are activated by telephone or over the Internet, whichever is available to the lab.
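
The monitoring described above can be modelled ahead of time: given the last request time for each CMID, count the entries still inside the 30-day cache and find the date on which the count would fall below the threshold if no client renewed. This PowerShell sketch is an added example and a simplified model, not code from the original text; the function name `Get-KmsCountForecast`, the input shape, and the sample data are assumptions, and the default threshold of 25 is the client figure used in the branch office scenario.

```powershell
# Added example (not from the article): simplified model of the KMS host's CMID cache.
function Get-KmsCountForecast {
    param(
        [Parameter(Mandatory)] [object[]] $Request,  # objects with Cmid and LastRequest ([datetime])
        [datetime] $AsOf = (Get-Date),
        [int] $Threshold = 25,   # client threshold used in the article's branch office example
        [int] $CacheDays = 30    # cache lifetime stated in the article
    )
    # Keep the most recent request per CMID, then drop entries older than the cache lifetime.
    $live = $Request | Group-Object Cmid | ForEach-Object {
        $_.Group | Sort-Object LastRequest -Descending | Select-Object -First 1
    } | Where-Object { $_.LastRequest -gt $AsOf.AddDays(-$CacheDays) }

    # Expiry time of every cached entry, earliest first.
    $expiries = @($live | ForEach-Object { $_.LastRequest.AddDays($CacheDays) } | Sort-Object)
    $count = $expiries.Count

    # With no renewals, the count drops below the threshold once
    # (count - threshold + 1) entries have expired.
    $belowOn = if ($count -ge $Threshold) { $expiries[$count - $Threshold] } else { $null }

    [pscustomobject]@{
        CurrentCount          = $count
        Threshold             = $Threshold
        DropsBelowThresholdOn = $belowOn   # $null means the count is already below the threshold
    }
}

# Constructed sample: 27 lab clients; 3 were last seen 26-28 days ago, the rest within a week.
$asOf = [datetime]'2012-01-14'
$sample = 1..27 | ForEach-Object {
    $age = if ($_ -le 3) { 25 + $_ } else { $_ % 7 }
    [pscustomobject]@{ Cmid = "cmid-$_"; LastRequest = $asOf.AddDays(-$age) }
}
Get-KmsCountForecast -Request $sample -AsOf $asOf
```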

MAK Proxy activation with VAMT can also be used in this scenario. Install VAMT in the isolated lab network and also in a network that has access to the Internet. In the isolated lab, VAMT performs discovery, obtains status, installs a MAK product key, and obtains the IID of each computer in the lab. This information can then be exported from VAMT and saved to removable media, and the file can be imported to a computer running VAMT that has access to the Internet. VAMT sends the IIDs to Microsoft and obtains the corresponding CIDs needed to complete activation. After exporting this data to removable media, take it to the isolated lab to import the CIDs so that VAMT can complete the activations.


Note:

In High Security mode, VAMT removes all personally identifiable information (PII) from the file that it exports. This file is a readable Extensible Markup Language (XML) file that can be reviewed in any XML or text editor.

6. What If Systems Are Not Activated?

Activation is designed to provide a transparent activation experience for users. If activation does not occur immediately after the operating system is installed, Windows 7 and Windows Server 2008 R2 still provide the full functionality of the operating system for a limited amount of time (a grace period). The length of the grace period is 30 days for Windows 7 and Windows Server 2008 R2. After the grace period expires, both operating systems remind the user through notifications to activate the computer.

6.1. Grace Period

During the initial grace period, there are periodic notifications that the computer requires activation. Computers in this grace period have a set period of time to activate the operating system. Once per day, during the logon process, a notification bubble reminds the user to activate the operating system. This behavior continues until there are three days left in the grace period. For the first two of the final three days of the grace period, the notification bubble appears every four hours. During the final day of the grace period, the notification bubble appears every hour on the hour.

6.2. Grace Period Expiration

After the initial grace period expires or activation fails, Windows 7 continues to notify users that the operating system requires activation. Until the operating system is activated, reminders that the computer must be activated appear in several places throughout the product:

  • Notification dialog boxes appear during logon after users enter their credentials.

  • Notifications appear at the bottom of the screen above the notification area.

  • A persistent desktop notification will be shown on a black desktop background.

  • A reminder might appear when users open certain Windows applications.
