5. Volume Activation Scenarios
Each Volume Activation
method is best suited to a particular network configuration. To select
the best activation method or methods for the organization, assess the
network environment to identify how different groups of computers
connect to the network. Connectivity to the corporate network, Internet
access, and the number of computers that regularly connect to the
corporate network are some of the important characteristics to identify.
Most medium-sized to large organizations use a combination of activation
methods because of the varied ways their client computers connect to
their networks.
KMS is the recommended activation method for computers that are well connected to the organization's core
network or that have periodic connectivity, such as computers that are
offsite. MAK activation is the recommended activation method for
computers that are offsite with limited connectivity or that cannot
connect to the core network because of security restrictions. These
include computers in lab and development environments that are isolated from the core network.
Table 1 lists common network configurations and the best practice recommendations
for each type. Each solution factors in the number of computers and
network connectivity of the activation clients.
Table 1. Volume Activation Recommendations by Scenario

| NETWORK INFRASTRUCTURE | RECOMMENDATIONS | CONSIDERATIONS |
|---|---|---|
| Core network: well-connected LAN (most common scenario) | If total computers > KMS activation threshold: KMS. If total computers ≤ KMS activation threshold: MAK Independent or MAK Proxy performed manually. | Minimize the number of KMS hosts. Each KMS host must consistently maintain a count of total machines > KMS activation threshold. KMS hosts are autonomous. KMS host is activated by telephone or Internet. |
| Isolated network: branch office, high-security network segments, perimeter networks; well-connected zoned LAN | If ports on firewalls can be opened between KMS clients and hosts: KMS, using the core network KMS hosts. If policy prevents firewall modification: a local KMS host when the segment meets the KMS activation threshold, otherwise MAK Independent or MAK Proxy. | Firewall configuration. Change management on firewall rule sets. |
| Test or development lab: isolated network | If total computers > KMS activation threshold: local KMS host. If total computers ≤ KMS activation threshold: MAK Independent or MAK Proxy performed manually. | Variable configuration. Limited number of computers. KMS host and MAK activation through telephone; MAK Proxy performed manually. |
| Individual disconnected computer: no connectivity to the Internet or core network; roaming computers that periodically connect to the core network or connect through a virtual private network (VPN); roaming computers with Internet access but no connection to the core network | For clients that connect periodically to the core network: KMS. For clients that never connect to the core network or have no Internet access: MAK Independent by telephone. For networks that cannot connect to the core network: if total computers > KMS activation threshold, KMS (small: KMS host = 1; medium: KMS host ≥ 1; enterprise: KMS host > 1); if total computers ≤ KMS activation threshold, MAK Independent or MAK Proxy performed manually. For clients that never connect to the core network but have Internet access: MAK Independent over the Internet. | Restricted environments or networks that cannot connect to other networks. KMS host can be activated and then moved to a disconnected network. KMS host and MAK activation by telephone; MAK Proxy performed manually. |
The following sections describe examples of Volume
Activation solutions in heterogeneous corporate environments that
require more than one activation method. Each scenario has a recommended
activation solution, but some environments may have infrastructure or
policy requirements that are best suited to a different solution.
5.1. Core Network
A centralized KMS
solution is recommended for computers on the core network. This solution
is for networks that have well-connected computers on multiple network
segments that also have a connection to the Internet. Figure 1
shows a core network with a KMS host. The KMS host publishes its service
in DNS by using dynamic DNS (DDNS). KMS clients query DNS for the KMS SRV
resource records (RRs) and activate themselves after contacting the KMS
host. The KMS host is activated directly through the Internet.
Note:
A KMS host can be
installed on a VM, but select a VM that is unlikely to be moved to a
different host computer. If the virtual KMS host is moved to a different
host computer, the operating system detects the change in the
underlying hardware and the KMS host must reactivate with Microsoft. KMS
hosts can activate with Microsoft up to nine times.
5.2. Isolated Networks
Many organizations have
networks that are separated into multiple security zones. Some networks
have a high-security zone that is isolated because it has sensitive
information, whereas other networks are separated from the core network
because they are in a different physical location (branch office
locations).
5.2.1. High-Security Zone
High-security zones are network segments separated by
a firewall that limits communication to and from other network
segments. If the computers in a high-security zone are allowed access to
the core network by allowing TCP port 1688 outbound from the
high-security zone and an RPC reply inbound, activate computers in the
high-security zone by using KMS hosts located in the core network. This
way, the number of client computers in the high-security network does
not have to meet any KMS activation threshold.
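The two prerequisites described for core-network KMS (a published KMS SRV record, and TCP port 1688 reachable from the zone) can be verified from a client with the following PowerShell check. It is an added example, not part of the guide; it assumes the DnsClient module (Windows 8 / Windows Server 2012 or later) and uses corp.example as a placeholder domain name.

```powershell
# Added example (not from the Volume Activation guide): discover the KMS hosts
# the way a KMS client does (DNS SRV lookup for _vlmcs._tcp) and test whether
# TCP 1688 to each one is reachable through the firewall from this client.
# Assumes Resolve-DnsName is available; the domain name is a placeholder.
param(
    [string]$Domain = 'corp.example',   # assumed: DNS domain of the core network
    [int]$TimeoutMs = 3000
)

# Resolve the SRV records that KMS clients use for auto-discovery. The answer
# also carries A records for the targets, so keep only the SRV entries.
$srv = Resolve-DnsName -Name "_vlmcs._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }

if (-not $srv) {
    Write-Output "No _vlmcs._tcp SRV records found in $Domain; KMS auto-discovery will fail."
    Write-Output "Check that the KMS host published itself with DDNS or that the record was created manually."
    return
}

foreach ($rec in ($srv | Sort-Object Priority, Weight)) {
    $target = $rec.NameTarget
    $port   = $rec.Port              # normally 1688
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Connect with a timeout so a firewall that silently drops the SYN shows
        # up as UNREACHABLE instead of hanging the script.
        $async = $client.BeginConnect($target, $port, $null, $null)
        $done  = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
        if ($done -and $client.Connected) {
            $client.EndConnect($async)
            Write-Output ("REACHABLE   {0}:{1} (priority {2}, weight {3})" -f $target, $port, $rec.Priority, $rec.Weight)
        } else {
            # Outbound 1688 is blocked or the host is down: this segment cannot
            # use the core-network KMS hosts and needs a local KMS host or MAK.
            Write-Output ("UNREACHABLE {0}:{1} -- check outbound TCP {1} and the RPC reply rule" -f $target, $port)
        }
    } catch {
        Write-Output ("ERROR       {0}:{1} -- {2}" -f $target, $port, $_.Exception.Message)
    } finally {
        $client.Close()
    }
}
```

Run it from a computer inside the high-security zone; a result of UNREACHABLE for every host means the zone falls under the second case below (local KMS host or MAK).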
If these firewall
exceptions are not authorized and the number of total computers in the
high-security zone is sufficient to meet KMS activation thresholds, add a
local KMS host to the high-security zone. Then, activate the KMS host
in the high-security zone by telephone.
Figure 2
shows an environment with a corporate security policy that does not
allow traffic between computers in the high-security zone and the core
network. Because the high-security zone has enough computers to meet the
KMS activation threshold, the high-security zone has its own local KMS
host. The KMS host itself is activated by telephone.
If KMS is not
appropriate because there are only a few computers in the high-security
zone, MAK Independent activation is recommended. Each computer can be
activated independently with Microsoft by telephone.
MAK Proxy activation using VAMT
is also possible in this scenario. VAMT can discover client computers
by using AD DS, computer name, IP address, or membership in a workgroup.
VAMT uses WMI to install MAK product keys and CIDs and to retrieve
status on MAK clients. Because this traffic is not allowed through the
firewall, there must be a local VAMT host in the high-security zone and
another VAMT host in another zone that has Internet access.
5.2.2. Branch Office Locations
Figure 3
shows an enterprise network that supports client computers in three
branch offices. Site A uses a local KMS host because it has more than 25
client computers, and it does not have secure TCP/IP connectivity to
the core network. Site B uses MAK activation because KMS does not
support sites with fewer than 25 KMS client computers, and the site is
not connected by a
secure link to the core network. Site C uses KMS because it is connected
to the core network by a secure connection over a private wide area
network (WAN), and activation thresholds are met using core network KMS
clients.
5.3. Individual Disconnected Computers
Some users in an
organization may be in remote locations or may travel to many locations.
This scenario is common for roaming clients, such as the computers of
salespeople or other users who are offsite but not at branch locations.
This scenario can also apply to remote branch office locations that have
no connection or an intermittent connection to the core network.
Disconnected computers can use
KMS or MAK, depending on how often the computers connect to the core
network. Use KMS activation for computers that connect to the core
network—either directly or through a VPN—at least once every 180 days
and when the core network is using KMS activation. Use MAK Independent
activation—by telephone or the Internet—for computers that rarely or never connect to the core network. Figure 4 shows disconnected clients using MAK Independent activation through the Internet and also through the telephone.
5.4. Test/Development Labs
Lab environments usually
have large numbers of VMs, and computers in labs are reconfigured
frequently. First, determine whether the computers in test and
development labs need activation.
The initial 30-day grace period of a computer running Windows 7 or
Windows Server 2008 R2 can be reset three times without activating it.
Therefore, if you are rebuilding lab computers within 120 days, these
computers need not be activated.
If lab computers do
require activation, use KMS or MAK activation. Use KMS activation if the
computers have connectivity to a core network that is using KMS. If the
number of computers in the lab meets the KMS activation threshold,
deploy a local KMS host.
In labs that have a high
turnover of computers as well as a small number of KMS clients, it is
important to monitor the KMS activation count to maintain a sufficient
number of cached CMIDs on the KMS host. A KMS host caches activation
requests from computers for 30 days. If the lab environment needs activation but does not
qualify for KMS activation, use MAK activation. MAK clients are
activated by telephone or over the Internet, whichever is available to the lab.
MAK Proxy activation with VAMT
can also be used in this scenario. Install VAMT in the isolated lab
network and also in a network that has access to the Internet. In the
isolated lab, VAMT performs discovery, obtains status, installs a MAK
product key, and obtains the IID of each computer in the lab. This
information can then be exported from VAMT, saved to removable media,
and then the file can be imported to a computer running VAMT that has
access to the Internet. VAMT sends the IIDs to Microsoft and obtains the
corresponding CIDs needed to complete activation. After exporting this
data to removable media, take it to the isolated lab to import the CIDs
so that VAMT can complete the activations.
Note:
In High Security mode, VAMT removes all personally
identifiable information (PII) from the file that it exports. This file
is a readable Extensible Markup Language (XML) file that can be
reviewed in any XML or text editor.
6. What If Systems Are Not Activated?
Activation is designed to
provide a transparent activation experience for users. If activation
does not occur immediately after the operating system is installed,
Windows 7 and Windows Server 2008 R2 still provide the full
functionality of the operating system for a limited amount of time (a grace period). The length of the grace
period is 30 days for Windows 7 and Windows Server 2008 R2. After the
grace period expires, both operating systems remind the user through
notifications to activate the computer.
6.1. Grace Period
During the initial grace
period, there are periodic notifications that the computer requires
activation. Computers in this grace period have a set period of time to
activate the operating system. Once per day, during the logon process, a
notification bubble reminds the user to activate the operating system.
This behavior continues until there are three days left in the grace
period. For the first two of the final three days of the grace period,
the notification bubble appears every four hours. During the final day
of the grace period, the notification bubble appears every hour on the
hour.
6.2. Grace Period Expiration
After the initial grace
period expires or activation fails, Windows 7 continues to notify users
that the operating system requires activation. Until the operating
system is activated, reminders that the computer must be activated
appear in several places throughout the product:
Notification dialog boxes appear during logon after users enter their credentials.
Notifications appear at the bottom of the screen above the notification area.
A persistent desktop notification is shown on a black desktop background.
A reminder might appear when users open certain Windows applications.