Review Available Activation Models
Volume Activation provides the following activation models:
Key Management Service (KMS)
Multiple Activation Key (MAK)
The model chosen depends on the size, network infrastructure, connectivity, and security requirements of the organization. IT pros can choose to use only one or a combination of these activation models.
Note Token-based Activation is a specialized activation option available for approved Microsoft Volume Licensing customers. It is designed for use in specific scenarios, where the end systems are completely disconnected from the network or phone. This option enables customers to use public key infrastructure (PKI) and digital certificates (or tokens, typically stored on smart cards) to activate Windows 7 Enterprise and Windows Server 2008 R2 locally without contacting either customer-hosted KMS or the Microsoft-hosted activation service using MAK. For more information about Token-based Activation, contact a Microsoft Account Team or Services Representative.
Key Management Service
KMS activates computers on a local network, eliminating the need for individual computers to connect to Microsoft. To do this, KMS uses a client–server topology. KMS client computers can locate KMS host computers by using Domain Name System (DNS) or a static configuration. KMS clients contact the KMS host by using remote procedure call (RPC). KMS can be hosted on computers that are running the Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2.
Minimum Computer Requirements
When planning for KMS activation, the network must meet or exceed the activation threshold, or the minimum number of qualifying computers that KMS requires. IT pros must also understand how the KMS host tracks the number of computers on the network.
KMS Activation Thresholds
KMS can activate both physical computers and virtual machines. To qualify for KMS activation, a network must have a minimum number of qualifying computers, called the activation threshold. KMS hosts activate clients only after meeting this threshold. To ensure that the activation threshold is met, a KMS host counts the number of computers that are requesting activation on the network.
The KMS client computers are activated after meeting the activation threshold. For computers running Windows Server 2008 or Windows Server 2008 R2, the activation threshold is five. For computers running Windows Vista or Windows 7, the activation threshold is 25. The thresholds include clients and servers that are running on physical computers or virtual machines.
A KMS host responds to each valid activation request from a KMS client with the count of how many computers have contacted the KMS host for activation. Clients that receive a count below their activation threshold are not activated. For example, if the first two computers that contact the KMS host are running Windows 7, the first receives an activation count of 1, and the second receives an activation count of 2. If the next computer is a Windows 7 virtual machine, it receives an activation count of 3, and so on. None of these computers is activated, because computers running Windows 7 must receive an activation count ≥25 to be activated. KMS clients in the grace state that are not activated because the activation count is too low connect to the KMS host every two hours to get the current activation count and will be activated when the threshold is met.
If the next computer that contacts the KMS host is running Windows Server 2008 R2, it receives an activation count of 4, because activation counts are a combination of computers running Windows Server 2008 R2 and Windows 7. If a computer running Windows Server 2008 or Windows Server 2008 R2 receives an activation count that is ≥5, it is activated. If a computer running Windows 7 receives an activation count ≥25, it is activated.
Activation Count Cache
To track the activation threshold, the KMS host keeps a record of the KMS clients that request activation. The KMS host gives each KMS client a client machine identification (CMID) designation, and the KMS host saves each CMID in a table. Each activation request remains in the table for 30 days. When a client renews its activation, the cached CMID is removed from the table, a new record is created, and the 30-day period begins again. If a KMS client does not renew its activation within 30 days, the KMS host removes the corresponding CMID from the table and reduces the activation count by one.
The KMS host caches twice the number of CMIDs that KMS clients require to help ensure that the CMID count does not drop below the activation threshold. For example, on a network with clients that are running Windows 7, the KMS activation threshold is 25. The KMS host caches the CMIDs of the most recent 50 activations. The KMS activation threshold for Windows Server 2008 R2 is five. A KMS host that is contacted only by KMS clients that are running Windows Server 2008 R2 would cache the 10 most recent CMIDs. If a client that is running Windows 7 later contacts that KMS host, KMS increases the cache size to 50 to accommodate the higher threshold. KMS never reduces the cache size.
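The threshold and cache rules in the two sections above, modelled as an added example (this is not Microsoft's code; the CMID values are constructed, and time is counted in whole days so the 30-day expiry can be checked directly):

```python
# Minimal model of a KMS host's activation-count cache (added example).
THRESHOLDS = {"client": 25, "server": 5}   # Vista/7 vs. Server 2008/2008 R2
CMID_LIFETIME_DAYS = 30                    # each cached CMID lives 30 days

class KmsHost:
    def __init__(self):
        self.cache_size = 0    # twice the highest threshold seen; never reduced
        self.cmids = {}        # CMID -> day of its most recent request

    def _expire(self, today):
        # A CMID that was not renewed within 30 days leaves the table,
        # which lowers the activation count by one.
        for cmid, seen in list(self.cmids.items()):
            if today - seen >= CMID_LIFETIME_DAYS:
                del self.cmids[cmid]

    def request(self, cmid, kind, today):
        """Handle one activation or renewal request from a KMS client.
        Returns (activation_count, activated)."""
        self._expire(today)
        # Grow the cache to twice the threshold of the requesting OS family.
        self.cache_size = max(self.cache_size, 2 * THRESHOLDS[kind])
        # A renewal replaces the cached record and restarts its 30-day period.
        self.cmids.pop(cmid, None)
        self.cmids[cmid] = today
        # Keep only the most recent cache_size CMIDs.
        while len(self.cmids) > self.cache_size:
            oldest = min(self.cmids, key=self.cmids.get)
            del self.cmids[oldest]
        count = len(self.cmids)
        return count, count >= THRESHOLDS[kind]
```

Running the walkthrough from the text (two Windows 7 PCs, a Windows 7 VM, then two servers) yields counts 1 to 5, with only the fifth request, a server, activated.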
How KMS Works
KMS activation requires TCP/IP connectivity. By default, KMS hosts and clients use DNS to publish and find the KMS service. The default settings can be used, which require little to no administrative action, or KMS hosts and clients can be manually configured based on network configuration and security requirements.
KMS Activation Renewal
KMS activations are valid for 180 days. This is called the activation validity interval. To remain activated, KMS clients must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every seven days. If KMS activation fails, the client will retry every two hours. After a client’s activation is renewed, the activation validity interval begins again.
Publication of the KMS Service
The KMS service uses service (SRV) resource records (RR) in DNS to store and communicate the locations of KMS hosts. KMS hosts use DNS dynamic update protocol, if available, to publish the KMS SRV RRs. If dynamic update is not available or the KMS host does not have rights to publish the RRs, the DNS records must be published manually, or IT pros must configure client computers to connect to specific KMS hosts.
Note DNS changes may take time to propagate to all DNS hosts, depending on the complexity and topology of the network.
Client Discovery of the KMS Service
By default, KMS clients query DNS for KMS service information. The first time a KMS client queries DNS for KMS service information, it randomly chooses a KMS host from the list of SRV RRs that DNS returns.
The address of a DNS server containing the SRV RRs can be listed as a suffixed entry on KMS clients, which allows advertisement of SRV RRs for KMS in one DNS server and KMS clients with other primary DNS servers to find it.
Priority and weight parameters can be added to the DnsDomainPublishList registry value for KMS. Establishing KMS host priority groupings and weighting within each group allows IT pros to specify which KMS host the clients should try first and balances traffic among multiple KMS hosts. Only Windows 7 and Windows Server 2008 R2 provide the priority and weight parameters.
If the KMS host that a client selects does not respond, the KMS client removes that KMS host from its list of SRV RRs and randomly selects another KMS host from the list. When a KMS host responds, the KMS client caches the name of the KMS host and uses it for subsequent activation and renewal attempts. If the cached KMS host does not respond on a subsequent renewal, the KMS client discovers a new KMS host by querying DNS for KMS SRV RRs.
By default, client computers connect to the KMS host for activation by using anonymous RPCs through TCP port 1688. (IT pros can change the default port.) After establishing a TCP session with the KMS host, the client sends a single request packet. The KMS host responds with the activation count. If the count meets or exceeds the activation threshold for that operating system, the client is activated and the session is closed. The KMS client uses this same process for renewal requests. The communication each way is 250 bytes.
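The client-side discovery and activation flow described above, as an added example that is not part of the guide: a constructed SRV RR list stands in for the DNS answer, host selection follows the RFC 2782 priority/weight rules the DNS section cites, unresponsive hosts are dropped from the list, the responding host is cached for later renewals, and the returned count is compared against the threshold. The `send` callable is an assumption standing in for the RPC request on TCP 1688.

```python
import random

THRESHOLDS = {"client": 25, "server": 5}

# Constructed SRV RRs for _vlmcs._tcp.<domain>: (priority, weight, port, target)
SRV_RRS = [
    (0, 60, 1688, "kms1.example.com"),
    (0, 40, 1688, "kms2.example.com"),
    (10, 0, 1688, "kms3.example.com"),   # lower-priority fallback host
]

def pick_host(rrs, rng=random):
    """RFC 2782: lowest priority group first, weighted random within it."""
    lowest = min(r[0] for r in rrs)
    group = [r for r in rrs if r[0] == lowest]
    total = sum(r[1] for r in group)
    if total == 0:
        return rng.choice(group)
    threshold = rng.randint(0, total)
    running = 0
    for r in sorted(group, key=lambda r: r[1]):   # weight-0 entries first
        running += r[1]
        if running >= threshold:
            return r
    return group[-1]

class KmsClient:
    def __init__(self, kind, query_dns, rng=random):
        self.kind, self.query_dns, self.rng = kind, query_dns, rng
        self.cached_host = None   # set once a KMS host answers

    def _discover(self, send):
        candidates = list(self.query_dns())      # fresh SRV RR list from DNS
        while candidates:
            rr = pick_host(candidates, self.rng)
            count = send(rr[3], rr[2])           # None models "no response"
            if count is not None:
                self.cached_host = rr
                return count
            candidates.remove(rr)                # drop the silent host, try another
        return None

    def activate(self, send):
        """One activation/renewal attempt: 'activated', 'grace' or 'retry'."""
        count = send(self.cached_host[3], self.cached_host[2]) if self.cached_host else None
        if count is None:
            self.cached_host = None              # cached host silent: rediscover
            count = self._discover(send)
        if count is None:
            return "retry"                       # no host answered; retry in two hours
        return "activated" if count >= THRESHOLDS[self.kind] else "grace"
```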
Planning a KMS Deployment
The KMS service does not require a dedicated server. The KMS service can be co-hosted with other services, such as Active Directory® Domain Services (AD DS) domain controllers and read-only domain controllers (RODCs). KMS hosts can also run on physical computers or virtual machines that are running any supported Windows operating system, including Windows Server 2003. Although a KMS host that is running Windows Server 2008 R2 can activate any Windows operating system that supports Volume Activation, a KMS host that is running Windows 7 can activate only computers running Windows 7 and Windows Vista clients. A single KMS host can support unlimited numbers of KMS clients; however, Microsoft recommends deploying a minimum of two KMS hosts for failover. Most organizations can use as few as two KMS hosts for their entire infrastructure.
Note KMS is not automatically included in Windows Server 2003. To host KMS on computers that are running Windows Server 2003, download and install KMS from one of the following sites:
For x86-based computers: Key Management Service 1.2 (x86) for Windows Server 2003 SP1 and Later http://www.microsoft.com/downloads/details.aspx?FamilyID=f3a0d90c-b7fd-44cf-bf81-11587adc599f
For x64-based computers: Key Management Service 1.2 (x64) for Windows Server 2003 SP1 and Later http://www.microsoft.com/downloads/details.aspx?FamilyID=1678151b-b577-476f-87da-df54024b98e2
Planning DNS Server Configuration
The default KMS auto-publishing feature requires SRV RR and DNS dynamic update protocol support. KMS client default behavior and KMS SRV RR publishing are supported on a DNS server that is running Microsoft software or any other DNS server that supports SRV RRs (per Internet Engineering Task Force [IETF] Request for Comments [RFC] 2782) and dynamic updates (per RFC 2136). For example, Berkeley Internet Name Domain (BIND) versions 8.x and 9.x support both SRV records and dynamic update.
The KMS host must be configured so that it has the credentials needed to create and update SRV, A (Internet Protocol version 4, or IPv4), and AAAA (Internet Protocol version 6, or IPv6) RRs on the DNS servers, or the records need to be created manually. The recommended solution for giving the KMS host the needed credentials is to create a security group in AD DS, and then add all KMS hosts to that group. In a DNS server that is running Microsoft software, ensure that this security group is given full control over the _VLMCS._TCP record on each DNS domain that will contain the KMS SRV RRs.
Activating the First KMS Host
KMS hosts on the network need to install a KMS key, and then be activated with Microsoft. Installation of a KMS key enables the Key Management Service on the KMS host. After installing the KMS key, complete the activation of the KMS host by telephone or online. Beyond this initial activation, a KMS host does not communicate any information to Microsoft.
KMS keys are only installed on KMS hosts, never on individual KMS clients. Windows 7 and Windows Server 2008 R2 have safeguards to help prevent inadvertently installing KMS keys on KMS client computers. Any time users try to install a KMS key, they see the warning shown in Figure 1.
Figure 1 Installing a KMS key
Activating Subsequent KMS Hosts
Each KMS key can be installed on up to six KMS hosts, which can be physical computers or virtual machines. After activating a KMS host, the same host can be reactivated up to nine more times with the same key.
If the organization needs more than six KMS hosts, IT pros can request additional activations for the organization’s KMS key by calling the Activation Call Center to request an exception. For more information, see the Volume Licensing Web site at http://go.microsoft.com/fwlink/?LinkID=73076.
Upgrading Existing KMS Hosts
KMS hosts that are running Windows Server 2003, Windows Vista, or Windows Server 2008 can be configured to support KMS clients that are running Windows 7 and Windows Server 2008 R2. For Windows Vista and Windows Server 2008, it is necessary to update the KMS host with a package with files that support the expanded KMS client. This package is available through the Microsoft Download Center at http://www.microsoft.com/downloads. Once the package is installed on the KMS host, a KMS key that is designed to support Windows 7 and Windows Server 2008 R2 can be installed and activated as described earlier in this guide. The KMS key that supports the new versions of the Windows operating systems also provides support for the previous Volume License editions of Windows that are acting as KMS clients.
In the case of updating a Windows Server 2003 KMS host, all necessary files are contained within the KMS 1.2 downloadable package, which is available through the Microsoft Download Center at http://www.microsoft.com/downloads.
Planning KMS Clients
By default, computers that are running Volume License editions of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 are KMS clients, and no additional configuration is needed. KMS clients can locate a KMS host automatically by querying DNS for SRV RRs that publish the KMS service. If the network environment does not use SRV RRs, a KMS client can be manually configured to use a specific KMS host.
To manually configure KMS clients, follow the steps in the Volume Activation Deployment Guide.
Activating as a Standard User
Windows 7 and Windows Server 2008 R2 do not require administrator privileges for activation. However, this change does not allow standard user accounts to remove Windows 7 or Windows Server 2008 R2 from the activated state. An administrator account is still required for other activation- or license-related tasks, such as “rearm.”
Multiple Activation Key
A MAK is used for one-time activation with Microsoft’s hosted activation services. Each MAK has a predetermined number of allowed activations; this number is based on Volume Licensing agreements and does not match the organization’s exact license count. Each activation using a MAK with Microsoft’s hosted activation service counts toward the activation limit.
There are two ways to activate computers by using a MAK:
MAK Independent activation. Each computer independently connects to and is activated with Microsoft, over the Internet or by telephone. MAK Independent activation is best suited for computers within an organization that do not maintain a connection to the corporate network.
MAK Proxy activation. MAK Proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. MAK Proxy activation is configured using the Volume Activation Management Tool (VAMT). MAK Proxy activation is appropriate for environments in which security concerns may restrict direct access to the Internet or the corporate network. It is also suited for development and test labs that lack this connectivity.
MAK is recommended for computers that rarely or never connect to the corporate network and for environments in which the number of computers needing activation does not meet the KMS activation threshold. MAK can be used for individual computers or with an image that can be duplicated or installed by using Microsoft deployment solutions. MAK can also be used on a computer that was originally configured to use KMS activation. This is useful for moving a computer off the core network to a disconnected environment.
Volume Activation Management Tool
Included in the Windows Automated Installation Kit (Windows AIK), VAMT is a stand-alone application that collects activation requests from several computers, and then sends them to Microsoft in bulk. VAMT allows IT pros to specify a group of computers to activate using AD DS, workgroup names, IP addresses, or computer names. After receiving the activation confirmation codes, VAMT distributes them to the computers that requested activation. Because VAMT also stores these confirmation codes locally, it can reactivate a previously activated computer after it is reimaged without contacting Microsoft. Additionally, VAMT can be used to easily transition computers between MAK and KMS activation methods.
Download the Windows Automated Installation Kit (AIK) for Windows 7 RC (http://go.microsoft.com/fwlink/?LinkId=136976) from the Microsoft Download Center.
MAK Independent activation installs a MAK product key on a client computer. The key instructs that computer to activate with Microsoft servers over the Internet. In MAK Proxy activation, VAMT installs a MAK product key on a client computer, obtains the installation ID (IID) from the target computer, sends the IID to Microsoft on behalf of the client, and obtains a confirmation ID (CID). The tool then activates the client by installing the CID.