Tarun Wadhawan's diary

Tarun Wadhawan

Microsoft Key management Server (KMS) reporting / inventory best practices


Quite often we all face the challenge of tracking licenses within an organization, department or group. If you are using Windows-based hosts, one of the best options is to implement Microsoft’s Key Management Server (KMS).

There are many great articles on the internet covering the technical steps to install KMS, so in this article I am focusing on the challenges of getting reports out of a KMS server. For those who don’t know, an out-of-the-box installation of KMS does not provide much insight into what was activated or who activated it, so there is always a need to track license consumption so that managers can plan and take informed decisions.

It is also worth mentioning that if a license tracking architecture is well planned and deployed in an organization, it can cover a whole range of needs, from

  • license tracking (retail and volume) to
  • an inventory of the assets deployed in the organization

A typical Microsoft KMS sits on a Windows-based host (physical or a VM). KMS operates in a client-server model where the KMS HOST is your KMS server itself and the KMS CLIENT is the node you are going to activate using the KMS server.

Once KMS is installed, it needs to be configured using your enterprise KMS key and activated online or through phone support with Microsoft to collect the CSVLK. CSVLK stands for Customer service volume licensing key, which is activated using phone activation with Microsoft.

Once your KMS is installed and configured, the configuration can be easily checked using the below switch at a DOS prompt:

C:\>slmgr.vbs /dlv

Upon return you should see the below window.

KMS Confirmation. NOTE: The image is from the official TechNet article.

As you can see, the self-explanatory window shows the various parts of your KMS configuration. At this point I am assuming that you have an operational KMS configured with your key or CSVLK.

The final step should be to contact your AD administrator to create SRV records on the DNS so that your KMS correctly resolves.

HOW CLIENTS CONNECT

In most cases Windows-based clients that use volume license editions, such as Windows Vista, 7, 2K8 or 2K8R2, are KMS clients and should be able to find your KMS via the SRV records published in your DNS.

It is important to note that KMS will only start activating its clients once the minimum threshold is met. For example, the minimum threshold for Windows 7 clients is 25, i.e. until 25 clients have tried contacting KMS for activation it will simply queue requests. Just FYI, the threshold for Windows Server is 5.
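The SRV lookup that clients perform can be audited from an admin workstation. The following is an added example, not part of the original post: it resolves the KMS SRV name (`_vlmcs._tcp`, the record KMS clients query), flags any advertised host that is not on your approved list, and tests whether each host answers on the advertised port. The domain and host names are taken from the ABC example later in this post and are placeholders; `Resolve-DnsName` and `Test-NetConnection` assume Windows 8.1 / Server 2012 R2 or later on the machine running the check.

```powershell
# Added example: audit which KMS hosts DNS advertises and whether they answer.
# Assumption: $Domain and $ApprovedHosts are placeholders for your environment.
param(
    [string]$Domain = 'abc.com',
    [string[]]$ApprovedHosts = @('abc-kms-1.abc.com')
)

function Get-KmsSrvAudit {
    param([string]$Domain, [string[]]$ApprovedHosts)

    # KMS clients auto-discover their host through this SRV name.
    $srvName = "_vlmcs._tcp.$Domain"
    $records = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }   # drop A records from the additional section

    foreach ($r in $records) {
        $target = $r.NameTarget.TrimEnd('.')
        # TCP connect test against the port the record advertises (1688 by default).
        $reach = Test-NetConnection -ComputerName $target -Port $r.Port `
            -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target    = $target
            Port      = $r.Port
            Priority  = $r.Priority
            Weight    = $r.Weight
            Approved  = $ApprovedHosts -contains $target   # case-insensitive match
            Reachable = $reach.TcpTestSucceeded
        }
    }
}

Get-KmsSrvAudit -Domain $Domain -ApprovedHosts $ApprovedHosts |
    Sort-Object Priority, Target |
    Format-Table -AutoSize
```

A row with `Approved = False` means a machine other than your intended KMS host is published in DNS and clients may try to activate against it; a row with `Reachable = False` points at a firewall or service problem on the host.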

REPORTING

Once the above is achieved, the important question from a manager’s standpoint is how many clients have been activated using KMS.

As mentioned above, a standard KMS install does not provide much helpful insight; however, this can be achieved by wrapping your KMS installation with the Microsoft Volume Activation Management Tool (VAMT). VAMT is available as a download from Microsoft.

Some of the core benefits of using a VAMT are

  • To protect product keys by retaining them only in the VAMT console, vs. including a key in an image or distributing it in plain text (traditional way)
  • Perform activations without each system having to connect and activate with Microsoft activation services
  • Inventory and monitor systems in the environment from an activation and licensing standpoint

Once installed, VAMT looks like the following image

VAMT

The leftmost pane shows your nodes grouped by licensing classification, e.g. licensed, un-managed, unknown etc. The middle pane gives you the ability to perform a search based on IP, NetBIOS name or domain, and the rightmost pane gives you the option to save the searched list or to update the licensing configuration of a searched item. Please note that a node in the VAMT context is called a configuration ID (CID).

A real world example

Organization ABC is going to purchase 1000 computers for their new division based in Connecticut. Their IT infrastructure looks like the following

DOMAIN : ABC

KMS : ABC-KMS-1

DNS : NS1.ABS.COM

AD : DC1.ABC.COM

All 1000 new computers will use the corporate image (Windows 7 volume licensing edition) and will be part of the sub domain CON in the AD.

Assuming all 1000 computers are on the LAN, a VAMT administrator will do the following

1. Open the VAMT snap-in

2. From the middle pane select “Search for computers in the AD” and filter it on CON.ABC.COM (Fig below)

VAMT-Search

3. Click Add

Once done VAMT will search for all the nodes in the container CON hosted on the primary container ABC of your Active Directory and add the records under All Products in the left pane.

Any single node, or all of them (CTRL+A), can be selected from the list; then select the option “Update status” from the right pane. This gives you 2 options as below

  • Existing credentials
  • New Credentials

In order to update the licensing status VAMT will use RPC to the remote computer, and for that, an account with sufficient privileges is required. Select the option best suited for you.

It is important to note that for VAMT to connect to a client and process a WMI request, you will need to add the following firewall exception to your master computer image or deploy it through Group Policy

  1. Open Control Panel and double-click Windows Firewall.
  2. Click Allow a program or feature through Windows Firewall.
  3. Click Change Settings.
  4. Select the Windows Management Instrumentation (WMI) checkbox. This may be called “Remote Administration” in the firewall dialog.
  5. Click OK.

WMI
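Once the WMI exception is in place, the same remote path VAMT relies on can be used to pull activation state directly. The following is an added example, not part of the original post: it queries the `SoftwareLicensingProduct` WMI class on a list of computers and produces a per-machine report plus a summary by status. The computer names and the CSV path are placeholders; it assumes Windows PowerShell 3.0 or later and an account with administrative rights on the targets. `Get-WmiObject` is used on purpose because it travels over RPC/DCOM, which is the path the firewall exception above opens.

```powershell
# Added example: read activation state over WMI (RPC/DCOM), as VAMT does.
# Assumption: computer names and output path are placeholders.
$LicenseStatusText = @{
    0 = 'Unlicensed';      1 = 'Licensed';     2 = 'OOBGrace'; 3 = 'OOTGrace'
    4 = 'NonGenuineGrace'; 5 = 'Notification'; 6 = 'ExtendedGrace'
}

function New-StatusRow {
    param($Computer, $Product, $Channel, $Status, $KeySuffix, $GraceMinutes, $Failure)
    [pscustomobject]@{
        Computer = $Computer; Product = $Product; Channel = $Channel
        Status = $Status; KeySuffix = $KeySuffix
        GraceMinutes = $GraceMinutes; Failure = $Failure
    }
}

function Get-ActivationStatus {
    param([string[]]$ComputerName)

    foreach ($c in $ComputerName) {
        try {
            # Only products that have a key installed; skips unused SKUs.
            $products = Get-WmiObject -Class SoftwareLicensingProduct -ComputerName $c `
                -Filter 'PartialProductKey IS NOT NULL' -ErrorAction Stop
            foreach ($p in $products) {
                New-StatusRow $c $p.Name $p.Description `
                    $LicenseStatusText[[int]$p.LicenseStatus] `
                    $p.PartialProductKey $p.GracePeriodRemaining $null
            }
        } catch {
            # Keep unreachable machines in the report instead of dropping them:
            # "RPC server is unavailable" points at the firewall, "Access is denied" at privileges.
            New-StatusRow $c $null $null 'Unknown' $null $null $_.Exception.Message
        }
    }
}

$report = Get-ActivationStatus -ComputerName 'CON-PC-001', 'CON-PC-002'
$report | Export-Csv -Path .\activation-report.csv -NoTypeInformation
$report | Group-Object Status | Select-Object Name, Count
```

If the firewall exception is pushed by Group Policy, limiting the rule's remote address scope to the VAMT host keeps WMI closed to the rest of the LAN.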

Written by binaryconcepts

October 8, 2013 at 7:40 pm

Hyper-V Server Installation and Configuration.

After extensive research of at least 2 working weeks, here I am writing this post after successfully installing a Windows Hyper-V server.

Some prerequisites

  • Make sure you have x64 server hardware
  • and that the hardware supports hardware virtualization

INSTALL

Once checked, download the Hyper-V server (it’s free) from http://www.microsoft.com/hyper-v-server/en/us/how-to-get.aspx

Burn the CD or DVD; you will need it later. For my testing lab I was using an HP ProLiant server, which comes with a support CD to install a new OS. Insert the server installation CD from the hardware manufacturer and choose Windows 2008 x64 and then Hyper-V Server.

Fill in the blanks, choose your partition size, and at some point you will be asked to insert the Hyper-V CD / DVD and finish the installation process. As Hyper-V is not an operating system and only sits on the hardware layer, there is no GUI. :(( On first login what you get is a (classic) DOS command window and another one with a series of options such as change NetBIOS name, add DNS or join a domain.

If you already have a NIC connected, set the IP and DNS and use option no 6 on the Hyper-V server to download all the updates and patches, if available. Option no 7 is for setting automatic updates; be careful, this will download and install every night, which also means restarting any VMs that are running.

It is important to note that if you are deploying this server in an existing network environment, it is advisable to join the server to the domain by selecting option no 1. You will be prompted for a user name / password, followed by a restart.

For the purpose of my lab environment I have used a domain environment with a Windows 2000 DC installed. After restarting the machine, log in using your domain account.

At this point your Hyper-V server is ready to roll.

MANAGE

In order to manage the Hyper-V server, all you have is Hyper-V Manager run from another console or desktop. I am using my laptop with Windows 7 Enterprise.

The first thing is to download the Windows 7 Hyper-V Manager. You can get it from here: http://www.microsoft.com/downloads/en/details.aspx?familyid=88208468-0AD6-47DE-8580-085CBA42C0C2&displaylang=en

The second thing is to perform some configuration on the Hyper-V server itself for remote management. Follow the below steps.

  • add the Hyper-V server to the domain
  • on the Hyper-V console type: netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes
  • press Enter and make sure you receive a success message with 4 rules OK
  • then add the domain user you are using to manage this server, i.e. the domain account you are using to connect to this server. For my testing I logged on to the Hyper-V server and my laptop using the same domain user. Type this command and press Enter, making sure to change the last part to your own domain details: net localgroup "Distributed COM Users" /add TWINKLE\tarun
  • one last setting is to enable the remote desktop option on the Hyper-V server, which you can enable by selecting the option on the DOS prompt of the Hyper-V server.
  • Restart the server.

Hyper V Manager (PRE-CONFIG)

I am assuming that you are logged into the domain on both the Hyper-V server and your management station using the same domain account. I am also assuming that you are using Windows 7 as the management station. I guess Windows Vista is just the same.

  • Inside Control Panel --> System and Security --> Administrative Tools, select the 2nd option, i.e. Computer Management. This will open up the local Computer Management window.
  • From the left pane select your local computer, right click, then select Connect to remote computer and type in the IP of your Hyper-V server
  • Once the details are loaded, select WMI Control under Services and Applications.
  • Right click WMI Control, select Properties and choose the Security tab.
  • Inside the Security tab, expand Root, select CIMV2 and press the Security button. Add the domain user we have used to log on to the Hyper-V server and the management station. After adding the user, and whilst inside the same window, press the Advanced button to edit the user permissions and make the below 3 changes

In the “Apply to:” drop-down, select “This namespace and subnamespaces”

In the Allow column, select Remote Enable

Check “Apply these permissions to objects and/or containers within this container only”

  • Close the permission window and repeat the same step to enable permissions for Virtualization under the Security tab of WMI Control.
  • Then finally map a drive to the Hyper-V server. You can do this at the DOS prompt of the management computer by typing: net use * \\TWINLE\C$
  • Then from the management station go to Start --> Run --> azman.msc, right click the authorization store, and choose your newly mapped drive to the Hyper-V server
  • Select the folder ProgramData (it’s hidden by default, so just type the name and open) --> Microsoft --> Windows --> Hyper V --> InitialStore.xml
  • The authorization store from the Hyper-V server should now be loaded. Select the last option under Hyper V Services --> Role assignment --> Administrator
  • Right click anywhere in the right pane, select the domain user we used to log into the Hyper-V server and the management station, and add it.

Voila 🙂 Reboot your Hyper V Server and connect using Hyper V manager from your management station.
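Before opening Hyper-V Manager it helps to confirm that the remote WMI permissions from the steps above actually took effect, and to see which step failed if they did not. The following is an added example, not part of the original post: it runs one remote query against each of the two namespaces configured above and classifies the failure. The host name is a placeholder; it assumes Windows PowerShell 3.0 or later on the management station and a Hyper-V Server release of the same generation as this post, where the virtualization classes live in `root\virtualization` (later releases moved them to `root\virtualization\v2`).

```powershell
# Added example: verify remote WMI access to the namespaces configured above.
# Assumption: 'HYPERV01' is a placeholder for your Hyper-V server's name or IP.
function Test-HyperVWmiAccess {
    param([string]$HyperVHost)

    $checks = @(
        @{ Namespace = 'root\cimv2';          Class = 'Win32_OperatingSystem' },
        @{ Namespace = 'root\virtualization'; Class = 'Msvm_ComputerSystem' }
    )

    foreach ($chk in $checks) {
        $result = 'OK'
        try {
            Get-WmiObject -ComputerName $HyperVHost -Namespace $chk.Namespace `
                -Class $chk.Class -ErrorAction Stop | Out-Null
        } catch {
            $e = $_.Exception
            $result = if ($e -is [System.UnauthorizedAccessException]) {
                # DCOM group membership or namespace "Remote Enable" is missing.
                'Access denied: check Distributed COM Users and namespace security'
            } elseif ($e -is [System.Runtime.InteropServices.COMException]) {
                # Typically "The RPC server is unavailable".
                'Unreachable: check the WMI firewall rule group on the server'
            } else {
                $e.Message
            }
        }
        [pscustomobject]@{
            Host      = $HyperVHost
            Namespace = $chk.Namespace
            Result    = $result
        }
    }
}

Test-HyperVWmiAccess -HyperVHost 'HYPERV01' | Format-Table -AutoSize
```

Run it as the same domain user that was granted the permissions; both rows should read `OK` before Hyper-V Manager will connect.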

PS: Hope this post is helpful to you all. Please post your comments and suggestions and I will try to help as we go.

Written by binaryconcepts

October 21, 2010 at 11:24 pm
