New features in Active Directory Domain Services in Windows Server 2012, Part 16: Active Directory-based Activation
Windows Genuine Advantage and Windows Activation have been haunting admins trying to make their legally purchased volume licenses seamlessly work for them for years.
About volume activation
While Windows XP volume activation was straightforward, Microsoft felt its volume license product keys were misused in less legal situations; according to the Volume Activation 2.0 FAQ available here, "Volume License keys represent the majority of keys involved in Windows piracy". Back then, Windows XP volume license keys did not require activation by Microsoft-owned servers.
With Windows Vista, Microsoft introduced Volume Activation 2.0. Within this program, Microsoft made every customer either check every product key with Microsoft’s hosted activation services (Multiple Activation Keys) or make a KMS host report on product key usage for an entire organization.
Key Management Services (KMS) is an on-premises server-client model for volume activation. KMS clients use DNS to find KMS hosts and communicate with them using TCP port 1688 (by default). The choice of KMS host Operating System and the (un)availability of KMS host Windows Updates determine the Windows, Windows Server and/or Office activation possibilities.
In some environments end users were faced with warnings of unlicensed software usage due to inactivity (a KMS client needs to connect to the KMS every 180 days). In other environments the initial activation count to use KMS was not reached or hosts in perimeter networks (DMZs) and/or isolated networks were not allowed to contact the KMS host(s). In both these environments admins had to resort to using MAKs.
Multiple Activation Keys (MAKs) are used for one-time activations with Microsoft. Each Multiple Activation Key an admin can punch in has a predetermined number of allowed activations. This number is based on the volume licensing agreement. Each activation using a MAK with Microsoft’s hosted activation service counts towards the activation limit.
There are two ways to activate computers using MAK: MAK Independent and MAK Proxy activation. MAK Independent activation requires that each computer independently connect and activate with Microsoft, either over the Internet or by telephone. MAK Proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. MAK Proxies are useful for environments that do not maintain a (transparent) connection to the Internet. MAK Proxy activation is configured using the Volume Activation Management Tool (VAMT).
The Volume Activation Management Tool (VAMT) is a free tool that admins can download and use to centrally alter the volume activation method and product key for clients.
Windows Server 2012 introduces the concept of Active Directory-based Activation.
Automatic activation with domain membership
In environments with Active Directory-based Activation configured, when you join a Windows computer to an Active Directory domain, the Windows and/or Office installations on that computer will automatically activate. Activation is valid for 180 days. During this time the client should communicate with a Domain Controller at least once to renew the activation period.
When you remove a computer from the domain, the Windows and/or Office installations immediately get deactivated.
No activation threshold
Where KMS requires 25 (physical) Windows installations or 5 Windows Server installations to begin centrally activating, Active Directory-based Activation does not have a minimum number of clients or servers to activate.
No host maintenance needed anymore
Although KMS is the preferred volume activation method in environments with more than 25 (physical) clients or five servers, one of the downsides of KMS is the necessity for a KMS host. While the KMS host can coexist with any other Server Role, it adds extra management tasks.
With Active Directory-based Activation no single physical computer is required to act as the activation object, because the activation information is stored in the ms-SPP-Activation object in Active Directory.
Automatic high availability and failover
Since Active Directory-based Activation uses Active Directory Domain Controllers for client-server activation communications, each (R/W) Domain Controller is an available activation host. As an admin you no longer need to manually configure secondary KMS Host DNS records (only the first KMS Host registers the DNS records).
No more dedicated KMS Port
Where KMS used TCP port 1688 (by default) for client-server communication, Active Directory-based Activation uses commonly used Active Directory client-server communication ports.
Works together with KMS
Environments with Active Directory-based Activation are not limited to using only Active Directory-based Activation to activate Windows, Windows Server and/or Office installations. KMS can still be used on the same network. This is useful to activate previous versions of Windows, Windows Server and/or Office that do not support Active Directory-based Activation.
Windows 8 and Windows Server 2012 installations will first try to activate through Active Directory-based Activation (act-type 1). When unsuccessful, these installations will try to activate through Key Management Services (act-type 2) and, when unsuccessful again, will try token-based activation (act-type 3).
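To confirm which of these three paths a given client actually took, the licensing service can be queried locally. This is an added example, not code from the original post; it assumes PowerShell 3.0 on Windows 8 or Windows Server 2012 and reads the `SoftwareLicensingProduct` WMI class, and the function name is hypothetical.

```powershell
# Added example: report how each keyed product on this machine was last activated.
function Get-VolumeActivationPath {
    # Values match the act-type numbers used in the text above
    $typeName = @{ 1 = 'Active Directory'; 2 = 'KMS'; 3 = 'Token' }

    # Only products that have a product key installed are relevant
    Get-CimInstance -ClassName SoftwareLicensingProduct `
                    -Filter 'PartialProductKey IS NOT NULL' |
        ForEach-Object {
            $last = [int]$_.VLActivationType          # type used at last successful activation
            $pin  = [int]$_.VLActivationTypeEnabled   # 0 = no restriction configured
            [pscustomobject]@{
                Product          = $_.Name
                Licensed         = ($_.LicenseStatus -eq 1)
                LastActivatedVia = if ($typeName.ContainsKey($last)) { $typeName[$last] } else { 'None' }
                RestrictedTo     = if ($typeName.ContainsKey($pin))  { $typeName[$pin] }  else { 'Any' }
                ActivationObject = $_.ADActivationObjectDN
                DaysRemaining    = [math]::Floor($_.GracePeriodRemaining / 1440)  # value is in minutes
            }
        }
}

# Flag products that did not activate through Active Directory,
# or that are close to the end of the 180-day validity period.
Get-VolumeActivationPath |
    Where-Object { $_.LastActivatedVia -ne 'Active Directory' -or $_.DaysRemaining -lt 30 } |
    Format-Table -AutoSize
```

The 30-day threshold is an arbitrary choice for the example; a client that falls back to KMS on a network where only Active Directory-based Activation is expected is worth a closer look.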
Enabling AD-based Activation
Installing AD-based Activation
Installing Active Directory-based Activation requires installing the Volume Activation Services Server role. This can be done in two ways:
Using Server Manager
To install the Volume Activation Services role using Server Manager perform the following steps:
- In Server Manager click on Manage in the top right.
- Click Add Roles and Features.
- Select Role-based or Feature-based installation in the Select installation type screen. Click Next >.
- Select a server to install the Volume Activation Services on from the server pool in the Select destination server screen. Click Next >.
- In the Select server roles screen, select Volume Activation Services.
- A pop-up appears with a selection of features that are required to manage the Windows Activation Services role. Click Add Features.
- In the Select server roles screen click Next >.
- In the Select features screen click Next >.
- Read the notes in the Volume Activation Services screen and click Next > when done.
- On the Confirm installation selections page, confirm that the information is correct, then click Install.
Alternatively, to install the Volume Activation Services role using PowerShell, run the following one-liner:
Install-WindowsFeature VolumeActivation -IncludeManagementTools
Configuring AD-based Activation
To configure Volume Activation Services, log on as an enterprise admin to the server on which you installed the Volume Activation Services Role. Then perform the following steps:
- Open Server Manager.
- Click on Tools in the upper right corner and then click Volume Activation Tools.
- In the Introduction to Volume Activation Services screen, click Next >.
- In the Select Volume Activation Method screen, select Active Directory-based Activation. Click Next >.
- Enter the KMS Host product key in the Manage Activation Objects screen. Optionally, specify a name for the Active Directory activation object. Click Next > when done.
- Choose to activate the key online or by phone in the Activate Product screen, and then click Commit.
- A pop-up appears, mentioning an Active Directory-based Activation object will be created. Click Yes.
- In the Activation Succeeded screen click Close.
This will create an activation object underneath CN=Activation Objects,CN=Microsoft SPP,CN=Services,CN=Configuration,DC=domain,DC=tld, which can be viewed using ldp.exe.
After replication of the object and its attributes, Windows client installations, Office installations and Windows Server installations, covered by the KMS Host product key and configured with their corresponding setup keys, will activate automatically.
Volume License (VL) downloads for Windows and Windows Server are automatically configured with their corresponding setup keys and thus require no changes for automatic activation by KMS or Active Directory-based Activation.
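Because every supported domain member trusts whatever sits in that container, it is worth checking which activation objects exist and who can change them. The following is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module (RSAT) and read access to the configuration partition, and both function names are hypothetical.

```powershell
# Added example: list activation objects and the principals allowed to modify them.
Import-Module ActiveDirectory

function Get-AdbaActivationObject {
    # The container lives in the forest-wide configuration partition
    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $container = "CN=Activation Objects,CN=Microsoft SPP,CN=Services,$configNC"

    Get-ADObject -SearchBase $container -SearchScope OneLevel `
        -LDAPFilter '(objectClass=msSPP-ActivationObject)' `
        -Properties 'msSPP-CSVLKPartialProductKey', 'whenCreated', 'whenChanged'
}

function Get-AdbaObjectWriter {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # Rights that let a principal change, replace or delete the object
    $risky = 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner|Delete'

    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       "$($_.ActiveDirectoryRights)" -match $risky } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

foreach ($ao in Get-AdbaActivationObject) {
    # Only the partial product key is shown, as slmgr.vbs does
    '{0} (key ends in {1}, created {2}, last changed {3})' -f $ao.Name,
        $ao.'msSPP-CSVLKPartialProductKey', $ao.whenCreated, $ao.whenChanged
    Get-AdbaObjectWriter -DistinguishedName $ao.DistinguishedName |
        Format-Table -AutoSize
}
```

An object you did not create, or write access for a principal outside the expected administrative groups, should be investigated.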
Reporting on activated licenses
To report on activated licenses and thus present proof of license compliance, Volume Activation Management Tool (VAMT) version 3 can be used.
VAMT 3.0 can only be installed on Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012 installations, and requires PowerShell 3.0.
Installing VAMT 3
To install Volume Activation Management Tool (VAMT) 3.0 begin by downloading the Windows Assessment and Deployment Kit (ADK) for Windows 8. When this 700KB download finishes, run it:
- In the Specify Location screen, click Next.
- Make the choice to participate or not in the Join the Customer Experience Improvement Program (CEIP) screen and click Next.
- Click on the Accept button in the License Agreement screen.
- Select to install the Volume Activation Management Tool (VAMT) and Microsoft SQL Server 2012 Express in the Select the features you want to install screen.
Existing SQL installations can be used by the Volume Activation Management Tool. When your environment already features a SQL Server and you want to use this installation to host the VAMT database, you don’t have to select the Microsoft SQL Server 2012 Express option. (In this case specify the hostname of the SQL Server during step 2 of configuring VAMT 3.)
Click Install when done.
- The selected features will now be installed. After installation the Welcome to the Assessment and Deployment Kit! screen will appear. Click Close.
Configuring clients for reporting
By default, the Volume Activation Management Tool (VAMT) will not be able to communicate with activation clients. VAMT uses WMI, and by default the Windows Firewall blocks this type of traffic. To enable it, follow these steps:
- Log on to a Domain Controller, or a management workstation with the Remote Server Administration Tools (RSAT) installed, with sufficient permissions to create and/or modify group policies.
- Start the Group Policy Management Console (GPMC) by either typing its name in the Start Menu or Start Screen, or by running gpmc.msc.
- Either create a new Group Policy object and target it at the hosts you want to report on, or select an existing Group Policy object that already targets them. Right-click the Group Policy object and select Edit… from the context menu. This will launch the Group Policy Editor.
- Navigate to Computer Configuration, Policies, Windows Settings, Security Settings and then expand the Windows Firewall with Advanced Security node twice.
- Right-click Inbound Rules and select New Rule… from the context menu.
- In the Rule Type screen, select Predefined as the rule type and select Windows Management Instrumentation (WMI) from the pull-down list. Click Next >.
- In the Predefined Rules screen, select only the rule ending on (WMI-in) and click Next > to enable the three predefined WMI rules.
- In the Action screen, select Allow the connection and click Finish.
- Now the rule will be present in the Inbound Rules node of Windows Firewall with Advanced Security. Modify the rule when you want these rules only to apply when the machine with VAMT on it connects, or when you only want this rule to apply to particular profiles (domain, private and/or public).
- Close the Group Policy Editor when done.
Wait for the Group Policy Background Refresh Interval to update the Group Policies on each of the targeted domain members (by default this may take up to 120 minutes) or use the central Group Policy Update… command to trigger updating of Group Policy objects by right-clicking the targeted Organizational Units (OUs) and selecting this option from the context menu.
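Once the policy has applied, a targeted client can be checked to see whether the inbound WMI rules are limited to the VAMT machine and the intended profiles, as suggested in the steps above. This is an added example, not part of the original post; it assumes the NetSecurity module (Windows 8 / Windows Server 2012), an English display group name, a hypothetical function name and a constructed VAMT address.

```powershell
# Added example: verify the scope of the effective inbound WMI firewall rules.
$vamtHost = '192.0.2.10'   # constructed value: address of the machine running VAMT

function Test-WmiRuleScope {
    param([Parameter(Mandatory)][string]$AllowedRemote)

    # ActiveStore is the merged result of local and Group Policy rules
    Get-NetFirewallRule -PolicyStore ActiveStore `
                        -DisplayGroup 'Windows Management Instrumentation (WMI)' |
        Where-Object { $_.Direction -eq 'Inbound' -and
                       $_.Enabled   -eq 'True'    -and
                       $_.Action    -eq 'Allow' } |
        ForEach-Object {
            $remote = @(($_ | Get-NetFirewallAddressFilter).RemoteAddress)
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Source        = $_.PolicyStoreSourceType   # GroupPolicy or Local
                Profile       = $_.Profile
                RemoteAddress = $remote -join ','
                # True only when the VAMT host is the single permitted source
                ScopedToVamt  = ($remote.Count -eq 1 -and $remote[0] -eq $AllowedRemote)
            }
        }
}

Test-WmiRuleScope -AllowedRemote $vamtHost | Format-Table -AutoSize
```

A rule that reports `Any` as its remote address, or that applies to the Public profile, accepts WMI connections from more than the reporting host.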
Configuring VAMT 3
With the Volume Activation Management Tool (VAMT) installed, it’s time to start it up for the first time and configure its basic settings:
- Start the Volume Activation Management Tool by pressing Start and typing VAMT. Then, click the shortcut to the Volume Activation Management Tool in the results pane.
- Since this is the first time the Volume Activation Management Tool (VAMT) is started, it displays the Database Connection Settings screen. Specify database settings and then click Connect. If unsure what to specify as settings, simply specify .\ADK as Server:, <Create new database> as Database: and give the new database a meaningful name. (In the example above I named the database VAMT30.)
- In the left pane of the Volume Activation Management Tool interface, right-click Products and select Discover products… from the context menu.
- In the Discover Products screen, Search for computers in Active Directory is selected by default.
The Volume Activation Management Tool does not offer an option to filter on Organizational Units. To make the computer name filter in the Volume Activation Management Tool work, implement a useful naming convention.
Click Search when done.
- When discovery completes, the Volume Activation Management Tool will display the number of machines it found. Click OK.
- Select Products in the left pane of the Volume Activation Management Tool interface. In the list of products in the middle of the screen (multi)select the products you want to see the license status of. Right-click the selection and select Update license status and Current credential from the context menu.
- Click Close when done.
- In the Volume Activation Management Tool interface, now click the root node in the left pane. In the middle pane a license summary is shown.
You can drill down in this summary.
Exporting the summary is available in the right action pane. In the Volume Licensing Reports folder in the left pane, more advanced reports are available.
To use Active Directory-based Activation the following requirements need to be met:
- Active Directory-based Activation requires the Windows Server 2012 schema extensions. This means adprep.exe needs to have been run.
- Active Directory-based Activation requires a domain-joined Windows 8-based management workstation with the Windows Volume Activation Remote Server Administration Tools (RSAT) installed, or a domain-joined Windows Server 2012-based management server.
- When volume license reporting is needed, the management workstation/server needs to have the Volume Activation Management Tool (VAMT) version 3.0 installed. VAMT should be run with credentials that have administrative permissions to the Active Directory domain and the KMS host key should be added to VAMT in the Product Keys node.
- When proxy activation is needed for isolated environments, the management workstation/server needs to have the Volume Activation Management Tool (VAMT) version 3.0 installed. VAMT 3.0 is part of the Windows Assessment and Deployment Kit (ADK) for Windows 8. The management workstation/server will be the only machine that will need an Internet connection. Click here for instructions on setting up Proxy Activation for Active Directory-based activation.
VAMT 3.0 can be installed on Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012, but requires PowerShell 3.0 and a connection to a SQL Server (Express) database.
- Active Directory-based Activation will not work for operating systems earlier than Windows Server 2012 or Windows 8. It also will not work with Microsoft Office 2010. Use KMS volume activation to activate Windows clients and applications that do not support Active Directory-based Activation.
- Supported clients will only communicate to (R/W) Domain Controllers. Activation through Read-only Domain Controllers is not possible. Make sure sufficient (R/W) Domain Controllers are available to clients in remote locations.
Active Directory-based Activation offers a way to activate Windows, Windows Server and Office installations, integrated with the highly available infrastructure of Active Directory.
Many of the downsides of using Key Management Services have been eliminated, except for the requirement to connect to the Microsoft-hosted activation services and the requirement for clients to connect to the activation infrastructure at least every 180 days.
Active Directory-based Activation offers faster reporting on licensing, by making the most of the built-in filters of the Volume Activation Management Tool (VAMT).