New book: MCITP Self-Paced Training Kit (Exam 70-686): Windows 7 Enterprise Desktop Administrator

We’re excited to announce that Craig Zacker and Orin Thomas’s MCITP Self-Paced Training Kit (Exam 70-686): Windows 7 Enterprise Desktop Administrator (ISBN 9780735627178; 592 pages) is now available for purchase!

You can find the book’s Contents at a Glance and an excerpt from the introduction in this previous post.

In today’s post, please enjoy an excerpt from Chapter 2, “Designing a Client Life Cycle.”

 

CHAPTER 2

Designing a Client Life Cycle

When you are designing a client life cycle, you should ensure that your plan reduces
the amount of time you have to spend maintaining parts of that life cycle. Your aims
can include reducing the amount of time you spend managing operating system activation,
configuring the operating system so that the installation is easily transferrable to another
computer, and minimizing the amount of time it takes to move data from an older computer
to its replacement.

Although it is not a problem to enter a unique product key when you perform a traditional
installation of Windows 7 on a small number of computers, a simple operation that
takes a minute or so becomes problematic when you have to perform the same operation
on several thousand. Microsoft offers enterprise customers an alternative way of ensuring
that their computers are properly licensed without consuming an inordinate amount of
time. The name for this method is volume activation. You will learn about volume activation
in the first lesson of this chapter.

A new feature of Windows 7 is the ability to deploy the operating system directly
to a VHD file and boot that VHD file on physical hardware. Installing Windows 7 on a
bootable VHD allows an installation to be easily migrated to new hardware. When configured
in this manner, migration to new hardware is as simple as transferring the VHD
container in which Windows 7 has been installed to the new physical or virtual host.

Although the promise of VHD deployments suggests that in the future it will be relatively
simple to migrate users from their old computers to their new computers, most of the users
coming to a new Windows 7 installation will be coming from computers running the Windows
XP or Windows Vista operating systems. The User State Migration Tool offers administrators
the ability to automate the process of user data migration, vastly speeding the process of
transitioning users from these older computers to new computers that run Windows 7.

Exam objectives in this chapter:
■ Plan and manage client licensing and activation.
■ Plan and manage a physical hardware and virtualization strategy.
■ Design a user state migration strategy.

Lessons in this chapter:
■ Lesson 1: Designing and Managing a Licensing Strategy
■ Lesson 2: Designing a Client Hardware Platform
■ Lesson 3: Migrating User Profiles

 

Before You Begin

 

To complete the exercises in the practice sessions in this chapter, you need to have done the
following:
■ Installed the Windows 7 operating system on a stand-alone client PC named WKSTN1, as described in the introduction.
■ Downloaded and installed the Windows Automated Installation Kit (Windows AIK).


Lesson 1: Designing and Managing a Licensing Strategy

 

The licensing strategy that you choose depends on the circumstances of your Windows 7
deployment. When you are determining which strategy to pursue, you must take into account
factors such as client connectivity to the Microsoft activation servers on the Internet, the number
of clients that you need to activate, and the editions of Windows 7 that you have chosen
to deploy. In this lesson, you learn about the licensing and activation options that are available
to volume licensing customers and how these differ from the licensing and activation options
available to normal retail customers.


Windows 7 Editions and Licensing

 

Windows 7 uses three types of license: the OEM license, the retail license, and the volume
license. OEM licenses are tied to a specific hardware vendor. This license type is used with
computers that are sold with Windows 7 already installed by the vendor, such as those you
might purchase from your local computer retailer. The product keys associated with an OEM
license do not allow you to transfer the license to a computer made by a different vendor.
Computers that have OEM licenses undergo activation prior to being deployed to customers.

Retail keys are provided when you buy a retail copy of Windows 7. You can use the Home
Premium, Professional, and Ultimate editions of Windows 7 with retail keys. Because a retail
key is used only for a single computer, this type is not used with zero touch or lite touch automated
volume deployments.

Volume License keys are made available to organizations that have a volume licensing
agreement with Microsoft. Volume licenses include the Open, Select, and Enterprise agreement
types. You can use volume license keys only with computers running the Windows 7
Professional and Enterprise operating systems. You can use a mixture of retail, volume
license, and OEM keys in an organizational environment.


Windows Product Activation

 

Each computer that runs the Windows 7 operating system installed in your organization must
undergo Windows Product Activation (WPA). Microsoft uses WPA to ensure that it is possible
to use the Windows 7 operating system on a computer only when the computer has a license.
Windows 7 must undergo the WPA process within 30 days of the completed installation. You
can extend this 30-day period to a total of 120 days by using the slmgr.vbs -rearm command.
Each use of this command extends the activation period for 30 days. You can use this command
to extend the activation period only three times. After the grace period expires, the
WPA process must successfully occur or Windows enters reduced functionality mode.

WPA relies on two specific identifiers and a third identifier that Windows generates based
on the previous two identifiers. These identifiers have the following properties:
■ Hardware ID: This identifier is generated using information about computer hardware
configuration. This ID is unique and changes if the hardware configuration of the computer
changes.
■ Product ID: A 25-character key. This is either a retail key or a Multiple Activation Key.
Unless Key Management Services is in use, this key must be input on the computer running
the Windows 7 operating system. You can deploy keys through the unattended installation
process. You learn about Key Management Services and deploying keys in an unattended
installation later in this lesson.
■ Installation ID: Windows 7 generates this ID using the Hardware ID and Product ID.
You forward the installation ID to Microsoft when you perform an activation using the
telephone.

During the online WPA process, the computer forwards the Product and Hardware IDs to
Microsoft activation servers. If the activation check determines that the Product ID has not
exceeded its allowed number of activations, the activation servers record the Hardware ID
and Product ID, the number of recorded activations for the Product ID is incremented, and
the activation servers forward an activation code to the client.

Microsoft allows you to reinstall and reactivate Windows 7 on the same computer once
without incrementing the number of recorded activations. Substantially altering the computer’s
hardware configuration also triggers reactivation. This can cause problems if a prior event has
triggered a reactivation: you might need to contact Microsoft if a single computer goes through
several rapid hardware configuration changes that prompt multiple reactivations.


Volume Licensing Activation Methods

 

You can choose from two methods for performing volume licensing activation: Multiple
Activation Keys (MAK keys) or Key Management Services. In the real world, one method is
more appropriate for some situations, but in other situations the choice is a matter of personal
preference. You often need to choose a volume activation method prior to deploying
client computers running the Windows 7 operating system. In the next few pages, you learn
about the solutions that you can implement and the types of situations in which you would
choose one volume licensing activation method over another.


Multiple Activation Keys

MAK keys are special keys that allow an organization to perform multiple activations using a
single key. MAK keys are similar to retail keys except that instead of allowing a single activation,
they allow multiple activations from different computers to occur up to the limit defined
by the particular key. The number of activations that a MAK key allows depends on the number
you purchase when you obtain the key. You cannot recover an activation on a MAK key
after you have consumed it. For example, if an organization uses a MAK key and replaces one
computer running Windows 7 activated using a MAK key with another computer, the replacement
computer consumes a new activation of the MAK key. In some scenarios, this circumstance
makes KMS a preferred solution to MAK key activation.

Because a single key is used, you can add MAK keys to images when deploying them centrally.
When using the Sysprep utility to prepare an image, you add a MAK key to an image during
the Specialize configuration pass. When performing a traditional installation, you can enter
MAK keys in the same way that you would enter a retail key. The main issue that requires
consideration when using a MAK key is how you will perform activation.
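
The placement described above, as an added example that is not from the book: in an answer file the MAK goes in the ProductKey setting of the Microsoft-Windows-Shell-Setup component under the specialize pass. The PowerShell check below reports which pass of an answer file carries a key; the answer file is a constructed sample and the all-X key is a placeholder.

```powershell
# Added example: report which configuration pass of an answer file carries a product key.
# Constructed sample answer file; the all-X key is a placeholder, not a real MAK.
[xml]$unattend = @'
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <ProductKey>XXXXX-XXXXX-XXXXX-XXXXX-XXXXX</ProductKey>
    </component>
  </settings>
</unattend>
'@

function Get-UnattendProductKey {
    param([Parameter(Mandatory = $true)][xml]$AnswerFile)

    # Answer-file elements live in the unattend namespace, so XPath needs a prefix for it.
    $ns = New-Object System.Xml.XmlNamespaceManager($AnswerFile.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')

    foreach ($settings in $AnswerFile.SelectNodes('/u:unattend/u:settings', $ns)) {
        $pass  = $settings.GetAttribute('pass')
        $xpath = 'u:component[@name="Microsoft-Windows-Shell-Setup"]/u:ProductKey'
        foreach ($key in $settings.SelectNodes($xpath, $ns)) {
            New-Object PSObject -Property @{
                Pass             = $pass
                Component        = 'Microsoft-Windows-Shell-Setup'
                # Show only the last group so the full key never lands in logs.
                KeyTail          = $key.InnerText.Trim().Split('-')[-1]
                InSpecializePass = ($pass -eq 'specialize')
            }
        }
    }
}

Get-UnattendProductKey -AnswerFile $unattend
```

The key is stored in clear text in the answer file, so restrict access to the file and to any image or share that contains it.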

You can activate a MAK key in one of two ways:

■ MAK Independent Activation: Similar to normal retail activation in that it requires
that each computer independently activate. You can activate the key automatically over
the Internet or use the telephone to call the licensing clearinghouse. MAK Independent
Activation is a good option for locations in which you do not have sufficient numbers of
clients to make KMS or MAK Proxy Activation viable. For example, if you plan to deploy
five clients on an isolated network, it is simpler for you to perform MAK Independent
Activation over the telephone than it is to configure MAK Proxy Activation for such a
small number of clients.

■ MAK Proxy Activation: Allows administrators to configure activation of multiple independent
clients using a single connection to Microsoft. MAK Proxy Activation is suitable for
isolated networks that do not meet the KMS client threshold but have sufficient numbers
of clients to make independent activation more time consuming than configuring
proxy activation. For example, consider MAK Proxy Activation for an isolated network
of 23 clients for the Windows 7 Enterprise operating system. Performing 23 separate
telephone activations would take more time than configuring proxy activation. To use
MAK Proxy Activation, you need to configure the Volume Activation Management Tool
(VAMT). You learn about the VAMT in the next section.


Volume Activation Management Tool

 

The Volume Activation Management Tool (VAMT) allows you to collect activation requests
from multiple computers and then forward those requests to Microsoft all at one time. After
the VAMT receives the activation confirmation identifiers from Microsoft, it can distribute
those IDs back to the computers that originally requested activation. The term for this process
is MAK Proxy Activation, described previously.

The VAMT stores activation confirmation identifiers in a database called a collection. Because
these identifiers are stored locally, you can perform operating system reactivation without being
required to initiate a new connection between the computer hosting the VAMT and Microsoft.
This allows organizations to reimage computers without the concern of consuming an additional
activation on an existing MAK key. You can use the Volume Activation Management Tool to
transition client computers between MAK and KMS volume activation if necessary.

To use MAK Proxy Activation, perform the following general steps:

  1. Install the VAMT on a computer on the isolated network and also on a computer
    that is located on a network connected to the Internet. For the purposes of this explanation,
    the computer on the isolated network is VAMT-Isolated and the computer on
    the connected network is VAMT-Connected.
  2. Create a computer group named Isolated Computers on VAMT-Isolated. Use the VAMT
    discovery process to discover the identity of the computers on the isolated network.
  3. Add the MAK key to the VAMT on computer VAMT-Isolated. Right-click the Isolated
    Computers group on VAMT-Isolated and then choose the MAK Proxy Activate option.
    Make sure of the following:
    ■ The Get Confirmation ID From Microsoft check box is not enabled.
    ■ The Apply Confirmation ID And Activate check box is not enabled.
  4. When VAMT finishes assigning the MAK keys on the isolated network, save the collection
    file on VAMT-Isolated, and then transfer and import the collection file to the
    VAMT-Connected computer. This action populates the VAMT on VAMT-Connected
    with the Isolated Computers group.
  5. On the VAMT-Connected computer, right-click the Isolated Computers group and then
    choose MAK Proxy Activate. Make sure of the following:
    ■ The Get Confirmation ID From Microsoft check box is selected.
    ■ The Install MAK (Overwrite Existing) check box is not selected.
    ■ The Apply Confirmation ID And Activate check box is not selected.
  6. VAMT on VAMT-Connected now interacts with the Microsoft servers and procures
    confirmation identifiers.
  7. After the confirmation IDs have been obtained from the Microsoft servers, export
    the collection with a new name. Transfer this file to the VAMT-Isolated computer and
    import the file.
  8. After you import the file, save the file in a secure location such as a removable flash
    device placed in a safe. This allows you to perform reactivation if it is necessary to
    reimage hosts on the isolated network.
  9. On VAMT-Isolated, select the Isolated Computers group and choose MAK Proxy Activate.
    Make sure of the following:
    ■ The Apply Confirmation ID And Activate check box is selected.
    ■ The Get Confirmation ID From Microsoft check box is not selected.
    ■ The Install MAK (Overwrite Existing) check box is not selected.
  10. VAMT assigns the confirmation identifiers to computers on the isolated network,
    activating them.

You can configure VAMT clients on an Active Directory computer account, a stand-alone
workgroup membership, a fully qualified domain name, or an IP address, as shown in Figure 2-1.
The tool also allows you to see the current licensing state of clients on your network, allowing
you to determine whether your organization is compliant with the number of purchased licenses.


FIGURE 2-1 Volume Activation Management Tool

You can also use the VAMT to activate a large number of computers that are located on a
network connected to the Internet. The name for this process is MAK Independent Activation.
When you perform MAK Independent Activation, the VAMT installs the MAK key on a group
of selected computers and then prompts those computers to undergo the activation process
on Microsoft activation servers.


Key Management Service

 

Key Management Service (KMS) allows you to place an activation server on the local area network.
Rather than activate on the Microsoft activation servers on the Internet, clients activate
on the KMS server on the LAN. Clients locate KMS servers using DNS. Because KMS provides
activation servers, you should not expose a KMS server to hosts on the Internet by allowing
direct access from the Internet. You can also configure clients to use a specific KMS server by
using the VAMT. Computers running the Windows 7, Windows Vista, Windows Server 2008,
Windows Server 2008 R2, and Windows Server 2003 operating systems can function as KMS
servers. When you configure a computer running Windows Server 2008 R2 as a KMS server,
you can activate both server and client operating systems. When you configure a computer
running the Windows 7 operating system as a KMS server, it is able to activate only computers
running Windows client operating systems.

A certain number of clients must contact a KMS server before the KMS activation can
occur. This number is the KMS activation threshold. Clients activating on the KMS server
can be running in a traditional hardware deployment or as virtual hosts. The KMS activation
threshold differs between clients and servers and is as follows:
■ The KMS client threshold is 25 Windows clients.
■ The KMS server threshold is five servers.

When a new client or server contacts the KMS server, the server increments the activation
count by one. Clients do not activate until the activation count reaches the threshold value.
Clients contact the KMS server every two hours until the activation threshold is reached or the
activation grace period expires. After the activation count on the KMS server exceeds 5, any
servers that contact or have contacted the KMS server successfully activate. After the activation
count on the KMS server exceeds a value of 25, clients that contact or have contacted the server
successfully activate.

To configure a host to function as a KMS server, perform the following steps:

  1. Install the KMS key on the computer that will function as the KMS server. This computer
    can be running the Windows 7 operating system, although this means that it is able
    to activate only Windows client operating systems and is unable to activate Windows
    server operating systems.
  2. Activate the computer that you installed the KMS key on with Microsoft over the
    Internet or by using the telephone. After activation is complete, the computer functions
    as a KMS server.

Each KMS key can be installed on up to six computers that will function as KMS servers.
Each KMS server can be reactivated up to nine times with Microsoft, should it be necessary. If
your organization needs more than six KMS servers, you must contact a Microsoft Licensing
representative to enable additional activations for the organization’s KMS key. For example, if
your organization has 12 separate sites covered by a single Volume Licensing agreement and
a KMS server is to be placed at each site, you need to enable additional activations for the
organization’s KMS key.

After a KMS client has been activated, it tries to reconnect with the KMS server every
7 days but must reconnect with the KMS server at least once every 180 days. If the client
is unable to reconnect with the KMS server in 180 days, it enters a reduced functionality
mode. Each time a KMS client successfully connects with a KMS server, the 180-day activation
countdown timer is reset.


Software Licensing Management Tool

 

The software licensing management tool is a command-line utility that you can use to manually
manage licensing. The tool uses the slmgr.vbs script. Unlike VAMT, which you must obtain
and install manually, slmgr.vbs is included in a default installation of the Windows 7 operating
system. The slmgr.vbs script is usually run locally from an elevated command prompt. You can
also use it to manage licensing on computers configured for remote management. You can
configure the slmgr.vbs command to perform the following tasks:
■ Install and remove product keys from hosts.
■ Display current host licensing information including current license expiration date.
■ Force a host to undergo the activation process.
■ Configure a client to use a KMS server and specify the address of the KMS server.
■ Extend the evaluation period by 30 days up to three times.
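
The tasks listed above, together with the KMS client configuration described earlier, as an added PowerShell example that is not from the book. It wraps slmgr.vbs and reads the same licensing state from the SoftwareLicensingProduct WMI class; the host name kms01.corp.example and the all-X key are placeholders, and 1688 is the default KMS port.

```powershell
# Added example; run from an elevated PowerShell prompt.
# slmgr.vbs switches used for the tasks in the list above:
#   /ipk <key>   install a product key      /upk    remove the installed product key
#   /dli, /dlv   display license details    /xpr    display the expiration date
#   /ato         force activation           /skms <host[:port]>  set the KMS server
#   /rearm       reset the activation grace period
$Slmgr = Join-Path $env:windir 'System32\slmgr.vbs'

function Invoke-Slmgr {
    # Runs slmgr.vbs under cscript so results go to the console, not message boxes.
    param(
        [Parameter(Mandatory = $true)][string[]]$Option,
        [string]$ComputerName      # optional remote target; omit for the local host
    )
    $argList = @('//NoLogo', $Slmgr)
    if ($ComputerName) { $argList += $ComputerName }
    & cscript.exe ($argList + $Option)
}

function Set-KmsClient {
    # Points this client at a specific KMS server, then attempts activation.
    param([Parameter(Mandatory = $true)][string]$KmsHost, [int]$Port = 1688)
    Invoke-Slmgr -Option '/skms', "${KmsHost}:$Port"
    Invoke-Slmgr -Option '/ato'
    Invoke-Slmgr -Option '/xpr'
}

function Get-LicenseState {
    # Reads licensing state from WMI so it can be collected from many hosts.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $names = 'Unlicensed', 'Licensed', 'Out-of-box grace', 'Out-of-tolerance grace',
             'Non-genuine grace', 'Notification', 'Extended grace'
    Get-WmiObject -Class SoftwareLicensingProduct -ComputerName $ComputerName `
                  -Filter 'PartialProductKey IS NOT NULL' |
        Select-Object Name, PartialProductKey,
            @{ n = 'Status';        e = { $names[[int]$_.LicenseStatus] } },
            # GracePeriodRemaining is reported in minutes.
            @{ n = 'DaysRemaining'; e = { [math]::Floor($_.GracePeriodRemaining / 1440) } }
}

# Placeholder values; replace with your own before running.
# Invoke-Slmgr -Option '/ipk', 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'
# Set-KmsClient -KmsHost 'kms01.corp.example'
Get-LicenseState
```

On a KMS client, DaysRemaining counts down from the 180-day window, so a value that keeps falling means the client is not reaching its KMS server.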


Lesson Summary

 

■ MAK keys and KMS can be used only with editions of Windows 7 that support volume
licensing. Only the Windows 7 Professional and Enterprise editions support this type of
licensing.
■ A KMS server requires 25 clients before it can function. A client must check in with the
KMS server every 180 days.
■ You can use the VAMT to perform MAK proxy activation.
■ You add the MAK key to an operating system image using Sysprep during the Specialize
configuration pass.

Lesson Review

 

You can use the following questions to test your knowledge of the information in Lesson 1,
“Designing and Managing a Licensing Strategy.” The questions are also available on the
companion CD if you prefer to review them in electronic form.


  1. You need to deploy the Windows 7 operating system to 10 computers that are located
    on a network isolated from the Internet. These computers have been custom-built using
    hardware purchased from different vendors. These 10 computers are the only hosts
    on this network. These computers have the Windows 7 Enterprise operating system
    installed. Which of the following components should you deploy in your solution?
    A. Retail key
    B. MAK key
    C. OEM key
    D. KMS server
  2. Your organization has an isolated network with one computer running the Windows
    Server 2008 R2 operating system. This server is configured as a KMS server and uses
    KMS for activation. How many clients running the Windows 7 Enterprise edition operating
    system must you add to this isolated network before clients can successfully
    activate using the KMS server?
    A. 4
    B. 9
    C. 24
    D. 29
  3. Which of the following methods can you use to activate 15 clients using a MAK when
    they are on a network isolated from the Internet? (Choose all that apply; each answer
    forms a complete solution.)
    A. MAK Independent Activation
    B. MAK Proxy Activation
    C. KMS
    D. Telephone activation
  4. You are using Sysprep to prepare a Windows 7 Enterprise image for deployment. During
    which Sysprep configuration pass do you add the MAK key?
    A. auditUser
    B. Generalize
    C. Specialize
    D. auditSystem
  5. Which of the following editions of Windows 7 support volume licensing? (Choose all
    that apply; each answer forms a complete solution.)
    A. Enterprise
    B. Ultimate
    C. Professional
    D. Home Premium