
Windows Vista @MIT
and Windows Vista for WIN.MIT.EDU

Vista Enterprise Activation on the MIT Campus
An overview of MIT's Vista Activation services

Windows Vista in the WIN.MIT.EDU domain
An overview of WIN.MIT.EDU's implementation of Windows Vista

Richard Edelson
Network & Infrastructure Services Team
Information Services & Technology
Windows Vista Enterprise Activation

VA 1.0 – Volume Activation 1.0:
- User enters a Volume Key to install the software
- Requires Volume Media
- Volume Media of Windows XP does not require activation.
- Volume Media of Office XP, 2003 and 2007 do not require activation.

VA 2.0 – Volume Activation 2.0:
- Vista Enterprise Volume Media does not require any key for installation. Must be
  activated within 30 days of installation.
- Activation can take place automatically without the distribution of a key using a
  KMS server.
- Windows Longhorn server will also require activation similar to Windows Vista.
Why is Microsoft introducing Volume Activation?

Software piracy is an industry problem
- Requires a combination of education (guidance on how to protect software),
  engineering (software and anti-counterfeiting technologies) and enforcement
  (support from government/law officials)

Challenges in managing software assets
- VL software is a major source of pirated Microsoft software
  - Billions of dollars of lost software license revenue per year.
  - 40% of Windows is pirated; 46% of pirated Windows is from leaked VL keys
  - Thousands of VL keys provided to customers have leaked
  - Re-keying happens and it is very cumbersome

Microsoft is building Enterprise-class solutions open to industry partners
- Volume Activation 2.0 is a new solution being introduced with Windows Vista
- Volume Activation 3.0 will have improved tools and asset management
VA 2.0 Activation Methods

MAK - Multiple Activation Key
- One product key can activate a specific number of computers. Each activation
  results in depletion of the activation pool. MAKs are activation keys: they are
  not used to install Windows but rather to activate it after installation.
- There are two ways to activate computers using MAK:
  - MAK Proxy Activation: a solution that enables a centralized activation request
    on behalf of multiple desktops with one connection to Microsoft.
  - MAK Independent Activation: requires that each desktop independently connect
    and activate against Microsoft.

KMS - Key Management Service
- KMS enables organizations to perform local activations for computers in a
  managed environment without connecting to Microsoft individually. A KMS
  Key is used to enable the Key Management Service on servers controlled by
  the organization. KMS is targeted for larger environments where computers are
  consistently connected to the organization's network either directly or via a
  VPN.
VA 2.0 Activation @MIT: KMS

Why did we choose KMS?

Unlike MAK, KMS activation services do not impose a “hard limit” when
activation counts are depleted. Additional hosts can still activate Windows.

With MAK, if the counts are depleted, nobody at MIT would be able to activate
a new computer until we called Microsoft and purchased more licenses.

Unlike MAK, KMS activation services allow unused activations to expire,
therefore refreshing the activation pool. An activation expires if the host has
not contacted a KMS server in over 180 days.

KMS services allow end users to reinstall Windows without risk of depleting
the activation pool.

KMS allows machines with properly configured DNS settings to auto-activate,
without user intervention. This is useful for environments where the end user
does not have administrative access to the workstation. This makes the
activation process nearly transparent.
How Does KMS work?

A KMS server is activated using a special KMS key via an online activation with Microsoft. This key may
be activated 6 times.

A KMS server requires a minimum of 25 Vista clients in its pool to begin activating client machines. Virtual
machines can also be activated, but they do not contribute to the pool count.

By default, all volume editions of Windows Vista install as KMS clients. Volume edition Vista clients will
automatically try to locate and activate from a KMS server without the use of a product key. Client computers
locate the KMS server via SRV records in DNS, or by using connection information specified in the
registry.

Clients that are not activated attempt to connect with the KMS host every two hours. A new installation
must be activated within 30 days or it will enter Reduced Functionality Mode.

KMS Clients must renew their activation by connecting to the KMS host at least once every 180 days to
stay activated. Once activated, the client computers attempt to renew their activation every seven days. If
the client cannot renew its activation, it will retry every two hours.

KMS SRV records must exist in the DNS zone the client is using. If a DNS subdomain is used, SRV records
must also exist in that subdomain. Contact [email protected] if you need assistance determining the proper
SRV records for your subdomain.

Some private subnets at MIT may need to be added to an IP ACL to gain access to MIT KMS servers.
Contact [email protected] for such access requests.
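The client lifecycle described on this slide (30-day initial grace, 180-day activation lifetime, 7-day renewal, 2-hour retry, 30-day grace after expiry before RFM) and the DNS lookup a client performs, modelled as an added Python example; this is not MIT's or Microsoft's code. The intervals are the ones the slides state. The SRV record name _vlmcs._tcp is the name KMS clients actually query for but is not given on the slides. The same model answers the question on the later "Maintenance of machines activated via the VPN" slide, how many days remain before a machine must reactivate. All dates in demo() are constructed.

```python
"""Model of the KMS client activation lifecycle (added example, not MIT's or
Microsoft's code).  Intervals come from the slides; the SRV name _vlmcs._tcp
is the real record KMS clients look up but is not named on the slides."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

INITIAL_GRACE = timedelta(days=30)         # fresh install must activate within 30 days
ACTIVATION_LIFETIME = timedelta(days=180)  # activation valid 180 days after last KMS contact
EXPIRY_GRACE = timedelta(days=30)          # 180 + 30 = 210 days before RFM
RENEW_INTERVAL = timedelta(days=7)         # activated clients re-contact KMS every 7 days
RETRY_INTERVAL = timedelta(hours=2)        # unactivated clients (or failed renewals) retry every 2 hours


def kms_srv_name(primary_dns_suffix: str) -> str:
    """DNS name a client queries for KMS SRV records, given its primary DNS suffix."""
    return "_vlmcs._tcp." + primary_dns_suffix.strip(".").lower()


@dataclass
class KmsClient:
    installed: datetime
    last_activation: Optional[datetime] = None  # last successful KMS contact
    last_attempt: Optional[datetime] = None     # last contact attempt, successful or not


def status(client: KmsClient, now: datetime) -> Tuple[str, datetime]:
    """Return (state, deadline): state is 'initial-grace', 'activated',
    'expired-grace' or 'rfm'; deadline is when the current state ends."""
    if client.last_activation is None:
        deadline = client.installed + INITIAL_GRACE
        return ("initial-grace", deadline) if now < deadline else ("rfm", deadline)
    expiry = client.last_activation + ACTIVATION_LIFETIME
    if now < expiry:
        return ("activated", expiry)
    rfm_at = expiry + EXPIRY_GRACE
    return ("expired-grace", rfm_at) if now < rfm_at else ("rfm", rfm_at)


def days_until_reactivation_required(client: KmsClient, now: datetime) -> int:
    """Whole days left before the activation lapses (what slmgr.vbs -xpr reports)."""
    state, deadline = status(client, now)
    return (deadline - now).days if state == "activated" else 0


def next_contact(client: KmsClient, now: datetime) -> datetime:
    """When the client next tries the KMS host: 7 days after a successful
    activation, otherwise 2 hours after the last attempt (or after install)."""
    state, _ = status(client, now)
    if state == "activated" and client.last_attempt == client.last_activation:
        return client.last_activation + RENEW_INTERVAL
    base = client.last_attempt or client.installed
    return base + RETRY_INTERVAL


def record_contact(client: KmsClient, when: datetime, succeeded: bool) -> KmsClient:
    """Record a contact attempt; a success resets the 180-day lifetime."""
    client.last_attempt = when
    if succeeded:
        client.last_activation = when
    return client


def demo() -> Dict[str, object]:
    """Constructed scenario: a laptop installed 2008-01-01, activated on campus
    2008-01-02, then kept off the MIT network."""
    laptop = record_contact(KmsClient(installed=datetime(2008, 1, 1)),
                            datetime(2008, 1, 2), succeeded=True)
    fresh = KmsClient(installed=datetime(2008, 1, 1))  # never activated
    jan15 = datetime(2008, 1, 15)
    return {
        "srv": kms_srv_name("MIT.EDU"),
        "state_jan15": status(laptop, jan15)[0],
        "expiry": status(laptop, jan15)[1].date().isoformat(),
        "days_left_jan15": days_until_reactivation_required(laptop, jan15),
        "next_contact": next_contact(laptop, jan15).isoformat(),
        "state_jul15": status(laptop, datetime(2008, 7, 15))[0],   # past 180 days
        "state_aug15": status(laptop, datetime(2008, 8, 15))[0],   # past 210 days
        "fresh_state": status(fresh, datetime(2008, 1, 20))[0],
        "fresh_next_contact": next_contact(fresh, datetime(2008, 1, 20)).isoformat(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "expired-grace" state is the one the maintenance slide warns laptop users about: the machine still works for 30 days after the 180-day lifetime, but only a successful KMS contact (boot on campus or over the VPN, or slmgr.vbs -ato) moves it back to "activated".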
KMS Activation

[Diagram: the MIT campus network. The KMS hosting machines perform a one-time KMS
server activation with Microsoft over the Internet. Vista clients on the campus network,
and VPN clients connected through the MIT VPN, locate the KMS servers via SRV records
in DNS. Access to MIT KMS services is restricted to campus use.]

Clients query their system primary DNS zone found in the System Control Panel
for KMS server records, then poll a KMS server for activation.
Reduced Functionality Mode

After installation and the conclusion of the 30 day grace period,
product activation is required. Failure to activate results in
Windows being placed in Reduced Functionality Mode (RFM).
There is no start menu, no desktop icons, and the desktop
background is changed to black. After one hour, the system will
log the user out without warning. The computer is not shut down,
and the user can log back in. This is different from the
Windows XP RFM experience, which limited screen resolution,
colors, sounds and other features.

Once a copy of Windows Vista has moved into RFM, the user will
be presented the four options at their next logon (pictured on the
right).

Users on Campus or connected via the MIT VPN that have never
activated their computer within 30 days should click “Activate
Windows online now.” The same is true for users who had
activated but exceeded the 210 day (180 days plus 30 days grace
period) activation expiration without being connected to MIT’s
network.

By clicking “Access your computer with reduced functionality,”
the default Web browser is started and the user is presented with
an option to purchase a new product key. The Web browser will
function fully and Internet connectivity will not be blocked.

The “Retype your product key” option is not used for machines
activating with a KMS server.

If no Internet connection is detected, the user can click “Show me
other ways to activate” to use telephone activation. This option
will not be active if an Internet connection is present on the
system.
Configuring clients for activation

If your machine is configured to use MITnet DHCP services, the activation should occur
automatically within the first three days. The DHCP lease contains the correct configuration
information needed to activate. This is also true if you are using an MIT wireless network.

If your computer is a member of the WIN.MIT.EDU domain no configuration is necessary.

Determining if your computer has already been activated:
- Open the System Control Panel. In the “Windows activation” section, “Windows is
  activated” will appear if the computer has already been activated.

If you still need to activate, configure Vista with the correct primary DNS suffix:
- Open the System Control Panel. In the “Computer name, domain, and workgroup
  settings” section, click Change settings. Click the “Change” button, then click the
  “More” button. Set the “primary DNS suffix for this computer” to MIT.EDU. Click OK
  and close the open windows. Reboot your computer and you should be activated.

Using the MIT VPN:
- If Vista is not yet activated, follow the steps above to set up the primary DNS suffix.
  Then reconnect to the VPN after the reboot.
Maintenance of machines activated via the VPN

Your computer needs to reactivate at least once in 180 days.
- After 180 days, if the computer has not reactivated, it will enter a 30 day grace period.
  After the 30 day grace period the machine will go into Reduced Functionality Mode.

If your machine is a laptop, it is recommended that you periodically boot it while on the MIT
network. Then the system will communicate with the KMS servers automatically. This is
recommended for any user, but especially for those who do not have administrative rights.

To determine how many days are left until you need to reactivate:
- Open a command window:
  - If UAC is on: From the Start button, select All Programs, then Accessories. Right-click the
    “Command Prompt” icon and select “Run as administrator”.
  - If UAC is off, simply open a command window from a user session with administrative
    privileges.
- Within the command window run the following:
  cscript %windir%\system32\slmgr.vbs -xpr

How to manually reactivate:
- From a command window launched as described above, run the following:
  cscript %windir%\system32\slmgr.vbs -ato

More information can be found at: http://itinfo.mit.edu/product.php?vid=735
Non-Genuine Volume keys

If either a Volume Activation 2.0 customer or Microsoft detects that a KMS key or a MAK
has been misused, after discussions between the customer and Microsoft, the product key can
be marked as invalid for activation and as non-Genuine.

When a volume edition client visits Microsoft Web sites requiring Genuine Validation, it will
have to download and run either an ActiveX® control or a small .exe application to access the
download. If the computer is configured with an invalid key or tampered files are detected,
the computer will fail Genuine Validation. The user will be notified by a watermark on the
desktop and periodic notifications to validate the Genuine status of the system by visiting a
Microsoft Web site. In addition, the computer may be placed in a 30-day non-Genuine grace
period during which it needs to be configured with a new product key or reinstalled if
tampered files are detected.

For computers activated with an invalid KMS key, the KMS server must first be activated
with a new KMS key. KMS clients will then reactivate themselves after contacting the
reconfigured KMS host. In both scenarios, computers that have downloaded the Genuine
Advantage ActiveX control must also visit the Genuine Advantage Web site to change their
Genuine status from non-Genuine to Genuine after being activated with a new product key.

If a new product key has not been installed and activated, and the status has not changed
during the 30-day non-Genuine grace period, the computer will start in non-Genuine RFM. In
RFM, a user will only have options to access Web sites using their browser for an hour, before
being logged off by the system.
Windows Vista in the WIN.MIT.EDU domain
- Roaming profiles
- Folder redirection
- Software deployment
- Laptop support
- Printing
Roaming profiles

Vista roaming profiles are not compatible with XP profiles. Microsoft added code in Vista to
create a new profile directory in the user's home directory with a .V2 extension:
- XP: H:\.winprofile
- Vista: H:\.winprofile.V2
- Each profile has its own desktop folder: e.g., XP's is H:\.winprofile\desktop

Desktop-Sync: In order to preserve consistency of the desktop files and shortcuts for users
logging into both XP and Vista machines, WIN.MIT.EDU synchronizes the desktop folders of
both profiles when a user logs on:
- Files saved to an XP desktop will appear on the Vista desktop.
- Files saved to a Vista desktop will appear on the XP desktop.
- If a file is updated on one of the desktops, the other desktop will receive the updated version at the
  next user logon regardless of which OS they log on to.
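The Desktop-Sync behaviour just described, as an added Python example (not WIN.MIT.EDU's logon script): a two-way merge of the XP and Vista desktop folders in which a file missing on one side is copied across and, where both copies exist, the newer modification time wins, so a file updated on either desktop reaches the other at the next run. It assumes both desktops are plain directories and that nothing is ever deleted, since the slide only describes propagation of new and updated files; the folder names and files set up in demo() are constructed.

```python
"""Two-way desktop folder sync, newest modification time wins (added example;
not WIN.MIT.EDU's logon script).  Assumes plain directories and never deletes."""
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def _snapshot(root: Path) -> Dict[str, float]:
    """Map relative file path -> mtime for every regular file under root."""
    files: Dict[str, float] = {}
    for p in root.rglob("*"):
        if p.is_file():
            files[p.relative_to(root).as_posix()] = p.stat().st_mtime
    return files


def sync_desktops(xp_desktop: Path, vista_desktop: Path) -> List[str]:
    """Copy each file that is missing or older on one side from the other side.
    Returns a log of copies made; equal timestamps copy nothing."""
    actions: List[str] = []
    xp, vista = _snapshot(xp_desktop), _snapshot(vista_desktop)
    for rel in sorted(set(xp) | set(vista)):
        t_xp, t_vista = xp.get(rel), vista.get(rel)
        if t_vista is None or (t_xp is not None and t_xp > t_vista):
            src, dst, direction = xp_desktop / rel, vista_desktop / rel, "xp->vista"
        elif t_xp is None or t_vista > t_xp:
            src, dst, direction = vista_desktop / rel, xp_desktop / rel, "vista->xp"
        else:
            continue  # same mtime on both sides: already in sync
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 preserves mtime, so the next run sees them equal
        actions.append(f"{direction} {rel}")
    return actions


def demo() -> Dict[str, object]:
    """Constructed scenario: one new file on each desktop, plus a file present on
    both where the Vista copy is newer."""
    with tempfile.TemporaryDirectory() as tmp:
        xp = Path(tmp) / "winprofile" / "Desktop"       # stands in for H:\.winprofile\desktop
        vista = Path(tmp) / "winprofile.V2" / "Desktop"  # stands in for H:\.winprofile.V2\Desktop
        xp.mkdir(parents=True)
        vista.mkdir(parents=True)
        (xp / "notes.txt").write_text("from xp")
        (vista / "link.url").write_text("from vista")
        (xp / "shared.txt").write_text("old")
        os.utime(xp / "shared.txt", (1000, 1000))      # older copy on XP
        (vista / "shared.txt").write_text("new")
        os.utime(vista / "shared.txt", (2000, 2000))   # newer copy on Vista
        first = sync_desktops(xp, vista)
        second = sync_desktops(xp, vista)  # nothing left to copy on the second run
        return {
            "first": first,
            "second": second,
            "xp_shared": (xp / "shared.txt").read_text(),
            "vista_notes": (vista / "notes.txt").read_text(),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because copy2 carries the source timestamp across, a second run at the next logon is a no-op, which is what makes the merge safe to run from every logon regardless of which OS the user logs on to.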

A cached roaming profile may only be deleted via the System Control Panel. If the files are
deleted manually, the roaming profile will fail to load.

Upgrades: If a machine is upgraded to Vista, the upgraded cached copy of a roaming profile
should be copied to a new folder via the System Control Panel and not used (more about this in
the folder redirection topic).
- A local logon should be used for the upgrade, and immediately after the upgrade to rename the old
  cached profile.
- Upgraded versions of non-roaming profiles can be preserved and do not need to be modified.
Folder redirection: XP

By default, all users and machines use both roaming profiles and folder redirection.

Computers download the default user profile from a DFS share.

For the Windows XP environment, WIN.MIT.EDU redirects the following folders:
- Application Data = H:\WinData\Application Data
- My Documents = %HOMESHARE%\WinData\My Documents
- My Pictures = %HOMESHARE%\WinData\My Documents\My Pictures
- Favorites = %HOMESHARE%\WinData\Favorites

%HOMESHARE% is the location of the user's home directory as specified by the user
account properties in Active Directory. These properties are managed by Moira and can be
modified via the change profile options webform.

Machines opted into the disconnected operations laptop policy map H: to their local user
profile in C:\Documents and Settings instead of the user's DFS home directory. These
machines do not use roaming profiles.

Users who used the change profile options webform to set their account to local profiles and
no folder redirection see similar behavior to those who use machines covered under the laptop
policy.
Folder redirection: Vista

By default, all users and machines use both roaming profiles and folder redirection.

Computers download the default user profile from a DFS share.

For the Windows Vista environment, WIN.MIT.EDU redirects the following folders:
- AppData(Roaming) = %HOMESHARE%\WinData\Application Data
- Contacts = %HOMESHARE%\WinData\My Documents\Contacts
- Documents = %HOMESHARE%\WinData\My Documents
- Downloads = %HOMESHARE%\WinData\My Documents\Downloads
- Music = %HOMESHARE%\WinData\My Documents\My Music
- Videos = %HOMESHARE%\WinData\My Documents\My Videos
- Pictures = %HOMESHARE%\WinData\My Documents\My Pictures
- Saved Games = %HOMESHARE%\WinData\My Documents\Saved Games
- Searches = %HOMESHARE%\WinData\My Documents\Searches
- Favorites = %HOMESHARE%\WinData\Favorites
- Links = %HOMESHARE%\WinData\Favorites\Links

The redirected paths for Vista were chosen in such a way as to preserve the continuity of user
experience from XP.

Both XP and Vista share the same My Documents and Favorites folder. Documents don’t exist
in two locations.
User Files Directory View in Vista

The user's files folder is a programmatically merged view of the local
cached profile and the redirected folders.
- It's possible to view duplicate entries if a directory exists in each location.
- We reported this to Microsoft, but no action was taken to remediate the issue.

We implemented our own workaround to the user file view issue:
- The default domain Vista roaming profile, which is the source for the cached
  profiles, has the folders which are redirected removed.
- Users in the domain who use a local profile, either on a desktop by opting out of
  roaming profiles or on a computer opted into disconnected operation (laptop
  policy), have the removed directories recreated at logon when the profile is first
  created.
- New logon scripts include logic to detect whether the user is roaming or not
  and create the directories if they do not exist.
Software deployment

McAfee VirusScan:
- Using the opt-in webform, VirusScan 8.0i is deployed to machines running
  XP and version 8.5i is deployed to Windows Vista clients.
- This is due to McAfee's reinstall requirements for machines running 8.5i upgrading to Vista.

OpenAFS for Windows:
- Using the opt-in webform, version 1.3.84 is deployed to machines
  running XP and version 1.5.11 is deployed to Windows Vista clients.
- UAC is off by default to support KfW 2.6.5. This will change when a future release of
  KfW supports MSLSA interoperability on Vista.

KLP/LPng Windows printing clients:
- These packages are not deployed to Windows Vista clients. They do not work on Vista
  and IS&T has stopped development on these products.
Laptop support

Vista laptops are supported in a similar way to how they are supported under Windows XP.
- One difference is that the H: drive no longer needs to be mapped to the local user profile. Therefore
  there is no longer a dependency on the H: drive. This drive may still appear if the laptop is upgraded
  from XP.
- If the machine is connected to the MIT network at logon, the user's DFS home directory will get
  mapped as H:.

New VPN client:
- There is a newer VPN client required for Vista, now on the MIT software download page.

MIT had worked with Microsoft so that users of a trusted cross-realm MIT Kerberos realm
did not have to enter a “UPN” (username@REALMNAME) when doing a cached logon. This
fix was added to XP SP2.

This code was not added to Windows Vista, so currently a UPN is required. We have an open
case with Microsoft to have this fix for the Kerberos regressions implemented in Vista.