Evaluate Client Connectivity

On This Page

Core Network
Isolated Networks
Disconnected Individual Computers
Test and Development Labs

Each Volume Activation method is best suited to a particular network configuration. To select the best activation method or methods for the organization, assess the network environment to identify how different groups of computers connect to the network. Connectivity to the corporate network, Internet access, and the number of computers that regularly connect to the corporate network are some of the important configuration characteristics to identify. Most medium- to large-sized organizations use a combination of activation methods because of the varied ways their client computers connect to the networks.

KMS is the recommended activation method for computers that are well connected to the organization’s core network or that have periodic connectivity, such as computers that are offsite. MAK is the recommended activation method for computers that are offsite with limited connectivity or that cannot connect to the core network because of security restrictions. These include computers in lab and development environments that are isolated from the core network.

Table 1 lists common network configurations and the best practice recommendations for each configuration. Each solution factors in the number computers and network connectivity of the activation clients.

Table 1   Planning Considerations by Network Infrastructure

Network Infrastructure

Recommendations

Considerations

Core network

Well-connected local area network (LAN)

Most common scenario

If total computers > KMS activation threshold:

  • Small (<100 machines): KMS host = 1

  • Medium (>100 machines): KMS host ≥ 1

  • Enterprise: KMS host > 1

If total computers ≤ KMS activation threshold:

  • MAK (by telephone or Internet)

  • MAK Proxy

  • Minimize the number of KMS hosts

  • Each KMS host must consistently maintain a count of total machines > KMS activation threshold

  • KMS hosts are autonomous

  • KMS host is activated by telephone or Internet

Isolated network

Branch office, high-security network segments, perimeter networks

Well-connected zoned LAN

If ports on firewalls can be opened between KMS clients and hosts:

  • Use KMS hosts in core network

If policy prevents firewall modification:

  • Use local KMS hosts in an isolated network

  • MAK (by telephone or Internet)

  • MAK Proxy

  • Firewall configuration

    • RPC over TCP (TCP port 1688)

    • Initiated by the client

  • Change management on firewall rule sets

Test or development lab

Isolated network

If total computers > KMS activation threshold:

  • KMS host = 1 (per isolated network)

If total computers ≤ KMS activation threshold:

  • No activation (reset grace period)

  • MAK (by telephone)

  • MAK Proxy performed manually

  • Variable configuration

  • Limited number of computers

  • KMS host and MAK activation through telephone; MAK Proxy performed manually

Individual disconnected computer

No connectivity to the Internet or core network

Roaming computers that periodically connect to the core network or connect through a virtual private network (VPN)

Roaming computers with Internet access but no connection to the core network

For clients that connect periodically to the core network:

  • Use the KMS hosts in the core network

For clients that never connect to the core network or have no Internet access:

  • MAK (by telephone)

For networks that cannot connect to the core network:

  • If total computers > KMS activation threshold:

    1. Small: KMS host = 1

    2. Medium: KMS host ≥ 1

    3. Enterprise: KMS host > 1

  • If total computers ≤ KMS activation threshold, MAK Independent or MAK Proxy performed manually

For clients that never connect to the core network but have Internet access:

  • MAK (by Internet)

  • Restricted environments or networks that cannot connect to other networks

  • KMS host can be activated, moved to disconnected network

  • KMS host and MAK activation by telephone; MAK Proxy performed manually

The following sections describe examples of Volume Activation solutions in heterogeneous corporate environments that require more than one activation method. Each scenario has a recommended activation solution, but some environments may have infrastructure or policy requirements that are best suited to a different solution.

Core Network

A centralized KMS solution is recommended for computers on the core network. This solution is for networks that have well-connected computers on multiple network segments that also have a connection to the Internet. Figure 2 shows a core network with a KMS host.

Figure 2   Core network scenario

Figure 2   Core network scenario

Note   A KMS host can be installed on a virtual machine, but select a virtual machine that is unlikely to be moved to a different host computer. If the virtual KMS host is moved to a different host computer, the operating system detects the change in the underlying hardware, and the KMS host must reactivate with Microsoft. KMS hosts can activate with Microsoft up to nine times.

Isolated Networks

Many organizations have networks that are separated into multiple security zones. Some networks have a high-security zone that is isolated because it has sensitive information, while other networks are separated from the core network because they are in a different physical location (such as branch office locations).

High-Security Zone

High-security zones are network segments that are separated by a firewall that limits communication to and from other networks segments. If the computers in a high-security zone are allowed access to the core network by allowing TCP port 1688 outbound from the high-security zone and an RPC reply inbound, activate computers in the high-security zone by using KMS hosts located in the core network. This way, the number of client computers in the high-security network does not have to meet any KMS activation threshold.

If these firewall exceptions are not authorized and the number of total computers in the high-security zone is sufficient to meet KMS activation thresholds, add a local KMS host to the high-security zone. Then, activate the KMS host in the high-security zone by telephone.

Figure 3 shows an environment that has a corporate security policy that does not allow traffic between computers in the high-security zone and the core network. Because the high-security zone has enough computers to meet the KMS activation threshold, the high-security zone has its own local KMS host. The KMS host itself is activated by telephone.

Figure 3   High-security network scenario

Figure 3   High-security network scenario

If KMS is not appropriate because there are only a few computers in the high-security zone, MAK Independent activation is recommended. Each computer can be activated independently with Microsoft by telephone.

MAK Proxy activation by using VAMT is also possible in this scenario. Because the computers in the high-security zone do not have Internet access, VAMT can discover them by using AD DS, computer name, IP address, or membership in a workgroup. VAMT uses Windows Management Instrumentation (WMI) to install MAK product keys and CIDs and to retrieve status on MAK clients. Because this traffic is not allowed through the firewall, there must be a local VAMT host in the high-security zone.

Branch Office Locations

Figure 4   Branch office scenario

Figure 4 shows an enterprise network that supports client computers in three branch offices. Site A uses a local KMS host, because it has more than 25 client computers, and it does not have secure TCP/IP connectivity to the core network. Site B uses MAK activation, because KMS does not support sites with fewer than 25 KMS client computers, and the site is not connected by a secure link to the core network. Site C uses KMS, because it is connected to the core network by a secure connection over a private wide area network (WAN), and activation thresholds are met by using core network KMS clients.

Figure 4   Branch office scenario

Disconnected Individual Computers

Some users in an organization may be in remote locations or may travel to many locations. This scenario is common for roaming clients, such as the computers of salespeople or other users who are offsite but not at branch locations. This scenario can also apply to remote branch office locations that have no connection or an intermittent connection to the core network.

Disconnected computers can use KMS or MAK depending on how often the computers connect to the core network. Use KMS activation for computers that connect to the core network—directly or through a VPN—at least once every 180 days and where the core network is using KMS activation. Use MAK Independent activation—by telephone or the Internet—for computers that rarely or never connect to the core network. Figure 5 shows disconnected clients that are using MAK Independent activation through the Internet and the telephone.

Figure 5   Disconnected computers scenario

Figure 5   Disconnected computers scenario

Test and Development Labs

Lab environments usually have large numbers of virtual machines, and computers in labs are reconfigured frequently. Determine whether the computers in test and development labs need activation. The initial 30-day grace period of a computer that is running Windows 7 or Windows Server 2008 R2 can be reset three times without activating it. Therefore, if you are rebuilding lab computers within 120 days, these computers need not be activated.

If lab computers do require activation, use KMS or MAK activation. Use KMS activation if the computers have connectivity to a core network that is using KMS. If the number of computers in the lab meets the KMS activation threshold, deploy a local KMS host.

In labs that have a high turnover of computers as well as a small number of KMS clients, it is important to monitor the KMS activation count to maintain a sufficient number of cached CMIDs on the KMS host. A KMS host caches activation requests from computers for 30 days. (See the section “Minimum Computer Requirements” earlier in this guide for more information about how CMIDs affect activations.) If the lab environment needs activation but does not qualify for KMS activation, use MAK activation. MAK clients are activated by telephone or over the Internet, whichever is available to the lab.

MAK Proxy activation with VAMT can also be used in this scenario. Install VAMT in the isolated lab network and also in a network that has access to the Internet. In the isolated lab, VAMT performs discovery, obtains status, installs a MAK product key, and obtains the IID of each computer in the lab. This information can then be exported from VAMT, saved to removable media, and then the file can be imported to a computer that is running VAMT and has access to the Internet. VAMT sends the IIDs to Microsoft and obtains the corresponding CIDs that are needed to complete activation. After exporting this data to removable media, take it to the isolated lab to import the CIDs so that VAMT can complete the activations.

Note   In High Security mode, VAMT removes all personally identifiable information (PII) from the file that it exports. This file is a readable Extensible Markup Language (XML) file that can be reviewed in any XML or text editor.