In my travels recently (which explains the paucity of blog entries) I have noticed a lot of organizations seem to be struggling with Microsoft’s Key Management Services (KMS). Today I’ll briefly cover the technology and how it can help your business.

What is it?

Microsoft KMS is a service that companies who have volume licensing agreements for their Microsoft Products can activate installed copies of their software.

What’s covered?

As of this writing, KMS covers all volume licensing editions of Windows Server 2008, Windows Server 2008 R2, Windows Vista, Windows 7, and Office 2010.

What are the benefits?

KMS makes it possible to deploy and activate the products listed above WITHOUT DISTRIBUTING YOUR LICENSE KEYS TO ANYONE. Think about it – by using KMS you no longer have to build unattended installations with your license keys in the answer files, or give your license keys out to your IT team responsible for deploying software.

Another benefit is that after a set period of time (by default 6 months) if a computer cannot contact the KMS server the software is “deactivated”. This is useful for laptops that are popular theft items.

How does it work?

Every computer running Windows Server 2008, 2008R2, Windows Vista, or Windows 7 has the ability to become a KMS server. Additionally there’s an add-on for Windows Server 2003 that does the same thing. For Office 2010 activations there’s a small installation program available from Microsoft that will add support to an existing KMS server, however this can only be run on a KMS server running on Windows 2003, Windows Server 2008 R2, or Windows 7.

When you turn on KMS  server it publishes an SRV record to DNS with the server name and port (default is 1688). The record name is _vlmcs, and there is one per domain. The volume licensing editions of the products listed above are setup to use KMS by default. They will attempt to contact the KMS server listed in the SRV record and request an activation. By default they try every 2 hours until they are activated, and then they check in once per week. If they cannot contact the KMS server during the one week period (such as a laptop used by a travelling sales rep) no problem – it stays activated until six months have elapsed.

The protocol is designed to be very lightweight and resilient. You can have multiple KMS servers, but keep in mind that there are minimum thresholds of unique activation requests that must be received before KMS will activate. If you have a big network you may consider multiple KMS servers by site, but to do that you need to run some script commands on each client to specify the KMS server to use.

What if the KMS server fails? With a default config it’s easy. Just delete the _vlmcs SRV record, install a new KMS server, and activations will switch to the new server over time.

Sounds easy – what’s the catch?

A few things. First, to activate a given product class, a minimum number of requests must be received. This is to prevent someone from installation a KMS server with your key at home, say a Windows Administrator who has your keys.

Once you reach those thresholds, at next check all copies will that particular product will activate. Note that you need 25 or 5 machines for Desktop OSs and Server OSs, respectively. It doesn’t matter what combination of OSs those machines are running.

Now there’s another catch that has caught many companies by surprise. When it comes to OSs (not the Office 2010 activations) KMS server will only activate products within the same product group or lower! So you want to install KMS on the highest level operating system you will run in your company. See the activation matrix at the end of this post.

Installing the KMS server is easy – simply activate the server installation with using the appropriate KMS product key for your company, available from the Microsoft Volume Licensing Center.

If you have machines that are not on your network at least every six months, you can activate that machine using retail codes or a MAK (multiple-activation key) that comes with your licensing agreement. MAK codes have an upper limit to the number of activations before you have to contact Microsoft. We think for medium and large organizations KMS will be the preferred choice, although MAK keys will certainly come in handy for special use cases such as laptops issued to telecommuters without VPN access to the KMS server.

There are a few other caveats to be aware of such as most of the administration of KMS happening through the use of Microsoft-supplied VBS files, but as you can see installing KMS can help ease the administration of license information in your organization and help ensure that your keys remain private and confidential. If you have further questions, feel free to sound off here. In addition, Walker IT Group, LLC offers KMS consulting services to help you determine the best use.

For more information you can review Microsoft’s Volume Activation section of TechNet Library.