VAMT - Volume Activation Management Tool

    Question

  • I have searched through the forum, and cannot find a single mention of VAMT. There are a few posts about MAK and KMS, but precious few. Is anyone out there using VAMT yet?

    I have spent several hours on VAMT so far, and would like to share some findings (most of which are undocumented); hopefully they prove useful to others. I also have some questions!

    Before I start, I should say I am using "Volume Activation Management Tool v1.1", running on Windows Server 2003 (Standard Edition Service Pack 2), and have 2 MAK keys (1 for Server 2008 and 1 for Vista Clients).


    1) VAMT does not work through a Proxy Server which requires basic authentication; Microsoft provides 3 workarounds, the first of which is to use Telephone Activation! What kind of suggestion is that for an Enterprise-level tool? To compound the problem, the error message provided (when, for example, checking the number of remaining MAK activations) is useless and stupid:
    **********************************************************
    Unexpected Error
    ----------------
    An unexpected error has occurred
    The following information was found for this error:
    Code: 0x8004FE33
    Description: Unable to find a detailed error description.
    The facility code is: ITF (0x04)
    Facility error: 0xFE33 (65075L)
    **********************************************************

    Starting to sound like a rant, and I'm only on my first point...
    It is possible you will get a more meaningful error message if you are running VAMT on Windows Server 2008. Anyway, watch out for problems with a proxy server.


    2) A Firewall on the Client, either the built-in Windows Firewall or a third-party Firewall, will most likely block an incoming VAMT connection. [In this context, a Client includes Windows 2008 Servers as well as Vista Clients.] VAMT uses WMI to communicate with Clients. WMI uses RPC/DCOM, and it needs to connect to TCP/135 on the Client. Normally 2 connections are established by VAMT, so I guess this is an asynchronous WMI operation?

    Once the connection to TCP/135 is established, a third connection is then opened:
    For example: C:\>netstat -ano | find "1.2.5.6"
      TCP    1.2.3.4:2866       1.2.5.6:135        ESTABLISHED     808
      TCP    1.2.3.4:2867       1.2.5.6:135        ESTABLISHED     808
      TCP    1.2.3.4:2868       1.2.5.6:49156      ESTABLISHED     6544

    In this example, the 2 Windows Processes are:
      PID 808   svchost.exe running as NETWORK SERVICE
      PID 6544  VAMT.exe running as <logged-on-user>

    My question is, what is the Port Range used for this third connection? We have allowed the range 49152-49157 (through trial-and-error testing), but I cannot find any documentation to help. And in summary, watch out for Client Firewalls blocking VAMT.
     

    3) I had a Windows Server 2008 machine which had exceeded its activation period (aka grace period). In this state, VAMT completely failed to activate the 2008 machine. Can VAMT not activate/licence an OS whose grace time has expired?
    The solution I found to work was: reset the activation period on the Client by running "slmgr.vbs /rearm"; VAMT was then able to activate it.


    4) If I "refresh computer status", any computer which cannot be contacted is shown with a yellow alert and activation state of <not available>. My issue is, an activated and licenced computer which is not currently connected to the network, changes from a nice green tick to a nasty yellow alert. Which plays complete havoc with trying to manage licences. Surely this doesn't make sense?


    5) We have an Ubuntu "Hardy Heron" workstation, joined to our Active Directory. For some reason VAMT has detected it and added it to the list. I can guess that it detected the high OS version number. So in VAMT, I have a workstation with an OS version of 8.04; surely VAMT should not be detecting any Microsoft OS which is not Vista or Server 2008, never mind a Linux-based workstation?


    6) Finally, my last point - and this is a partial rant. With the hours I have now spent on VAMT, and the likelihood that many more hours will be spent in the future administering VAMT, my question is: what have I, or my company, gained? The answer is, absolutely nothing. The new requirement to activate Servers, for a company with a Volume Licensing Agreement, is purely an additional burden and additional cost. Nothing so far has made implementing VAMT easy, and it is clear that VAMT is less-than-polished software. Are there plans to improve the current system?


    Sorry for the long post!
    Andy

    Wednesday, May 21, 2008 2:25 PM

Answers

  • Hello Andy,

    1) The issues with Basic Authentication for VAMT should be similar to what is referenced in article http://support.microsoft.com/kb/921471/ . Checking to see what updates need to be added to this article to help answer some of this issue.
    0x8004FE33 HTTP_STATUS_PROXY_AUTH_REQ,
    as explained here: http://support.microsoft.com/kb/931276.
    The VAMT error code lookup system relies on the OS installed; hence, in the help file under Troubleshooting the VAMT it states:
    "Note: Some errors will only translate if the VAMT is installed on a Windows Vista or Windows Server 2008 computer."
    We use WinHTTP when talking to the VAMT web service, which uses IE proxy settings by default. When the proxy server requires authentication, VAMT doesn't have a UI to prompt for a user name and password to authenticate.

     2) Firewall client configuration is discussed in detail in the VAMT.CHM topic "Configure Client Computers". From the CHM file:
    "In certain scenarios, only a limited set of Transmission Control Protocol/Internet Protocol (TCP/IP) ports are allowed through a hardware firewall. Administrators must ensure that WMI (which relies on Remote Procedure Call (RPC) over TCP/IP) is allowed through these types of firewalls. By default, the WMI port is a dynamically allocated random port above 1024. The following Microsoft knowledge article discusses how administrators can limit the range of dynamically allocated ports. This is useful if, for example, the hardware firewall only allows traffic in a certain range of ports.
    For more information about how to configure RPC dynamic port allocation to work with firewalls: http://support.microsoft.com/kb/154596 "

    3) This should work when the machine is in its grace period. Do you have any more details on the error messaging or output from one of the machines failing when in grace expiration? I would like to see that. You should not have to rearm for this to work. Do you have a machine in this state again? Please let me know so we can collect some information: slmgr -dlv output from the client, for example, and event log messages.

    4) The VAMT icon changes from "Green" to "Yellow"; this is how it's supposed to work, as when you choose to refresh the status of a computer and fail to get status, VAMT cannot determine the latest licensing status of the machine. The icon changes color because the last operation failed (refresh status of a computer). However, the License Status and Grace expiration date should not change unless you have obtained status successfully from the computer.

    5) The filter that VAMT uses to query Microsoft Active Directory is for computers with an OS version > 6.0. This was done to speed up AD queries in domains with many computer objects. In future versions, we are considering enhancing how computers are located in AD.

    6) For Windows Server 2008, if the environment can support KMS (Key Management Service) then it might be an easier option; for more information see http://www.microsoft.com/technet/volumeactivation/
    Thanks
    Darrell Gorter [MSFT]


    Thanks, Darrell Gorter[MSFT] This posting is provided "AS IS" with no warranties, and confers no rights
    Sunday, June 01, 2008 1:13 AM
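
    Added example (not part of the original thread, and not Microsoft or VAMT code), relating to point 2: a Python script that reads `netstat -ano` output from the VAMT host, finds clients that were contacted on the RPC endpoint mapper (TCP/135), and reports which dynamic ports on those clients fall outside the range allowed through the client firewall. The function names and the rows marked as constructed are assumptions; the range 49152-49157 is the one the question says was allowed.

```python
import re
from collections import defaultdict

EPMAP_PORT = 135  # RPC endpoint mapper: WMI/DCOM contacts it first

# One IPv4 TCP row of `netstat -ano`: local addr, remote addr, state, PID.
ROW = re.compile(r"^\s*TCP\s+\S+:\d+\s+(\d+(?:\.\d+){3}):(\d+)\s+(\w+)\s+(\d+)\s*$")

def parse_netstat(text):
    """Return (remote_ip, remote_port, state, pid) for every TCP row found."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return rows

def audit_rpc_ports(text, allowed):
    """For each client reached on TCP/135, list the dynamic ports used on it,
    split by whether they fall inside the client firewall's allowed range."""
    lo, hi = allowed
    ports_by_host = defaultdict(set)
    for ip, port, _state, _pid in parse_netstat(text):
        ports_by_host[ip].add(port)
    report = {}
    for host, ports in ports_by_host.items():
        if EPMAP_PORT not in ports:
            continue  # no endpoint mapper contact: not an RPC/WMI session
        dynamic = sorted(p for p in ports if p > 1024)
        report[host] = {
            "inside": [p for p in dynamic if lo <= p <= hi],
            "outside": [p for p in dynamic if not lo <= p <= hi],
        }
    return report

# Rows for 1.2.5.6 are the sample from the question; the rest are constructed.
SAMPLE = """\
  TCP    1.2.3.4:2866       1.2.5.6:135        ESTABLISHED     808
  TCP    1.2.3.4:2867       1.2.5.6:135        ESTABLISHED     808
  TCP    1.2.3.4:2868       1.2.5.6:49156      ESTABLISHED     6544
  TCP    1.2.3.4:2901       1.2.5.7:135        ESTABLISHED     808
  TCP    1.2.3.4:2902       1.2.5.7:49190      SYN_SENT        6544
  TCP    1.2.3.4:3000       1.2.9.9:443        ESTABLISHED     1200
"""

if __name__ == "__main__":
    for host, result in audit_rpc_ports(SAMPLE, (49152, 49157)).items():
        print(host, result)
```

    A dynamic-port connection that stays in SYN_SENT, as in the constructed 1.2.5.7 row, is consistent with a firewall dropping a port outside the allowed range.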

All replies

  • I guess from the lack of response (or maybe just lack of interest :) ) that VAMT does not feature heavily in your job descriptions. At least, not at the moment.

    I want to add another question (or rant) to my original post:

     

    7) If you choose to "Add Computers" to an existing computer group, and just let VAMT search your Active Directory, it picks up all Server 2008 and Vista Clients. BUT, the licence status (or license status if you must) for ALL existing computers in the group, changes from whatever it was before, eg. "Licensed", to "<not available>". So my carefully managed Computer Information List is completely wrecked in one swift move.

     

    You can then refresh the computer status for all computers, but any that are not currently connected to the network will remain with a status of "<not available>". Where is the logic to this?

    Monday, May 26, 2008 9:12 AM
  • Hello Andy,
    As for number 7
    7) Adding computers to an existing group does not reset the license status of existing computers in that group.  If you refresh the licensing status of a computer in an existing group, VAMT tries to update the license status of that computer, but if the computer is offline, it can’t find the current license status, so it displays <not available> in that case.

     If you have crafted a CIL (list of computers) and saved it into a CIL file, then the file doesn’t get overwritten unless you choose to do so. So if you try to refresh the status and then don’t like what you see, you don’t have to save the CIL. The original CIL is still there in case you want to start from that point for a future VAMT run.

    Thanks
    Darrell Gorter [MSFT]

    This posting is provided "AS IS" with no warranties, and confers no rights


    Thanks, Darrell Gorter[MSFT] This posting is provided "AS IS" with no warranties, and confers no rights
    Monday, June 02, 2008 5:46 PM
  • Hi Darrell,

    Many thanks for taking the time to answer my questions. I could discuss each of your responses in detail, but that would be a little churlish! Overall you have answered all of my points. I still stand by my assertion that the documentation is not 100% clear, and that the software itself is less-than-polished.

    I accept your point about a CIL file only being updated when saved, so my Computer Information List is only wrecked if I choose to save the recent changes.

    With regards item (3), I did originally save "slmgr -dlv" output; unfortunately I have since deleted the file  :(
    If I come across the situation again, I'll post full details.

    However, the main idea behind my post was to provide a starting point for future discussions on VAMT, as I am sure it will become a bigger issue once Enterprises start to roll out Server 2008.

    Thanks again,
    Andy

    Wednesday, June 11, 2008 4:03 PM
  • I too am having issues with VAMT.

    I have installed it on a W2K8 machine on which I was able to do a MAK Independent license assignment; however, I do NOT have the MAK Proxy Activate option available??

    My other machines are not internet attached, so I have to use the MAK proxy option.

    Thanks
    Friday, February 06, 2009 6:09 PM
  • I too agree with your assessment. As an IT manager for a multimillion dollar company, and a Microsoft partner, I see NO BENEFIT whatsoever to the end user/client with this new volume activation requirement. The benefit is strictly to Microsoft, who wish to reduce the piracy of their volume licensed products.

    I find it absolutely dumb that you can’t activate Vista or Win7 clients via KMS until you reach 25! What about companies that roll out workstations via attrition? It could take a year to get to 25. How am I supposed to get my machines to keep rolling when you only give me days to activate?

    VAMT is a joke too. Microsoft doesn’t even give me as many activations on MAK keys as the number of licenses we own, and to be frank, I find it insulting I have to call MS and beg for the activations I outright own.

    I know you are trying to cut down on piracy, but this is costing you business. I just had to deploy a server to run basic smtp just to relay mail. I also had to deploy a file server and another server to handle faxing. You think any of them are running Windows now? Ubuntu baby!

    As a Microsoft partner, when a client says this is a royal pain in the butt and asks what the benefit is to them, what are we supposed to say?

    You want to cut down on the piracy of volume licensed products? How about you hold the companies that lose their keys financially responsible as opposed to punishing us all!

     

    Monday, December 21, 2009 6:43 PM
  • ZackinMA, I think you've fallen into the same trap I just did - the keys that you buy are installed on the KMS Server, not the clients:

    Once you have added the product key, go back to the computers list, right-click on the machine(s) you want to activate and choose "Install Product Key", then pick the "Install a KMS Client Key" radio button (the default is "select a product key" but that will only let you pick HOST keys (which go on the KMS Servers) and not the CLIENT keys). After a few seconds installing the product key, it should report that it has successfully installed the key. Again, right-click on the client(s) you want to activate and choose Activate > KMS Activate. Choose whether to use DNS to discover the KMS Server or specify the server to activate from and click OK. It *should* then activate successfully.

    I use Server 2008R2 with VAMT2 so apologies if things are a little different for me

    Friday, December 03, 2010 11:53 AM