setup KMS server and restrict KMS activation to 1 office only

  • Question

  • hi

    we have offices in the US, UK and India.

    each office purchases their own MS licensing as they are all separate financial entities and also because of the size of our company MS told us this is how we had to do things (and even if this has changed now we are not going to change it as our finance people quite like this arrangement)

    i would like to set up a KMS server for office 2010 activation for our citrix xendesktops, i have tried using MAK keys but for some reason i have to keep re-entering this and citrix support suggested setting up a KMS server.

    i am fine building out a KMS server but i need to ensure that only the citrix xendesktops and other UK devices use this KMS server for their licensing. I do not want any of the US or india computers to use this KMS server.

    is there a simple way of achieving this (restricting the use of the KMS server to a particular country/office)?

    All our offices are connected via VPN or MPLS links and we have 1 Active Directory domain. is it possible to restrict this per Organisational Unit or per AD site or....

    many thanks

    • Moved by James Xiong Monday, June 18, 2012 2:17 AM Setup Deployment Related Issue (From:General)
    Friday, June 15, 2012 3:33 PM

All replies

  • No. KMS publishes the record in DNS so that devices in the domain query DNS to get the SRV record and then activate. Perhaps... do not publish the DNS record for KMS and on the client manually configure the client to point to the KMS server by name, CNAME etc.

    slmgr.vbs /skms KMSServerName

    My question is why does it matter? What difference does it make if a client from an office hits KMS, why create redundant services? The mechanism is there to keep track of count, do you have more than 5 servers or more than 25 workstations.... does track the activations themselves for auditing for example.


    Dave Guenthner [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights. http://blogs.technet.com/b/davguents_blog

    • Proposed as answer by Meinolf Weber Sunday, June 17, 2012 5:06 PM
    • Marked as answer by James Xiong Thursday, June 21, 2012 1:03 AM
    Friday, June 15, 2012 5:35 PM
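
Dave's suggestion applied to Office 2010, as an added example that is not part of the thread: a startup script that a GPO linked to the UK OU could run. The host name `kms-uk.example.com` and domain `example.com` are placeholders; `ospp.vbs /sethst` is the Office 2010 counterpart of `slmgr.vbs /skms`, and `slmgr.vbs /cdns` on the KMS host stops it publishing its SRV record.

```powershell
# Added example (not from the thread): pin Office 2010 on a UK machine to one KMS host.
# $KmsHost and $Domain are placeholder values; replace them with your own.
param(
    [string]$KmsHost = 'kms-uk.example.com',
    [string]$Domain  = 'example.com',
    [int]$Port       = 1688   # default KMS TCP port
)

# 1. Warn if a KMS SRV record is still published. While it exists, every
#    domain client that is not pinned to a host will auto-discover this one.
$lookup = & nslookup.exe -type=SRV "_vlmcs._tcp.$Domain" 2>&1 | Out-String
if ($lookup -match 'svr hostname\s*=\s*(\S+)') {
    Write-Warning ("SRV record _vlmcs._tcp.$Domain still points at $($Matches[1]). " +
        "Run 'slmgr.vbs /cdns' on the KMS host and delete the record from DNS.")
}

# 2. Find the Office 2010 licensing script (32- or 64-bit install).
$ospp = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Microsoft Office\Office14\OSPP.VBS' } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1
if (-not $ospp) {
    Write-Error 'OSPP.VBS not found; Office 2010 does not appear to be installed.'
    exit 1
}

# 3. Pin the Office KMS client to the UK host, then activate and report.
#    Windows activation is untouched, so the OS can stay on MAK.
& cscript.exe //nologo $ospp "/sethst:$KmsHost"
& cscript.exe //nologo $ospp "/setprt:$Port"
& cscript.exe //nologo $ospp /act
& cscript.exe //nologo $ospp /dstatus
```

Pinning clients this way only removes auto-discovery: a machine in another office that is manually pointed at the host can still activate unless TCP 1688 on the host is also restricted, for example with the server isolation approach linked later in the thread.
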
  • Like Dave said, I would make the host record on the DNS the xendesktop use. I think you can make a computer ACL on those records (as your pooled group must be using the same name)

    A side note, using a golden image is not supported with KMS activation. So the DNS way is your way out of that problem. (If the vDisk is used in Standard Image Mode, subsequent client machines will boot from the vDisk normally. At boot-up, and periodically thereafter, each client re-activates with the KMS server. Any updated activation data is discarded at shutdown when the write-back cache is purged. However, testing has shown that the re-activations are done in the background and have no noticeable user or performance impact.) (CTX124106)

    If the problem persists, I am not sure you should post on citrix forum or there, as it's a problem that arises because of the PVS.


    MCP | MCTS 70-236: Exchange Server 2007, Configuring

    Friday, June 15, 2012 7:40 PM
  • My question is why does it matter? What difference does it make if a client from an office hits KMS, why create redundant services? The mechanism is there to keep track of count, do you have more than 5 servers or more than 25 workstations.... does track the activations themselves for auditing for example

    i think it matters because licenses are assigned to devices (manually via MAK currently but hopefully by KMS in future) using the licenses purchased for that particular office (that is what MS licensing told us to do) so if i setup a KMS server for the UK office (for citrix xendesktops and other workstations in that office) i don't really want US or India users to be able to make use of the UK licenses.

    i think that is a reasonable ask or not. isn't the KMS server once you have uploaded your office 2010 licenses limited to a certain number of activations? if yes then i run the risk of going over that certain number of activations if i cannot limit it to just 1 office location. or is there no limit on activations? but then again you would not want to break MS licensing rules either by having US office 2010 installations activate themselves by using UK purchased office 2010 licenses

    Friday, June 15, 2012 9:42 PM
  • Like Dave said, I would make the host record on the DNS the xendesktop use. I think you can make a computer ACL on those records (as your pooled group must be using the same name)

    A side note, using a golden image is not supported with KMS activation. So the DNS way is your way out of that problem. (If the vDisk is used in Standard Image Mode, subsequent client machines will boot from the vDisk normally. At boot-up, and periodically thereafter, each client re-activates with the KMS server. Any updated activation data is discarded at shutdown when the write-back cache is purged. However, testing has shown that the re-activations are done in the background and have no noticeable user or performance impact.) (CTX124106)

    If the problem persists, I am not sure you should post on citrix forum or there, as it's a problem that arises because of the PVS.

    the citrix consultant who set up the vdisk suggested i setup a KMS server. for the first 18 months it worked fine with MAK activation but for some reason this no longer works and he suggested i use a KMS server instead
    Friday, June 15, 2012 9:44 PM
  • KMS is really not an infrastructurally robust service.  Apparently the designers are not familiar with anything more complex than a simple corporate network.  How hard would it have been to implement a group key to limit licenses to specific clients?

    But anyway… you may want to look at using an IPSec policy to protect your KMS traffic and use group policies to distribute the configuration to license consumers.  Then you can deploy KMS access the same way you apply GPOs.

    Here is a link to a TechNet article that explains how to do it.  It’s not as complicated as it first looks.

    "Using Server Isolation to Help Protect Key Management Service (KMS) Hosts"

    http://technet.microsoft.com/en-us/library/cc723923.aspx

    Jimmygrec

    Friday, June 15, 2012 10:39 PM
  • The mechanism is there to keep track of count, do you have more than 5 servers or more than 25 workstations.... does track the activations themselves for auditing for example

     No, it doesn't track activations, it only counts until the minimum threshold is reached and beyond that number it doesn't care.

    i don't really want US or India users to be able to make use of the UK licenses.

     
     it doesn't matter for license tracking. the number of client licenses a KMS has activated is immaterial, the actual permitted number is what you have paid for vs. what you have. not related to whose KMS activated whatever product.

    i think that is a reasonable ask or not. isn't the KMS server once you have uploaded your office 2010 licenses limited to a certain number of activations? if yes than i run the risk of going over that certain number of activations if i cannot limit it to just 1 office location. or is there no limit activations? but then again you would not want to break MS licensing rules either by having US office 2010 installations activate themselves by using UK purchased office 2010 licenses

    A KMS is not limited in activations at all, it is unlimited. if you install and activate the necessary KMShost productkeys, and minimum threshold is reached, that KMS will forever issue activations to an unlimited number of clients.
    US or UK doesn't matter who paid for it as long as it was paid for :)

    Don

    Friday, June 15, 2012 11:59 PM
  • If it was working and now not, then it's a PVS problem.

    Please see your VDISK setup in your Provisioning Server Console. You have to set it up to support MAK or KMS. Not both. If you updated the VDISK manually. Example, version 1.1 to version 1.2 without the "Check for update" option, then you lose all the MAK/KMS stored for those machines, you absolutely need to update the VDISK with that option to have such information follow.

    So, I really suggest to check on citrix forum like I told you. I am pretty sure it's a known issue.


    MCP | MCTS 70-236: Exchange Server 2007, Configuring


    Sunday, June 17, 2012 2:37 AM
  • Hi,

    If you would like to track the activations, I think you could use the Volume Activation Management Tool to manage. There is a link for your reference:

    Title: Managing Activation Using the Volume Activation Management Tool (VAMT)
    URL: http://technet.microsoft.com/en-us/library/ff686876.aspx

    Regards,
    James


    James Xiong

    TechNet Community Support


    Monday, June 18, 2012 6:03 AM
  • i have found various citrix forums with topics discussing this

    pvs is enabled for mak licensing but i found this article which says mak licensing for the OS and use KMS for the office 2010 suite.

    apparently citrix pulled some articles which described that mak for office 2010 was supported as they presumably discovered some bugs hence the intermittent issue (as in it used to work but no longer)

    i will setup a kms server and enable it for office 2010 and test it out in my DR site and see if that works

    will get started on the KMS server today and will let you know how it goes

    Monday, June 18, 2012 8:22 AM
  • setup a kms server for office 2010 only based on this document

    http://forums.citrix.com/thread.jspa?threadID=273186

    changed the main pvs disk image for office licensing to KMS server (left windows 7 licensing as MAK)

    also changed 4 other physical laptops to use KMS licensing for office 2010 and this is now working fine.

    no more licensing activation issues when PVS spins up a new windows 7 desktop

    regards

    • Proposed as answer by Yagmoth555MVP Monday, June 18, 2012 1:50 PM
    • Marked as answer by James Xiong Thursday, June 21, 2012 1:03 AM
    Monday, June 18, 2012 11:33 AM
  • Licensing brings headaches with the PVS, that's why I was sure it was a problem from there. If your setup becomes bigger you can go with remote app or xenapp for your office 2010, the count is easier to follow that way if you want to have 1 virtual machine image, but distributing office to only some people.

    MCP | MCTS 70-236: Exchange Server 2007, Configuring

    Monday, June 18, 2012 2:13 PM