Windows Vista MIT - PowerPoint PPT Presentation

Slides: 20
Provided by: R165
Transcript and Presenter's Notes

Title: Windows Vista MIT


1
Windows Vista @MIT
Windows Vista Activation @MIT
And Windows Vista for WIN.MIT.EDU
2
Windows Vista @MIT
  • Vista Enterprise Activation on the MIT Campus
  • An overview of MIT's Vista Activation services
  • Windows Vista in the WIN.MIT.EDU domain
  • An overview of WIN.MIT.EDU's implementation of
    Windows Vista

Richard Edelson, Network Infrastructure Services
Team, Information Services Technology
3
Windows Vista Enterprise Activation
  • VA 1.0: Volume Activation 1.0
      • User enters a Volume Key to install the software
      • Requires Volume Media
      • Volume Media of Windows XP does not require
        activation.
      • Volume Media of Office XP, 2003 and 2007 do not
        require activation.
  • VA 2.0: Volume Activation 2.0
      • Vista Enterprise Volume Media does not require
        any key for installation. Must be activated
        within 30 days of installation.
      • Activation can take place automatically without
        the distribution of a key using a KMS server.
      • Windows Longhorn server will also require
        activation similar to Windows Vista.

4
Why is Microsoft introducing Volume Activation?
  • Software piracy is an industry problem
  • Billions of dollars of lost software license
    revenue per year.
  • Challenges in managing software assets
  • Requires combination of education (guidance on
    how to protect software), engineering (software
    and anti-counterfeiting technologies) and
    enforcement (support from government/law
    officials)
  • VL software is a major source of pirated
    Microsoft software
  • 40% of Windows is pirated; 46% of pirated Windows
    is from leaked VL keys
  • Thousands of VL keys provided to customers have
    leaked
  • Re-keying happens and it is very cumbersome
  • Microsoft is building Enterprise-class solutions
    open to industry partners
  • Volume Activation 2.0 is a new solution being
    introduced with Windows Vista
  • Volume Activation 3.0 will have improved tools
    and asset management

5
VA 2.0 Activation Methods
  • MAK - Multiple Activation Key
      • One product key can activate a specific number of
        computers. Each activation results in depletion
        of the activation pool. MAKs are activation
        keys; they are not used to install Windows but
        rather to activate it after installation.
      • There are two ways to activate computers using
        MAK:
          • MAK Proxy Activation: a solution that enables
            a centralized activation request on behalf of
            multiple desktops with one connection to
            Microsoft.
          • MAK Independent Activation: requires that each
            desktop independently connect and activate
            against Microsoft.
  • KMS - Key Management Service
      • KMS enables organizations to perform local
        activations for computers in a managed
        environment without connecting to Microsoft
        individually. A KMS Key is used to enable the Key
        Management Service on servers controlled by the
        organization. KMS is targeted for larger
        environments where computers are consistently
        connected to the organization's network either
        directly or via a VPN.

6
VA 2.0 Activation @MIT: KMS
  • Why did we choose KMS?
  • Unlike MAK, KMS activation services do not impose
    a hard limit when activation counts are
    depleted. Additional hosts can still activate
    Windows.
  • With MAK, if the counts are depleted, nobody at
    MIT would be able to activate a new computer
    until we called Microsoft and purchased more
    licenses.
  • Unlike MAK, KMS activation services allow unused
    activations to expire, therefore refreshing the
    activation pool. An activation expires if the
    host has not contacted a KMS server in over 180
    days.
  • KMS services allow end users to reinstall Windows
    without risk of depleting the activation pool.
  • KMS allows machines with properly configured DNS
    settings to auto-activate, without user
    intervention. This is useful for environments
    where the end user does not have administrative
    access to the workstation. This makes the
    activation process nearly transparent.

7
How Does KMS work?
  • A KMS server is activated using a special KMS key
    via an online activation with Microsoft. This key
    may be activated 6 times.
  • A KMS server requires a minimum of 25 Vista
    clients in its pool to begin activating client
    machines. Virtual machines can also be activated,
    but they do not contribute to the pool count.
  • By default, all volume editions of Windows Vista
    install as KMS clients. Volume edition Vista
    clients will automatically try to locate and
    activate from a KMS server without the use of a
    product key. Client computers locate the KMS
    server via SRV records in DNS, or by using
    connection information specified in the registry.
  • Clients that are not activated attempt to connect
    with the KMS host every two hours. A new
    installation must be activated within 30 days or
    it will enter Reduced Functionality Mode.
  • KMS Clients must renew their activation by
    connecting to the KMS host at least once every
    180 days to stay activated. Once activated, the
    client computers attempt to renew their
    activation every seven days. If the client cannot
    renew its activation, it will retry every two
    hours.
  • KMS SRV records must exist in the DNS zone the
    client is using. If a DNS subdomain is used, SRV
    records must also exist in that subdomain.
    Contact network@mit.edu if you need assistance
    determining the proper SRV records for your
    subdomain.
  • Some private subnets at MIT may need to be added
    to an IP ACL to gain access to MIT KMS servers.
    Contact network@mit.edu for such access requests.

8
KMS Activation
[Diagram: MIT Campus network. Labels: One-time KMS server activation with Microsoft; KMS Servers; SRV Records in DNS; Vista Clients; MIT VPN; VPN Clients. Access to MIT KMS services is restricted to campus use.]
Clients query their system primary DNS zone found
in the System Control Panel for KMS server
records, then poll a KMS server for activation.
9
Reduced Functionality Mode
  • After installation and the conclusion of the 30
    day grace period, product activation is required.
    Failure to activate results in Windows being
    placed in Reduced Functionality Mode (RFM). There
    is no start menu, no desktop icons, and the
    desktop background is changed to black. After
    one hour, the system will log the user out
    without warning. The computer is not shut down,
    and the user can log back in. This is different
    from the Windows XP RFM experience, which limited
    screen resolution, colors, sounds and other
    features.
  • Once a copy of Windows Vista has moved into RFM,
    the user will be presented the four options at
    their next logon (pictured on the right).
  • Users on Campus or connected via the MIT VPN that
    have never activated their computer within 30
    days should click "Activate Windows online now".
    The same is true for users who had activated but
    exceeded the 210 day (180 days plus 30 days grace
    period) activation expiration without being
    connected to MIT's network.
  • By clicking "Access your computer with reduced
    functionality", the default Web browser is
    started and the user is presented with an option
    to purchase a new product key. The Web browser
    will function fully and Internet connectivity
    will not be blocked.
  • The "Retype your product key" option is not used
    for machines activating with a KMS server.
  • If no Internet connection is detected, the user
    can click "Show me other ways to activate" to use
    telephone activation. This option will not be
    active if an Internet connection is present on
    the system.

10
Configuring clients for activation
  • If your machine is configured to use MITnet DHCP
    services, the activation should occur
    automatically within the first three days. The
    DHCP lease contains the correct configuration
    information needed to activate. This is also true
    if you are using an MIT wireless network.
  • If your computer is a member of the WIN.MIT.EDU
    domain no configuration is necessary.
  • Determining if your computer has already been
    activated:
      • Open the System Control Panel. In the Windows
        activation section, "Windows is activated" will
        appear below if the computer has already
        activated.
  • If you still need to activate: configure Vista
    with the correct Primary Domain Suffix
      • Open the System Control Panel. In the "Computer
        name, domain, and work group settings" section,
        click Change settings. Click on the Change
        button, then click the More button. Set the
        primary DNS suffix for this computer to
        MIT.EDU. Click OK and close the open windows.
        Reboot your computer and you should be activated.
  • Using the MIT VPN
      • If Vista is not yet activated, follow the steps
        above to set up the Primary Domain Suffix. Then
        reconnect to the VPN after the reboot.

11
Maintenance of machines activated via the VPN
  • Your computer needs to reactivate at least once
    in 180 days.
  • After 180 days, if the computer has not
    reactivated, it will enter a 30 day grace
    period. After the 30 day grace period the machine
    will go into reduced functionality mode.
  • If your machine is a laptop, it is recommended
    that you periodically boot it while on the MIT
    network. Then the system will communicate with
    the KMS servers automatically. This is
    recommended for any user, but especially for
    those who do not have administrative rights.
  • To determine how many days are left until you
    need to reactivate:
      • Open a command window
          • If the UAC is on: from the Start button, select
            All Programs, then Accessories. Right-click on the
            Command Prompt icon and select Run as
            Administrator.
          • If the UAC is off, simply open a command window
            from a user session with administrative
            privileges.
      • Within the command window run the following:
          • cscript %windir%\system32\slmgr.vbs -xpr
  • How to manually reactivate:
      • From a command window which has been launched
        (see above), run the following:
          • cscript %windir%\system32\slmgr.vbs -ato
  • More information can be found at
    http://itinfo.mit.edu/product.php?vid=735
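
The timing rules from the "How Does KMS work?", "Reduced Functionality Mode" and maintenance slides can be turned into a fleet check that lists machines in or close to RFM. This is an added example, not part of the original presentation or MIT's tooling; the function names, the 14-day warning threshold and the inventory rows are constructed assumptions.

```python
from datetime import datetime, timedelta

# Intervals as stated in the slides for Vista KMS clients.
INITIAL_GRACE = timedelta(days=30)   # new install must activate within 30 days
VALIDITY = timedelta(days=180)       # activation lapses 180 days after last KMS contact
EXPIRY_GRACE = timedelta(days=30)    # grace after a lapse (210 days in total)
RENEW_EVERY = timedelta(days=7)      # activated clients attempt renewal weekly
RETRY_EVERY = timedelta(hours=2)     # unactivated clients, or a failed renewal
WARN_WITHIN = timedelta(days=14)     # assumption: reporting threshold, not from the slides


def kms_status(installed, last_contact, now):
    """Return (state, rfm_deadline, next_attempt_interval) for one client.

    last_contact is None when the machine has never reached a KMS host.
    """
    if last_contact is None:
        deadline = installed + INITIAL_GRACE
        return ("initial-grace" if now < deadline else "rfm"), deadline, RETRY_EVERY
    expires = last_contact + VALIDITY
    deadline = expires + EXPIRY_GRACE
    if now < expires:
        # Still activated; a contact older than 7 days means renewals are failing.
        overdue = now - last_contact >= RENEW_EVERY
        return "activated", deadline, (RETRY_EVERY if overdue else RENEW_EVERY)
    return ("expired-grace" if now < deadline else "rfm"), deadline, RETRY_EVERY


def at_risk(inventory, now, warn_within=WARN_WITHIN):
    """Return (host, state, days_left) for clients in or close to RFM, soonest first."""
    rows = []
    for host, installed, last_contact in inventory:
        state, deadline, _ = kms_status(installed, last_contact, now)
        if state in ("rfm", "expired-grace") or deadline - now <= warn_within:
            days_left = max(0, (deadline - now).days)
            rows.append((host, state, days_left))
    return sorted(rows, key=lambda r: r[2])


# Constructed sample inventory: (host, install date, last successful KMS contact).
NOW = datetime(2007, 6, 1)
INVENTORY = [
    ("lab-pc-01", datetime(2007, 1, 10), datetime(2007, 5, 28)),
    ("laptop-17", datetime(2006, 10, 1), datetime(2006, 11, 15)),
    ("new-build-03", datetime(2007, 5, 5), None),
    ("vpn-only-09", datetime(2006, 9, 1), datetime(2006, 10, 1)),
]

if __name__ == "__main__":
    for host, state, days_left in at_risk(INVENTORY, NOW):
        print(f"{host:14} {state:14} {days_left:3d} day(s) until RFM")
```

The last-contact dates would have to come from whatever inventory or KMS host logging a site already collects; the slides do not describe such a source.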

12
Non-Genuine Volume keys
  • If either a Volume Activation 2.0 customer or
    Microsoft detects that a KMS key or a MAK has
    been misused, after discussions between the
    customer and Microsoft, the product key can be
    marked as invalid for activation and as
    non-Genuine.
  • When a volume edition client visits Microsoft Web
    sites requiring Genuine Validation, it will have
    to download and run either an ActiveX control or
    a small .exe application to access the download.
    If the computer is configured with an invalid key
    or tampered files are detected, the computer will
    fail Genuine Validation. The user will be
    notified by a watermark on the desktop and
    periodic notifications to validate the Genuine
    status of the system by visiting a Microsoft Web
    site. In addition, the computer may be placed in
    a 30-day non-Genuine grace period during which it
    needs to be configured with a new product key or
    reinstalled if tampered files are detected.
  • For computers activated with an invalid KMS key,
    the KMS server must first be activated with a new
    KMS key. KMS clients will then reactivate
    themselves after contacting the reconfigured KMS
    host. In both scenarios, computers that have
    downloaded the Genuine Advantage ActiveX control
    must also visit the Genuine Advantage Web site to
    change their Genuine status from non-Genuine to
    Genuine after being activated with a new product
    key.
  • If a new product key has not been installed and
    activated, and the status has not changed during
    the 30-day non-Genuine grace period, the computer
    will start in non-Genuine RFM. In RFM, a user
    will only have options to access Web sites using
    their browser for an hour, before being logged
    off by the system.

13
Windows Vista in the WIN.MIT.EDU domain
  • Roaming profiles
  • Folder redirection
  • Software deployment
  • Laptop support
  • Printing

14
Roaming profiles
  • Vista roaming profiles are not compatible with XP
    profiles. Microsoft added code in Vista to create
    a new profile directory in the user's home
    directory with a .V2 extension
      • XP: H:\.winprofile
      • Vista: H:\.winprofile.V2
  • Each profile has its own desktop folder, e.g.,
    XP's is H:\.winprofile\desktop
  • Desktop-Sync: In order to preserve consistency of
    the desktop files and shortcuts for users logging
    into both XP and Vista machines, WIN.MIT.EDU
    synchronizes the desktop folders of both profiles
    when a user logs on
      • Files saved to an XP desktop will appear on the
        Vista desktop.
      • Files saved to a Vista desktop will appear on the
        XP desktop.
      • If a file is updated on one of the desktops, the
        other desktop will receive the updated version at
        the next user logon regardless of which OS they
        log on to.
  • A cached roaming profile may only be deleted via
    the system control panel. If the files are
    deleted manually, the roaming profile will fail
    to load.
  • Upgrades: If a machine is upgraded to Vista, the
    upgraded cached copy of a roaming profile should
    be copied to a new folder via the system control
    panel and not used (more about this in the folder
    redirection topic).
      • A local logon should be used for the upgrade and
        immediately after the upgrade to rename the old
        cached profile.
      • Upgraded versions of non-roaming profiles can be
        preserved and do not need to be modified.

15
Folder redirection: XP
  • By default, all users and machines use both
    roaming profiles and folder redirection.
  • Computers download the default user profile from
    a DFS share.
  • For the Windows XP environment, WIN.MIT.EDU
    redirects the following folders:
      • Application Data: H:\WinData\Application Data
      • My Documents: HOMESHARE\WinData\My Documents
      • My Pictures: HOMESHARE\WinData\My Documents\My Pictures
      • Favorites: HOMESHARE\WinData\Favorites
  • HOMESHARE is the location of the user's home
    directory as specified by the user account
    properties in Active Directory. These properties
    are managed by Moira and can be modified via the
    change profile options webform.
  • Machines opted into the disconnected operations
    laptop policy mapped H: to their local user
    profile in C:\Documents and Settings instead of
    the user's DFS home directory. These machines do
    not use roaming profiles.
  • Users who used the change profile options webform
    to set their account to local profiles and no
    folder redirection see similar behavior to those
    who use machines covered under the laptop policy.

16
Folder redirection: Vista
  • By default, all users and machines use both
    roaming profiles and folder redirection.
  • Computers download the default user profile from
    a DFS share.
  • For the Windows Vista environment, WIN.MIT.EDU
    redirects the following folders:
      • AppData(Roaming): HOMESHARE\WinData\Application Data
      • Contacts: HOMESHARE\WinData\My Documents\Contacts
      • Documents: HOMESHARE\WinData\My Documents
      • Downloads: HOMESHARE\WinData\My Documents\Downloads
      • Music: HOMESHARE\WinData\My Documents\My Music
      • Videos: HOMESHARE\WinData\My Documents\My Videos
      • Pictures: HOMESHARE\WinData\My Documents\My Pictures
      • Saved Games: HOMESHARE\WinData\My Documents\Saved Games
      • Searches: HOMESHARE\WinData\My Documents\Searches
      • Favorites: HOMESHARE\WinData\Favorites
      • Links: HOMESHARE\WinData\Favorites\Links
  • The redirected paths for Vista were chosen in
    such a way as to preserve the continuity of user
    experience from XP.

17
User Files Directory View in Vista
  • The user's files folder is a programmatically
    merged view of the local cached profile and the
    redirected folders.
  • It's possible to view duplicate entries if a
    directory exists in each location.
  • We reported this to Microsoft, but action was
    taken to remediate the issue.
  • We implemented our own workaround to the user
    file view issue:
  • The default domain Vista roaming profile which is
    the source for the cached profiles has the
    folders which are redirected removed.
  • Users in the domain who use a local profile
    either on a desktop by opting out of roaming
    profiles or using a computer opted into
    disconnected operation (laptop policy) have the
    removed directories recreated at logon when the
    profile is first created.
  • New logon scripts include logic to detect whether
    the user is roaming or not and create the
    directories if they do not exist.

18
Software deployment
  • McAfee Virus Scan
      • Using the opt-in webform, VS 8.0i is deployed
        to machines running XP and version 8.5i is
        deployed to Windows Vista clients.
      • This is due to McAfee's reinstall requirements
        for machines running 8.5i upgrading to Vista
  • OpenAFS for Windows
      • Using the opt-in webform, version 1.3.84 is
        deployed to machines running XP and version
        1.5.11 is deployed to Windows Vista clients.
  • UAC is off by default to support KfW 2.6.5
      • This will change when a future release of KfW
        supports MSLSA interoperability on Vista.
  • KLP/LPng Windows printing clients
  • These packages are not deployed to Windows Vista
    clients. They do not work on Vista and IST has
    stopped development on these products.

19
Laptop support
  • Vista laptops are supported in a similar way to
    how they are supported under Windows XP.
  • One difference is that the H: drive no longer
    needs to be mapped to the local user profile.
    Therefore there is no longer a dependency on the
    H: drive. This drive may still appear if the
    laptop is upgraded from XP.
  • If the machine is connected to the MIT network at
    logon, the user's DFS home directory will get
    mapped as H:
  • New VPN client
      • There is a newer VPN client required for Vista,
        now on the MIT software download page.
  • MIT had worked with Microsoft so that users of a
    trusted cross-realm MIT Kerberos realm did not
    have to enter a UPN (username@REALMNAME) when
    doing a cached logon. This fix was added to XP SP
    2.
  • This code was not added to Windows Vista, so
    currently a UPN is required. We have an open case
    with Microsoft to have these Kerberos regressions
    implemented.