
Event: Windows Server 2008 R2 Hyper-V Deep Dive

At TechDays for IT Pro’s 2009 ( http://www.microsoft.com/ireland/technet/techdays.aspx ) there will be some sessions on Windows 7 and Windows Server 2008 R2.

This will include some information and demonstrations on the new version of Hyper-V. However, due to time constraints, we won’t have time to get into the deep details of how and why things work.

Aidan Finn (C Infinity - http://www.cinfinity.ie ) will be talking about the new technologies that will be included as part of Hyper-V in Windows Server 2008 R2 and Hyper-V Server 2008 R2. This includes new functionality and improvements in performance thanks to cooperation between Microsoft and their hardware partners.

Dave Northey (Microsoft Ireland) will be doing some demonstrations of the technology in action, including the much anticipated Live Migration.

When?
30th April, 7.30am-10am. We’re going to try a morning session to give people an alternative time for the Windows User Group events.

Where?

Swift Suite 2, Radisson SAS Royal Hotel, Golden Lane, Dublin 8, Ireland.  Near St. Patrick's Cathedral.

Who's Speaking?

- Aidan Finn - http://joeelway.spaces.live.com and C Infinity http://www.cinfinity.ie
- Dave Northey - http://blogs.technet.com/ieitpro/

Registration

Invitations will be sent out to members of the Windows User Group Ireland.  Just follow the link in the invitation to register.  Please feel free to distribute this information and the URL for the event page: http://2008r2hyperv.events.live.com/

Posted by mcsieinf | 0 Comments

Cool stuff from Microsoft IT

Microsoft IT usually deals with all Microsoft products and technologies before they hit the street. Because we are early adopters, we also have the opportunity to develop good administration practices, and we like to share those practices with our customers and partners.

That's the main goal of the Microsoft IT Showcase program.

ITShowcase has just published a new document that shows how Microsoft handles AD schema changes.

Microsoft IT Showcase is pleased to announce the publication of Structured Active Directory Schema Management at Microsoft, which discusses Microsoft IT's Active Directory schema change management process. 

Structured Active Directory Schema Management at Microsoft
Details Microsoft IT's Active Directory schema change management process. Schema changes are frequent at Microsoft, and require a structured workflow to ensure a consistent, smooth, and successful implementation. The change process that Microsoft IT institutionalized establishes clear standards, expectations, and timelines. The change process mitigates risks and helps to optimize results. The structured workflow normalizes schema changes. It provides clear responsibilities to all involved parties, eliminates schema change issues early in the process, and enables timely, optimized results.
Technical White Paper | IT Pro Webcast

Products & Technologies

· Windows Server 2003

· Windows Server 2008

· Active Directory

· Microsoft Identity Integration Server 2003 with SP1

· Microsoft Exchange Server 2007

To learn more about how Microsoft does IT, please visit us!

External:  www.microsoft.com/technet/itshowcase


By the way I'll post a new blog about the Limits of AD this time referencing the Maximum Kerberos Token Size.

Regards

MCS Ireland infrastructure team

Posted by mcsieinf | 1 Comments

ANNOUNCEMENT: Live Mesh Tech Preview expansion to Ireland (in English)

Live Mesh is a very cool new technology that Microsoft is developing and during the Tech Preview we want you guys to experience it (as users and by developing to the platform) and share your thoughts.

What’s Live Mesh?

Live Mesh enables you to synchronize and access information and files across your different PCs, and it also lets you remotely control your PC through your web browser if you’re away from it.

Future releases will be adding support for more devices including Windows Mobile phones and Macs amongst others.

Live Mesh takes the best elements of the desktop and integrates them with the Internet to create a really valuable solution for keeping and sharing information and files.

http://blogs.msdn.com/tomurphy/archive/2008/08/18/microsoft-releases-live-mesh-in-ireland.aspx

Live Mesh: More Slots Available, No Wait List

At Web 2.0 in April we announced Live Mesh and opened it up for people to try out our platform experience -- the first evidence of what scenarios our platform is capable of enabling.

We said we’d tell you more about Live Mesh and give you access to the platform in the future, allowing you to build your own experiences on top of Live Mesh. En route to opening up the developer platform we’ve been systematically updating and expanding the tech preview to help us scale out the underlying technology (see behind the mesh). We’ve enjoyed watching our service handling the load, and we want more!

Today we are again increasing the number of available slots in the Live Mesh Technology Preview, and expanding the list of countries that will allow sign-up without a wait list to include Canada, India and Ireland! (although you still need to run with an English locale for now.) This is in addition to the availability we’ve previously announced for USA, UK, Australia and New Zealand (see coverage map).

The experience you see today is just the tip of the iceberg! To see what the Live Mesh platform is capable of, check out the Channel 9 videos and try out the user experience. We’re eager for your help to keep pushing our scale, and for your feedback!

We do still have a maximum limit on the number of users we’ll allow into the Technology Preview, but as long as we’re below the limit, anyone in the countries above can sign-up today with no delays or wait list.

Regards

MCS Ireland infrastructure team

Posted by mcsieinf | 0 Comments

Two new events from Windows Server 2008 User Group Ireland

The Windows Server 2008 User Group Ireland (Aidan Finn) is organizing two cool events. As usual, please pass on the news to your colleagues and friends.

Hyper-V and Virtual Machine Manager 2008

"We will be running an event on Hyper-V and Virtual Machine Manager on 2nd September in Buswells Hotel in Dublin 2 at 7pm. The speakers will be Dave Northey and Mark Gibson from Microsoft Ireland and Aidan Finn (me) from C Infinity. Please accept this invitation if you wish to attend. Places are limited to 20."
When: 02 September 2008 at 19:00
Where: Buswells Hotel

Alex Yushchenko: Terminal Services

"I'm delighted to announce a special day-long event on Windows Server 2008 that is being sponsored and presented by Alex Yushchenko. The event will be hosted in the Guinness Storehouse on October 3rd and will run from 09:30 until 16:30. It will include lunch, free admission to the tour and a free drink in the upstairs “Gravity Bar”.

When: 03 October 2008 at 09:30
Where: Guinness Storehouse

Posted by mcsieinf | 1 Comments

Windows Vista Compatibility Center

This site has gone live recently - great resource to check the Vista compatibility status of hardware or software:

Windows Vista Compatibility Center

 

There's a lot (lot) more compatible devices/applications than some people might think.... if you're buying or deploying Vista then this site is a good resource for you.

Posted by mcsieinf | 0 Comments

Creating Mind Maps with Visio

I'm a heavy mind map user - in my experience you either don't use them at all, or you use them all the time.

 

If you fall into the latter camp, there are quite a few mind map tools on the market. What a lot of people don't know, myself included until last week, is that you can create them with Visio. The advantage I've found is that this enables you to have technical architecture diagrams plus mindmaps all in the same Visio file, it can be a great time saver and keeps all project documentation in one place.

 

http://www.microsoft.com/education/analyticalvisio.mspx has a short tutorial on how to do this - it uses Office 2003. I'm using Office 2007 and the functionality is the same plus has improvements.

Posted by mcsieinf | 0 Comments

Virtualisation - A few notes

Over the last week we had some interesting notes on the virtualisation topic that I thought would be worth sharing.

First, Microsoft IT Showcase has published its guide to selecting candidate loads for virtualisation.


Microsoft IT Showcase is pleased to announce the publication of Identifying Server Candidates for Virtualization, which discusses how Microsoft IT identified virtualization as one of the prime strategies to address the issues of server underutilization and data-center capacity. Many thanks to Rich Baker, Devin Murray and Dodd Willingham for their expertise, knowledge, and dedication in developing this comprehensive technical case study.

Identifying Server Candidates for Virtualization

Published: 06/17/2008
For several years, Microsoft IT was aware that the number of servers in its data centres was growing rapidly, while utilization of these servers was very low. Microsoft IT identified virtualization as one of the prime strategies to address the issues of server underutilization and data-center capacity. This study describes how Microsoft IT developed the RightSizing initiative to identify servers that could be virtualized.
Technical Case Study

To learn more about how Microsoft does IT, please visit us!

External:  www.microsoft.com/technet/itshowcase

Second, we've included System Center Virtual Machine Manager in the latest beta version of IPD - Infrastructure Planning and Design Guides - (www.microsoft.com/IPD)

RELEASE UPDATE

Infrastructure Planning and Design Guides

Beta Release Announcement

System Center Virtual Machine Manager, System Center Operations Manager, Internet Information Services,  Selecting the Right NAP Architecture

We are pleased to announce the introduction of our new Infrastructure Planning and Design guides (IPD). We have added System Center Virtual Machine Manager and System Center Operations Manager as the first guides in our series for System Center. We added the new Internet Information Services Guide to our Windows Server 2008 offerings and finally, we’ve released Selecting the Right NAP Architecture.

All of our released guides can be found in the download center. 

Infrastructure Planning and Design streamlines the planning process by:

· Defining the technical decision flow through the planning process.

· Listing the decisions to be made and the commonly available options and considerations.

Join the Beta for Future IPD Guides

Additional Infrastructure Planning and Design series guides are available as beta releases on the Connect Web site. These are open beta downloads. See below for instructions on how to access the beta guides.

To join the Infrastructure Planning and Design Beta, follow these steps:

1. Visit the Infrastructure Planning and Design Beta on the Microsoft Connect Web site.

2. Sign in using a valid Windows Live ID to continue to the Invitations page.

3. Scroll down to Infrastructure Planning and Design.

If you have not previously registered with Microsoft Connect, you might be required to register before continuing with the invitation process.

If the link in step 1 does not work for you, copy the link and paste it into the Web browser address bar.

Related Resources

System Center Operations Manager on Microsoft TechNet

System Center Operations Manager evaluation software on Microsoft TechNet

Internet Information Services Online (iis.net)

 

CIOs sharing their experiences

And last but not least a Webcast from CIO Insight - CIO Livecast Encore Presentation Is Online Now
"Virtualization: The Price & The Payoff" - Event URL: http://ciolivecast.stream57.com


Three CIOs discuss their experiences at various stages of Virtualization implementation:

1800Flowers.com – SVP & CIO, Steve Bozzo talks about the concerns that a $1 billion company doing well over half their business online has to consider before moving into Virtualization. With over 3,000 agents, 3 data centers and 700 servers, 1800Flowers’ Bozzo views virtualization as a business mandate that can’t be avoided.

Hudson Valley Bank – CIO, Howard Bruck sees massive benefits in the amount of control he now has over what used to be hundreds of scattered devices. Bruck talks about the steps that he’s taken over the last three years to optimize the bank’s processes by testing and deploying virtualization. Beginning with successful desktop virtualization, he sees virtualization as a holistic way of redoing the Windows environment.

Sesame Workshop – CIO, Noah Broadwater is balancing the media company’s massive data storage needs and server sprawl while containing costs at the non-profit home of the Muppets. Increasing the capacity of Sesame’s data centers would have been a multi-million dollar project but Broadwater found his answer with Open Source.

CIO Livecast is a complimentary event. Registration is required.

 

Hope you enjoy.

Regards

The MCS Infrastructure team @ Microsoft Ireland

Posted by mcsieinf | 0 Comments

ILM "2" Beta 3 is now available for download

ILM "2" Beta 3 has recently been posted for download on the connect website. This beta release is a major milestone in the release roadmap for the product and contains most of the features of the product that a lot of people have been waiting to get a play with. Crucially, you can download a full VPC demo image and start having a look at the product today!

Included in this beta release:

  • ILM "2" Beta 3 package
  • ILM "2" Beta 3 Release notes
  • ILM "2" Beta 3 IT Pro documentation set
  • ILM "2" Beta 3 SDK
  • ILM "2" Beta 3 ready to use VPC

In this release you can work with:

  • Workflow integration with Office and Outlook
  • Self Service Password Reset
  • Codeless user provisioning

The VPC image comes with a full lab and documentation set so you can work through the scenarios, get an understanding of how the new features can work in your environment and start delivering higher ROI and lower TCO.

The timeline for ILM "2" is as follows:

  • Release candidate: Q4 2008
  • RTM Q1 2009

If you're interested in Identity Management I would strongly recommend that you subscribe to the program today, download the content, get the VPC image up and running and find out what everyone's talking about with ILM "2"

You can subscribe to the beta program at:

www.connect.microsoft.com

You can also join the beta newsgroup and subscribe to training Webcasts as and when they become available

More information on ILM 2 can be found at:

 http://www.microsoft.com/windowsserver/ilm2/default.mspx

Posted by mcsieinf | 1 Comments

Configuration Manager 2007 - 32-bit or 64-bit OS?

As I'm sure most of you are already aware, System Center Configuration Manager (SCCM) 2007 is a 32-bit application.

Installing SCCM SP1 on 64-bit Windows 2003 and 64-bit Windows Server 2008 is of course fully supported. However, given that SCCM is still a 32-bit application, performance will not be as great on 64-bit hardware as a native 64-bit application would be. Therefore the recommendation, to ensure best results, is to install 32-bit versions of Windows Server even when working with 64-bit capable hardware.

The sole exception to the 32-bit OS rule is the SCCM site database server. As there are no SCCM components required and as SQL 2005 SP2 is available as a 64-bit application, it makes sense to install this on a 64-bit OS for enhanced performance.

Traditionally, with SMS 2003, best practice was to utilise a local copy of SQL to host the SMS database on the primary site server. When SMS 2003 was released, disk performance well exceeded that of the network. Today this is no longer the case. Additionally, SCCM now makes considerably more use of the CPU. Based on these two facts, using remote SQL for SCCM is now a viable option.

I took this approach recently on a large SCCM implementation with the following benefits -

  1. Significantly increased SQL performance (x64 SQL + x64 Windows + x64 hardware)
  2. Moving the database to a remote server reduces the processing load on the primary site server
  3. I installed 2 instances of SQL -
    • default instance = SCCM database
    • named instance = WSUS database (host database for SCCM software update point)
Posted by mcsieinf | 0 Comments

PXE Boot Problems with Configuration Manager 2007

One of the most impressive features of System Center Configuration Manager (SCCM) 2007 is Operating System Deployment (OSD) which began life as a feature pack for SMS 2003. An integral component of OSD is a new site role in SCCM called the PXE service point that responds to PXE requests from computers that have been imported into SCCM database.

The PXE service point site role is used to initiate the operating system deployment process and must be configured to respond to PXE boot requests made by client computers. Installation of the PXE service point requires Windows Deployment Services (WDS) to be installed on the computer assigned to host the role.

SCCM effectively adds another provider on top of the existing WDS providers. The SCCM PXE service provider will process a request if there is a record for the device (MAC address or SMBIOS GUID) in the SCCM database. The request is serviced by SCCM, even if there is no current advertisement for the device, as long as it is in the database. If no client record is found in the SCCM database, WDS will fall back to its default provider.

In theory this is simple enough and provides a great new way to deploy operating systems but I wish to share a few PXE boot problems that I observed on a recent deployment project and how to resolve them.

IMPORTANT - please bear in mind that these problems must be placed within the context of my customer's environment and the issues observed may not necessarily relate to the same root cause on another site.

To put the problems into the context of the customer's infrastructure -

  • SCCM Infrastructure
    • SCCM 2007 SP1
    • Central / primary site server
    • Separate SQL server hosting SCCM database
    • Separate server hosting the PXE service point & state migration point
  • Windows 2003 Active Directory
  • Network
    • Centralised DHCP - Cisco Network Registrar
    • Cisco switches

Problem 1

PXE error = PXE-E32: TFTP open timeout

Issue = the PXE client was able to get a DHCP address and a boot file name, but timed out when attempting to download the boot file using TFTP or MTFTP

Cause = port security was enabled on the Cisco switch ports. Switch off port security to resolve.

 

Problem 2

PXE error = PXE-E3B: TFTP error - File not found

Issue = the requested file was not found on the TFTP server

Cause = DHCP option 67 (Bootfile Name) was not added to the DHCP scope options. Add option 67 to resolve.
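
A check for the Problem 2 condition, as an added example that is not part of the original post: it parses the UDP payload of a DHCP offer taken from a packet capture and reports the boot file name the PXE client will see, whether the server sends it as option 67 or in the BOOTP header's file field. The function names, the sample packets and the boot file name are constructed for illustration.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP option area
OPT_PAD, OPT_OVERLOAD, OPT_TFTP_SERVER, OPT_BOOTFILE, OPT_END = 0, 52, 66, 67, 255


def parse_options(blob):
    """Decode a DHCP option area (code, length, value) into {code: bytes}."""
    options, i = {}, 0
    while i < len(blob) and blob[i] != OPT_END:
        if blob[i] == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError("truncated DHCP option")
        code, length = blob[i], blob[i + 1]
        # A repeated option code is concatenated (long-option encoding).
        options[code] = options.get(code, b"") + blob[i + 2:i + 2 + length]
        i += 2 + length
    return options


def _text(raw):
    """NUL-terminated header field or option value as text."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def boot_info(packet):
    """Return the boot file name and TFTP server a PXE client would see."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    sname, file_field = packet[44:108], packet[108:236]
    options = parse_options(packet[240:])
    overload = (options.get(OPT_OVERLOAD) or b"\x00")[0]
    if overload & 1:  # header 'file' field carries more options, not a name
        for code, value in parse_options(file_field).items():
            options.setdefault(code, value)
        file_field = b""
    if overload & 2:  # header 'sname' field carries more options
        for code, value in parse_options(sname).items():
            options.setdefault(code, value)
        sname = b""
    bootfile = _text(options.get(OPT_BOOTFILE, b"")) or _text(file_field)
    server = _text(options.get(OPT_TFTP_SERVER, b"")) or _text(sname)
    return {
        "bootfile": bootfile or None,
        "tftp_server": server or None,
        "next_server": ".".join(map(str, packet[20:24])),  # siaddr
    }


def build_offer(options, file_field=b"", next_server=(10, 0, 0, 20)):
    """Build a constructed DHCPOFFER (sample data only, not a real capture)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, 0x1234ABCD, 0, 0,
        bytes(4), bytes([10, 0, 0, 50]), bytes(next_server), bytes(4),
        bytes.fromhex("001122334455"), b"", file_field)
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


NAME = b"boot/pxe-constructed.0"  # constructed boot file name
OFFER_TLV = build_offer([(53, b"\x02"), (OPT_BOOTFILE, NAME)])
OFFER_HEADER = build_offer([(53, b"\x02")], file_field=NAME)
OFFER_NONE = build_offer([(53, b"\x02")])  # the Problem 2 case
OFFER_OVERLOAD = build_offer(
    [(53, b"\x02"), (OPT_OVERLOAD, b"\x01")],
    file_field=bytes([OPT_BOOTFILE, len(NAME)]) + NAME + bytes([OPT_END]))

if __name__ == "__main__":
    for label, offer in [("option 67", OFFER_TLV), ("file field", OFFER_HEADER),
                         ("no boot file", OFFER_NONE), ("overload", OFFER_OVERLOAD)]:
        print(label, boot_info(offer))
```

An offer that yields `bootfile: None` matches the missing option 67 cause above; a check that only looks for the option 67 TLV would also misreport servers that place the name in the header field.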

 

Problem 3

PXE error = this problem is not really a PXE problem as the client successfully boots and then fails when trying to process the SCCM task sequence.

Issue = negotiation between the Cisco switch port and the client causes a timeout

Cause = PortFast is not enabled on the Cisco switch. Enable PortFast to resolve.

 

As an aside, the fixes for a lot of PXE boot problems make reference to the fact that WDS should be installed but NOT configured in any way prior to installing the SCCM PXE service point - simply install WDS, reboot, leave well alone and install the PXE service point. On my PXE service point server I created a small NTFS volume specifically to host WDS and so broke with convention by initialising WDS upon reboot to point the components to this particular drive. With the exception of the issues listed above, which are not WDS related, my PXE service point functions just fine!

Posted by mcsieinf | 0 Comments

OCS 2007 Enterprise Edition - Certificate & DNS Requirements

Having just deployed Office Communication Server (OCS) 2007 into a customer site, I thought I would share some of my experiences, specifically around DNS and Certificate requirements.

OCS Features Installed

  • Audio & video conferencing
  • Web conferencing
  • NO federation or external user access

OCS Infrastructure Components

  • Software - OCS 2007 Enterprise Edition
  • Hardware
    • 2 x Front End Servers - OCSSRV01 & OCSSRV02
    • 1 x SQL Back End SQL Server (clustered)
    • Load balancer

AD / Mail / Enterprise Pool

  • Windows 2003 AD single forest / single domain
  • Exchange 2007
  • FQDNs
    • AD domain name = company.local
    • Mail domain name = company.com
    • OCS pool = ocspool.company.local

For the customer in question we deployed OCS 2007 Enterprise Edition in a consolidated topology. This creates an Enterprise pool and installs all Enterprise Edition components on each physical server in the pool. When you deploy an Enterprise pool, you install all the servers in the pool as well as the load balancer that distributes traffic to the servers in the pool. You also configure the DNS that enables servers and clients to automatically locate one another. Additionally, as was the case with this customer, other DNS records were required to allow automatic client sign in.

One other important consideration is to determine which SIP domains are to be supported by OCS.

SIP domain refers to the host portion of the SIP URIs assigned to users. For example, if SIP URIs are of the form *@company.com, then company.com is the SIP domain. The SIP domain is often different from the internal Active Directory domain, as in the vast majority of companies where the email domain name is different to the internal AD domain name.

In my example, I wish to enable users for OCS by using the user's email address to generate the SIP URI, therefore company.com is the preferred SIP domain. The following steps outline how to configure DNS to support this configuration.

Note - As there is currently NO requirement for federation or external user access we are only concerned with internal DNS at this stage.

 

Required DNS Records

  • An internal DNS record that resolves the FQDN of the pool to the virtual IP address of the load balancer used by the Front End Servers in the pool
  • An internal DNS record that resolves the internal Web farm FQDN from the pool to the virtual IP address of the load balancer used by the Web Components Servers in the pool

Required DNS Records for Automatic Client Sign In

  • An internal DNS record that maps _sipinternaltls._tcp.<domain> to the FQDN of the pool (for internal TLS connections - TCP can also be used but is not the preferred choice)

To place these requirements in the context of my example:

| FQDN of pool | SIP Domain | DNS SRV Record |
| --- | --- | --- |
| ocspool.company.local | company.local (default inherited from AD) | An SRV record for _sipinternaltls._tcp.company.local domain over port 5061 that maps to ocspool.company.local |
| ocspool.company.local | company.com | An SRV record for _sipinternaltls._tcp.company.com domain over port 5061 that maps to ocspool.company.local |

To configure the DNS records for both SIP domains do the following -

(Refer to http://technet.microsoft.com/en-us/library/bb663654(TechNet.10).aspx for detailed instructions)

In the forward lookup zone for company.local -

  1. Create a DNS A record
    • Name = ocspool
    • FQDN = ocspool.company.local
    • IP = <VIP address of load balancer>
  2. Create a DNS SRV record
    • Service = _sipinternaltls
    • Protocol = _tcp
    • Port number = 5061
    • Host offering this service = ocspool.company.local

In the forward lookup zone for company.com -

  1. Create a DNS A record
    • Name = ocspool
    • FQDN = ocspool.company.com
    • IP = <VIP address of load balancer>
  2. Create a DNS SRV record
    • Service = _sipinternaltls
    • Protocol = _tcp
    • Port number = 5061
    • Host offering this service = ocspool.company.com

The above steps assume that a primary zone for company.com has been created on the internal DNS server - if none exists, create one, as this will provide internal name resolution for the company.com SIP domain. Use nslookup to verify successful creation of the SRV records for both company.local and company.com.

 

Certificate Creation & Assignment

OCS requires certificates on each Enterprise Edition server in order to use MTLS (TLS with mutual authentication) so that the servers can communicate with one another. Additionally, each OCS client will need to trust the server certificate in order to use TLS as the connection method, as has been configured in my example.

The OCS installation media provides a Certificate wizard as part of the setup steps to request and assign certificates to Front End OCS servers. The wizard cannot be used to assign certificates to the Web Components server - this is done via the IIS certificate wizard.

Requesting and assigning certificates is straightforward enough and is documented in detail at the following links

http://technet.microsoft.com/en-us/library/bb663618(TechNet.10).aspx

http://technet.microsoft.com/en-us/library/bb663771(TechNet.10).aspx

The important part is knowing what to include on the certificate request, specifically what to specify as the certificate name and certificate subject alternative name(s), especially when dealing with and supporting multiple SIP domains.

To place this information within the context of my example consider the following -

  • FQDN OCS pool = ocspool.company.local
  • FQDN OCS Front End Servers
    • ocssrv01.company.local
    • ocssrv02.company.local

To correctly request certificates for both front end servers enter the following -

  1. Certificate name = ocspool.company.local
  2. Certificate subject alternative names include -
    • DNS Name=sip.company.local
    • DNS Name=sip.company.com
    • DNS Name=ocspool.company.com
    • DNS Name=ocssrv01.company.local or ocssrv02.company.local
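
The naming scheme above can be checked mechanically. The following is an added example, not code from the original post: it derives the SRV records and subject alternative names for any list of SIP domains using the post's scheme, then audits a certificate and a set of SRV answers against them. The certificate dicts use the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the function names and all sample data are constructed.

```python
SIP_TLS_PORT = 5061  # port the post uses for _sipinternaltls._tcp


def build_plan(pool_host, ad_domain, sip_domains, server_fqdn):
    """Derive SRV record names and certificate names using the post's scheme."""
    subject = f"{pool_host}.{ad_domain}".lower()
    srv_names, sans = [], {server_fqdn.lower()}
    for domain in (d.lower() for d in sip_domains):
        srv_names.append(f"_sipinternaltls._tcp.{domain}")
        sans.add(f"sip.{domain}")
        pool_alias = f"{pool_host}.{domain}".lower()
        if pool_alias != subject:  # the subject already covers the pool FQDN
            sans.add(pool_alias)
    return {"subject": subject, "srv_names": srv_names, "sans": sans}


def cert_names(peercert):
    """Return (common name, all DNS names) from a getpeercert()-style dict."""
    cn = None
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value.lower()
    names = {value.lower()
             for kind, value in peercert.get("subjectAltName", ())
             if kind == "DNS"}
    if cn:
        names.add(cn)
    return cn, names


def audit(plan, peercert, srv_answers):
    """List every gap between the DNS plan and the names on the certificate."""
    findings = []
    cn, names = cert_names(peercert)
    if cn != plan["subject"]:
        findings.append(f"subject is {cn}, expected {plan['subject']}")
    for missing in sorted(plan["sans"] - names):
        findings.append(f"SAN missing: {missing}")
    for record in plan["srv_names"]:
        if record not in srv_answers:
            findings.append(f"SRV missing: {record}")
            continue
        port, target = srv_answers[record]
        target = target.lower().rstrip(".")
        if port != SIP_TLS_PORT:
            findings.append(f"{record} uses port {port}, expected {SIP_TLS_PORT}")
        # Exact-name comparison only; wildcard certificates are not handled.
        if target not in names:
            findings.append(f"{record} -> {target} is not named on the certificate")
    return findings


# Constructed sample data based on the post's example names.
PLAN = build_plan("ocspool", "company.local",
                  ["company.local", "company.com"], "ocssrv01.company.local")
SRV_ANSWERS = {  # (port, target) as read from nslookup output
    "_sipinternaltls._tcp.company.local": (5061, "ocspool.company.local"),
    "_sipinternaltls._tcp.company.com": (5061, "ocspool.company.com"),
}
GOOD_CERT = {
    "subject": ((("commonName", "ocspool.company.local"),),),
    "subjectAltName": (("DNS", "sip.company.local"), ("DNS", "sip.company.com"),
                       ("DNS", "ocspool.company.com"),
                       ("DNS", "ocssrv01.company.local")),
}
AD_ONLY_CERT = {  # requested with only the AD domain in mind
    "subject": ((("commonName", "ocspool.company.local"),),),
    "subjectAltName": (("DNS", "sip.company.local"),
                       ("DNS", "ocssrv01.company.local")),
}

if __name__ == "__main__":
    for label, cert in [("good", GOOD_CERT), ("AD-only", AD_ONLY_CERT)]:
        print(label, audit(PLAN, cert, SRV_ANSWERS) or "no findings")
```
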
Posted by mcsieinf | 0 Comments

Today’s the day for the second Springboard Live! virtual roundtable: The topic? Windows Vista Security

Let’s talk Windows Vista security begins 17:00 GMT. Microsoft Technical Fellow and desktop guru Mark Russinovich will again be hosting a live, interactive Springboard Series virtual roundtable—this time on the topic of Windows Vista security.

As with the March roundtable on deployment, Microsoft will be taking questions from those tuning in for the live event. Questions can also be submitted in advance by e-mailing vrtable@microsoft.com.


Tell them to visit https://ms.istreamplanet.com/springboard and register for the June 18th event today!

For those who can’t tune in at 17:00, the roundtable will also be available on demand at https://ms.istreamplanet.com/springboard shortly after the conclusion of the live event.

Posted by mcsieinf | 0 Comments

Windows Vista Deployment - Part 4 - End User Experience

One of the most important aspects of a Windows Vista deployment is managing change. The end users will, at the end of the day, have a new operating system with a massive amount of new features they will have to discover in order to take full advantage of the productivity increases they bring. But how do you communicate this to the user, and when? This is an excellent question to be asking yourself. Luckily, Microsoft provide a great tool to do this.

This tool is called the Enterprise Learning Framework. It is free online and basically focuses on 4 areas:

  • Raising Awareness: Helping employees understand how the new versions of Windows will benefit them and helping to prepare employees before deployment
  • Minimizing Disruption: Identifying a small, manageable number of learning topics to get employees up and running quickly
  • Shortening Training: Concise learning topics requiring only a few minutes each from employees
  • Gaining Productivity: Identifying the most important learning topics for improving productivity

    The tool has the ability to target the content for different types of employees and different times within the deployment. The following table shows the different choices you can make.

     

    | Audience | Description | Goal |
    | --- | --- | --- |
    | Information Workers | Normal users | Based on Timeframe |
    | Influential Information Workers | Users that can teach other users and that like to stay ahead of the game | One step ahead |
    | Support | IT users that need to be ready before general rollout, Help Desk typically. | Prepared Early |

     

    Depending on the audience, the tool defines how the topics are assigned to different time frames. For example, something a user would see a week before deployment is probably something that a support engineer needs to know a month before. Below is a table of the choices of content and topics you can get for the preferred audience. You can choose them all in the tool.

    | Time Frame | Goal | Focus |
    | --- | --- | --- |
    | Month Before | Raise Awareness | Demonstrate Value & build anticipation |
    | Week | Raise Awareness | Minimize surprise. Important things to know ahead of time |
    | Deployment Day | Minimize Disruption | Get up and running with critical tasks |
    | Week After | Gain Productivity | Reinforce key concepts and introduce some new scenarios |
    | Month After | Gain Productivity | Enhance productivity |
    | Any time after deployment | Gain Productivity | Tips & tricks that are appropriate any time after deployment |

    After you've selected your audience and the type of content that you want to see you can further filter the recommended topics by scenarios for employees in certain situations like: Topics apply to everyone, Collaborate with others, Attend meetings and give presentations, Travel and work from home, Have accessibility needs, Often help others. You can also filter by type of hardware!

    After you've selected the type of communication you can refine it further by applying different filters like "only tips & tricks" and different categories

    Now comes the fun part, the results. From these you can create customized emails with the appropriate content at the appropriate moment, get highly recommended topics or create Word documents for distribution in your enterprise.

    From this place you can check the actual link that is being provided to the user or create the HTML e-mail. If you are using IE7 for this task, please follow these instructions:

    Click Create HTML E-mail or Create Text E-mail to generate a template e-mail message.

    Note: The current version of the ELF tool is limited to creating template e-mail messages on computers on which Microsoft Office Outlook® is installed. The Windows Internet Explorer® Pop-up Blocker should be set to Disabled. Otherwise, the user may not be able to view items such as the e-mail help page. Also, the Internet browser security settings must be adjusted so the Initialize and script ActiveX controls not marked as safe option is set to Prompt. If this setting has not been configured and the user selects Create HTML E-mail or Create Text E-mail, an information window such as that shown in Figure 13 appears, prompting the user to follow the proper configuration procedure.

    It is also recommended that you read the documentation as part of the Microsoft Deployment Toolkit 2008 called Enterprise Learning Framework User Guide.doc

    That is it for the Enterprise Learning Framework.

    Part 5 - Supporting infrastructure is coming up next.

    Posted by mcsieinf | 0 Comments

    Using Key Management Services (KMS) Across Domains

    In some environments it may be necessary to implement Key Management Services (KMS) activation across domains. An example of this can be illustrated by the requirements of a recent project that I was working on.

    The customer in question is in the process of consolidating a number of legacy domains into a new pristine AD domain - trust relationships exist between the domains. This migration will take a considerable amount of time given both the size of the customer's infrastructure and the requirement to consolidate / migrate complex back office systems and applications.

    Concurrently, a large-scale Vista deployment project is also underway, aimed at base-lining the client infrastructure on a common desktop. Where possible, and for the most part, newly deployed Vista clients are being deployed into the new domain. However, due to reliance on and access to critical back office applications which still reside in the legacy domains, there is also a requirement to redeploy some Vista clients back to their legacy domains.

    Bearing these requirements in mind, it was still desirable to configure a single domain for KMS activation - preferably the new domain - given that over time the legacy domains will be decommissioned. Thus configuring KMS activation across domains becomes the logical choice.

    Network considerations - by default, client computers connect to the KMS host for activation using anonymous Remote Procedure Calls over TCP, using TCP port 1688. So you will need to ensure that this port is open in the firewall configurations between the remote sites. Note - this port number can be changed.

    DNS SRV records - by default, when dynamic DNS (DDNS) is supported in the environment, KMS hosts automatically publish their existence by creating service (SRV) resource records in the DNS server. Only the DNS domain that the KMS host belongs to is registered in an SRV record.

    So if you have only one DNS domain in your network environment, no further action is required.

    But if you have more than one DNS domain name, as it is with this customer's legacy domains, you can create a list of DNS domains for a KMS host to use when publishing its SRV record. This can be done by setting a specific registry value on the KMS host:

    1. Log on to a KMS host.
    2. Open an elevated command prompt. To do this, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
    3. At the command prompt, type Regedit.exe and then press Enter.
    4. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SL.
    5. In the tree pane, click SL. Right-click in the details pane, point to New, and then click Multi-String Value.
    6. Type DnsDomainPublishList as the name for the new value, and then press Enter.
    7. Right-click the new DnsDomainPublishList value, and then click Modify.
    8. In the Edit Multi-String dialog box, type each DNS domain suffix that KMS should publish to on a separate line. When you are finished, click OK.
    9. Restart the Software Licensing Service using the Services application. The SRV records are then created.

    However, if DDNS is not supported in the different DNS environments, or if you want manual control of KMS publishing, an administrator can also manually create the SRV record that publishes the availability of a KMS host. Manually created SRV records can coexist with SRV records that are auto-published by KMS hosts in other domains as long as all records are maintained to prevent conflicts. Here is the procedure to create the SRV record in the legacy DNS domains that publishes the availability of a remote KMS host:

    1. On the DNS server, open DNS Manager. To open DNS Manager, click Start, click Administrative Tools, and then click DNS.
    2. Click the DNS server on which you need to create the SRV resource record.
    3. In the console tree, expand Forward Lookup Zones, right-click the domain, and then click Other New Records.
    4. Scroll down the list, click Service Location (SRV), and then click Create Record.
    5. Type the following information:
      1. Service: _VLMCS
      2. Protocol: _TCP
      3. Port number: 1688
      4. Host offering the service: <FQDN_of_KMS_Host>
    6. When you are finished, click OK, and then click Done.
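
The following PowerShell sketch scripts the registry procedure above and then checks, for each DNS domain, that the `_vlmcs._tcp` SRV record (auto-published or manually created) points at the intended KMS host on port 1688. It is an added example, not part of the original post: the host name and domain suffixes are placeholders, and `Set-KmsPublishList` and `Test-KmsSrvRecord` are hypothetical helper names.

```powershell
# Added example. Placeholder names; run elevated on the KMS host (Vista / Server 2008).
$KmsHost = 'kms01.corp.example.com'                         # placeholder KMS host FQDN
$Domains = @('legacy1.example.com', 'legacy2.example.com')  # placeholder DNS suffixes
$SlKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SL'

function Set-KmsPublishList {
    # Registry procedure, steps 4-9: write the multi-string value, then restart the service.
    param([string[]]$Suffixes)
    New-ItemProperty -Path $SlKey -Name DnsDomainPublishList -PropertyType MultiString `
        -Value $Suffixes -Force | Out-Null
    Restart-Service -Name slsvc    # Software Licensing service
}

function Test-KmsSrvRecord {
    # Resolve _vlmcs._tcp.<domain> and compare every answer with the expected host and port.
    param([string]$Domain, [string]$ExpectedHost, [int]$ExpectedPort = 1688)
    $out   = & nslookup.exe -type=srv "_vlmcs._tcp.$Domain" 2>$null | Out-String
    $found = [regex]::Matches($out, 'port\s*=\s*(\d+)\s+svr hostname\s*=\s*(\S+)')
    if ($found.Count -eq 0) {
        return New-Object PSObject -Property @{
            Domain = $Domain; Target = ''; Port = 0; Status = 'MISSING' }
    }
    foreach ($m in $found) {
        $target = $m.Groups[2].Value.TrimEnd('.')
        $port   = [int]$m.Groups[1].Value
        $ok     = ($target -ieq $ExpectedHost) -and ($port -eq $ExpectedPort)
        $status = if ($ok) { 'OK' } else { 'UNEXPECTED' }
        New-Object PSObject -Property @{
            Domain = $Domain; Target = $target; Port = $port; Status = $status }
    }
}

Set-KmsPublishList -Suffixes $Domains
# Records may take a moment to appear after the service restart; re-run the check if needed.
$Domains | ForEach-Object { Test-KmsSrvRecord -Domain $_ -ExpectedHost $KmsHost } |
    Format-Table Domain, Target, Port, Status -AutoSize
```

A domain reported as MISSING has no record for clients to discover, and an UNEXPECTED row is a record that does not match the intended KMS host or port and should be reviewed as part of keeping the records maintained.
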
    Posted by mcsieinf | 1 Comments
    Filed under:

    Using Key Management Services (KMS) for Vista Activation

    I have been working recently on a large Vista deployment project for an Enterprise customer. An integral component of the project required the installation and configuration of Key Management Services (KMS) to activate all newly deployed Vista computers.

    Typically, an Enterprise customer will choose KMS as the preferred method of activation as the number of Multiple Activation Keys (MAK) supplied as part of their Microsoft Enterprise Agreement will be substantially less than the total amount for which they are licensed – KMS is the only way to license the entire estate. Apart from this, KMS offers other additional benefits such as –

    • KMS activates operating systems on the local network, eliminating the need for individual computers to connect to Microsoft
    • KMS ensures you are within your allowed number of licenses
    • Virtual machines don’t count towards the KMS n-count

    However, bear in mind that KMS requires a minimum number of physical computers in a network environment, called the activation threshold, to activate KMS client machines. The activation threshold for Windows Vista is 25 physical computers and 5 physical computers for Windows Server 2008.

    KMS is a lightweight service which does not require a dedicated server and which can easily be co-hosted with other services. The KMS ‘host’ can be on a physical or virtual system running Windows Server 2008, Windows Vista, or Windows Server 2003, but a KMS host running on Windows Vista can only activate Windows Vista KMS clients. KMS services are built into Windows Server 2008 but are also available as a separate download for Windows 2003.

    http://www.microsoft.com/downloads/details.aspx?FamilyId=81D1CB89-13BD-4250-B624-2F8C57A1AE7B&displaylang=en

    Configuring KMS requires the installation of a KMS key on the host and subsequent activation with Microsoft, either by telephone or online. A KMS key can activate the Windows editions within its specific product group as well as editions in ‘lower’ product key groups (i.e., KMS keys have a hierarchical association with product key groups) – see illustration below. My customer’s EA licensed them for all products. For example, activating the KMS host with a Server Group B KMS key can activate Windows Server 2008 Standard, Enterprise and Web editions, and Windows Vista editions as KMS clients.

    [Illustration: hierarchy of KMS keys and product key groups]

    Initially, I installed and configured the KMS host with the Server Group B KMS key as my customer has no requirement to utilise Datacenter versions of Windows Server 2008 - activation of Server Group B, Server Group A and Vista VL was sufficient. However, although the KMS host was successfully activated using the Server Group B KMS key all subsequent attempts by Vista clients to activate with the KMS host failed with the following error -

    Error code = 0xC004F014

    This error is indicative of issues caused by a missing or incorrect pid.txt file which is included in the sources folder on the Vista installation media. Extensive testing confirmed that this was not the case and that all deployed clients had been imaged correctly using the correct pid.txt file.

    In my case, resolution of the issue involved the following steps -

    1. Uninstall the Server Group B KMS key and replace with the Server Group C KMS key = slmgr -ipk <product key> (this will replace the existing key).
    2. Reactivate the KMS host = slmgr -ato (ensure that the host has Internet access)

    Once the KMS was reactivated with the Server Group C KMS key - effectively the highest level key available in the customer's Enterprise Agreement - Vista clients began to register with and activate against the KMS host. Problem solved.

    Posted by mcsieinf | 0 Comments
    Filed under: