Activating Windows through Active Directory

Many large organizations activate Windows through a dedicated Key Management Server (KMS) service installed on a dedicated host and activated with a special Microsoft key. All of the company's computers can then be activated directly against this KMS server rather than against Microsoft's servers. Recall that a computer activated against a KMS server keeps its activation status for 180 days, after which the client must reactivate each time for the next 180 days.

Windows Server 2012 introduced a new activation model for clients running Windows 8, Windows Server 2012 and Office 2013, intended to replace KMS. The new role is called Active Directory Based Activation (ADBA). This technology activates computers (running Win8 and Win2012, naturally) simply because they have been joined to the domain (see how to join a Windows computer to an AD domain). Unlike KMS activation, ADBA is tied not to a particular host (the KMS server) but to the AD service as a whole, which is preferable for the fault tolerance of the activation service. There is also no need to open additional ports on corporate firewalls (for KMS activation, the client must be able to reach the KMS server on port 1688); only standard LDAP access to the nearest domain controller is required (it must be a regular writable domain controller, not an RODC). ADBA activates hosts for the same 180 days, and if the machine is a domain member, the activation is renewed automatically through any available domain controller. Naturally, when a machine activated with Active Directory-based activation is removed from the domain, the activation is lost. Note that ADBA can activate clients across the entire AD forest.

ADBA is managed with a dedicated console, Volume Activation Management Toolkit 3.0 (VAMT). More on what VAMT 3.0 is, where to download it, and how to use it to manage licenses.

Installing and configuring Active Directory Based Activation

Active Directory-based Activation requires the AD schema to be extended to Windows Server 2012 (updating the schema with adprep.exe is described in the article "Upgrading AD to Windows Server 2012"). You do not need to deploy a separate Windows Server 2012 domain controller.

Next, install the Volume Activation Services role on a server running Windows Server 2012. You can do this from the standard Server Manager console: choose Add Roles and Features -> Next -> Next and select the Volume Activation Services role.

The Volume Activation Services role can also be installed with the following PowerShell command:

Install-WindowsFeature VolumeActivation -IncludeManagementTools

After installing the role, launch the Volume Activation Tools management console (Server Manager -> Tools -> Volume Activation Tools). If you are configuring this from a desktop edition of Windows, install RSAT for Windows 10; the Volume Activation Tools console is part of that package.

In the Volume Activation Tools window, select Active Directory-Based Activation as the client activation method.

To activate Microsoft products with ADBA, add the corresponding keys to the Volume Activation Services server role. Enter the KMS key issued to your organization (KMS and ADBA use the same key) and a name for it (which makes it easier to work with multiple keys later).

The next step is to enable ADBA activation for the entire forest and activate the volume license keys against Microsoft's servers (by phone or online). VLK keys can also be activated the old-fashioned way, from the command line with the slmgr.vbs script (the procedure is described in more detail in the article "Installing and activating a KMS server").

Once all the new objects have replicated in AD, every Windows 8 and Windows Server 2012 client that is joined to the domain and configured to use the generic VLK keys (the presence of these keys tells the OS that activation will take place through a KMS server or ADBA) receives the information from AD and activates automatically. Nothing else needs to be configured on the clients. The full list of GVLK keys can be found here.

Keep in mind that the domain has no dedicated ADBA server and no ADBA service running on the domain controllers. It is a passive process in which clients query Active Directory, find the required attributes and activate automatically.

So where does Active Directory store the ADBA activation information?

When the schema is extended to Windows Server 2012 (as described above), new objects appear in AD that clients can use to find and activate products in the domain. These attributes are stored in the forest configuration container CN=Activation Objects,CN=Microsoft SPP,CN=Services,CN=Configuration.

Editing objects in this container directly is not recommended; use only the Volume Activation Tool utility for that purpose.
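The container named above can be inventoried read-only with the ActiveDirectory module, which gives a simple change-tracking view of this forest-wide setting. This is an added example, not part of the original article: the function name Get-AdbaActivationObject and the RecentDays threshold are illustrative, and the msSPP-ActivationObject class and msSPP-CSVLKPartialProductKey attribute names are taken from the Windows Server 2012 schema extension, not from this page.

```powershell
# Added example: read-only inventory of ADBA activation objects.
# Requires the ActiveDirectory module (RSAT) and read access to the
# forest configuration partition. Nothing is modified.
Import-Module ActiveDirectory

function Get-AdbaActivationObject {
    [CmdletBinding()]
    param(
        # Optional domain controller to query (hypothetical parameter).
        [string]$Server,
        # Objects changed within this many days are flagged (assumed default).
        [int]$RecentDays = 30
    )

    $common = @{}
    if ($Server) { $common['Server'] = $Server }

    # The container DN ends with the forest's configuration naming context,
    # so read it from RootDSE instead of hard-coding a domain name.
    $configNC = (Get-ADRootDSE @common).configurationNamingContext
    $base     = "CN=Activation Objects,CN=Microsoft SPP,CN=Services,$configNC"

    try {
        $found = Get-ADObject @common -SearchBase $base -SearchScope OneLevel `
            -LDAPFilter '(objectClass=msSPP-ActivationObject)' `
            -Properties displayName, whenCreated, whenChanged,
                        'msSPP-CSVLKPartialProductKey' -ErrorAction Stop
    }
    catch {
        # Typical causes: schema not extended, or no read access.
        Write-Warning "Cannot read '$base': $($_.Exception.Message)"
        return
    }

    $cutoff = (Get-Date).AddDays(-$RecentDays)
    foreach ($ao in $found) {
        [pscustomobject]@{
            DisplayName       = $ao.displayName
            # Only the last five characters of the key are stored here.
            PartialProductKey = $ao.'msSPP-CSVLKPartialProductKey'
            WhenCreated       = $ao.whenCreated
            WhenChanged       = $ao.whenChanged
            RecentlyChanged   = ($ao.whenChanged -gt $cutoff)
            DistinguishedName = $ao.DistinguishedName
        }
    }
}

# Newest changes first; an unexpected object or a recent change is worth
# reconciling against your change records.
Get-AdbaActivationObject |
    Sort-Object WhenChanged -Descending |
    Format-Table -AutoSize
```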

A client's current activation status can be checked with the command:

slmgr.vbs /dlv

The line Activation Object name: KMS AD Activation indicates that the client was activated through ADBA.

The slmgr.vbs script has been extended with additional parameters for activation through AD:

  • /ad-activation-online [ProductKey]
  • /ad-activation-get-iid [ProductKey]
  • /ad-activation-apply-cid [ProductKey] [ConfirmationID]
  • /ao-list
  • /del-ao

If the required Active Directory attributes are missing, the client tries the next available method, KMS activation, by looking up the KMS server's SRV record in DNS (see how to locate a KMS server in a domain).

When a computer is removed from the domain, the activation is lost at the next license check cycle (when the computer is restarted or the Software Protection Service is restarted).

So, today we looked at how to set up activation of Windows 8 and Windows Server 2012 clients with ADBA (they no longer need a KMS server!). ADBA activation does not rule out keeping a KMS server and activating clients against it, especially since ADBA is not yet supported for older operating systems (Windows 2008/R2/Vista/7).

Active Directory Based Activation

There are many ways to activate Windows, and a really cool way to activate Windows is with Active Directory-Based Activation.

Active Directory-Based Activation (ADBA) was first introduced in Windows Server 2012 and is only usable if your Microsoft Volume licensing has a KMS host key. If you don’t have a KMS key, you may need to request one from Microsoft.

ADBA works very similarly to KMS (Key Management Services), except it doesn’t have the dependency of 25 activations before it becomes active and doesn’t need DNS or SRV records to work. The systems just need to talk to your domain, and because your domain is highly available, so is ADBA.

Systems that are activated with ADBA remain activated while communicating with the domain. However, if systems cannot communicate with the domain, they will remain activated for 180 days. If a system cannot communicate with the domain for more than 180 days, Windows will deactivate, but it will reactivate once it can communicate with the domain again.

In this post, I will show you step-by-step how to install, configure, and test Active Directory Based Activation.

Prerequisites

  • An account that is a member of Enterprise Admins and Domain Admins.
  • Active Directory schema version 56 (Windows Server 2012) or higher.

If you need to learn how to check your schema version, my blog post, Active Directory Schema, covers how.

Adding Volume Activation Services Role

GUI

  • Launch the Add Roles and Features Wizard and click Next.

  • For the installation type, select Role-based or feature-based installation and click Next.

  • Select the server you want to install the role to and click Next.

  • Select Volume Activation Services.

  • Click on Add Features to add the required features.

  • On the feature selection screen, click Next.

  • Read the notes about the Volume Activation Services and click Next.

  • Click Install to begin the installation.

PowerShell

  • Open PowerShell.
  • Run the command Install-WindowsFeature VolumeActivation -IncludeManagementTools

Configuring Volume Activation Services

  • Open Volume Activation Tools.
  • Click Next to continue past the Introduction to Volume Activation Services screen.

  • Select Active Directory-Based Activation for the Volume Activation Method and click Next.

  • Enter your KMS host key.

I will provide a display name for the activation object to assist with troubleshooting if needed.

  • Select how you want to activate the KMS host key and click Commit.

I will select Activate online.

  • Click Yes to confirm that you want to add an Active Directory-based activation object to the domain forest.
  • Click Close to exit the Volume Activation Tools.

  • Click Yes to confirm you are closing the wizard.

Remove Activation Objects

  • Open Volume Activation Tools.
  • Click Next to continue past the Introduction to Volume Activation Services screen.

  • Select Active Directory-Based Activation for the Volume Activation Method and click Next.

  • Select Skip to Configuration and click Next.

  • Select the object you want to delete and click Commit.

  • Click Yes to confirm that you are deleting the activation object.

  • Click Close to exit the Volume Activation Tools.

  • Click Yes to confirm you are closing the wizard.

Testing

After adding the KMS host key to the Volume Activation Tools, the systems joined to your domain should start activating.

  • To double-check that systems are activating against the Active Directory-Based Activation, run the command slmgr /dlv

The output should show you that it’s activated against the Activation Object you created.

Summary

That’s all it takes to install, configure, and test Active Directory-Based Activation.

If you want to read more about Active Directory-Based Activation, here is Microsoft’s documentation.

Applies to

  • Windows 10
  • Windows 8.1
  • Windows 8
  • Windows Server 2012 R2
  • Windows Server 2012


Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that the forest schema be updated by adprep.exe on a computer running Windows Server 2012 or Windows Server 2012 R2, but after the schema is updated, older domain controllers can still activate clients. Any domain-joined computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2 with a GVLK will be activated automatically and transparently. They will stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention. To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console in Windows Server 2012 R2 or the VAMT in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10. The process proceeds as follows:

  1. Perform one of the following tasks:
    • Install the Volume Activation Services server role on a domain controller running Windows Server 2012 R2, and add a KMS host key by using the Volume Activation Tools Wizard.
    • Extend the domain to the Windows Server 2012 R2 schema level, and add a KMS host key by using the VAMT.
  2. Microsoft verifies the KMS host key, and an activation object is created.
  3. Client computers are activated by receiving the activation object from a domain controller during startup.

    Figure 10. The Active Directory-based activation flow

For environments in which all computers are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2, and they are joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers, and you may be able to remove any KMS hosts from your environment. If an environment will continue to contain earlier volume licensing operating systems and applications or if you have workgroup computers outside the domain, you need to maintain a KMS host to maintain activation status for earlier volume licensing editions of Windows and Office.

Clients that are activated with Active Directory-based activation will maintain their activated state for up to 180 days since the last contact with the domain, but they will periodically attempt to reactivate before then and at the end of the 180-day period. By default, this reactivation event occurs every seven days. When a reactivation event occurs, the client queries AD DS for the activation object. Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and GVLK match, reactivation occurs. If the AD DS object cannot be retrieved, client computers use KMS activation. If the computer is removed from the domain, when the computer or the Software Protection service is restarted, the operating system will change the status from activated to not activated, and the computer will try to activate with KMS.

Step-by-step configuration: Active Directory-based activation

Note
You must be a member of the local Administrators group on all computers mentioned in these steps. You also need to be a member of the Enterprise Administrators group, because setting up Active Directory-based activation changes forest-wide settings.

To configure Active Directory-based activation on Windows Server 2012 R2, complete the following steps:

  1. Use an account with Domain Administrator and Enterprise Administrator credentials to sign in to a domain controller.
  2. Launch Server Manager.
  3. Add the Volume Activation Services role, as shown in Figure 11.

    Figure 11. Adding the Volume Activation Services role

  4. Click the link to launch the Volume Activation Tools (Figure 12).

    Figure 12. Launching the Volume Activation Tools

  5. Select the Active Directory-Based Activation option (Figure 13).

    Figure 13. Selecting Active Directory-Based Activation

  6. Enter your KMS host key and (optionally) a display name (Figure 14).

    Figure 14. Entering your KMS host key

  7. Activate your KMS host key by phone or online (Figure 15).

    Figure 15. Choosing how to activate your product

  8. After activating the key, click Commit, and then click Close.

Verifying the configuration of Active Directory-based activation

To verify your Active Directory-based activation configuration, complete the following steps:

  1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that is configured by volume licensing.
  2. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the slmgr.vbs /ipk command and specifying the GVLK as the new product key.
  3. If the computer is not joined to your domain, join it to the domain.
  4. Sign in to the computer.
  5. Open Windows Explorer, right-click Computer, and then click Properties.
  6. Scroll down to the Windows activation section, and verify that this client has been activated.

    Note
    If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The slmgr.vbs /dlv command also indicates whether KMS has been used.
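When KMS and Active Directory-based activation coexist, the licensing WMI class that slmgr.vbs reads can report the channel directly, including the case where a domain-joined client fell back to KMS. This is an added example, not part of the original documentation: the function name Get-VolumeActivationChannel is illustrative, and the value mappings for LicenseStatus and VLActivationType follow the SoftwareLicensingProduct class as documented for Windows 8 and later, which is an assumption of this example.

```powershell
# Added example: report which volume activation channel each installed
# Windows product key used. Read-only; run locally or against a remote host.
function Get-VolumeActivationChannel {
    [CmdletBinding()]
    param(
        # Optional remote computer (hypothetical parameter; uses WinRM/CIM).
        [string]$ComputerName
    )

    $cim = @{}
    if ($ComputerName) { $cim['ComputerName'] = $ComputerName }

    # Well-known ApplicationID that identifies Windows (not Office) products.
    $windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'

    $statusNames = @{
        0 = 'Unlicensed';        1 = 'Licensed'
        2 = 'OOB grace';         3 = 'OOT grace'
        4 = 'Non-genuine grace'; 5 = 'Notification'
        6 = 'Extended grace'
    }
    $typeNames = @{ 0 = 'None'; 1 = 'Active Directory'; 2 = 'KMS'; 3 = 'Token' }

    $domainJoined = (Get-CimInstance @cim -ClassName Win32_ComputerSystem).PartOfDomain

    # Only products that actually have a key installed are of interest.
    $products = Get-CimInstance @cim -ClassName SoftwareLicensingProduct `
        -Filter "ApplicationID = '$windowsAppId' AND PartialProductKey IS NOT NULL"

    foreach ($p in $products) {
        # WMI returns UInt32; cast to int so the hashtable lookups match.
        $type = [int]$p.VLActivationType

        # Prefer an explicitly configured KMS host over a DNS-discovered one.
        $kmsHost = if ($p.KeyManagementServiceMachine) {
            $p.KeyManagementServiceMachine
        } else {
            $p.DiscoveredKeyManagementServiceMachineName
        }

        [pscustomobject]@{
            Product            = $p.Name
            LicenseStatus      = $statusNames[[int]$p.LicenseStatus]
            Channel            = $typeNames[$type]
            ActivationObject   = $p.ADActivationObjectName
            ActivationObjectDN = $p.ADActivationObjectDN
            KmsHost            = $kmsHost
            # GracePeriodRemaining is reported in minutes.
            GraceDaysRemaining = [math]::Round($p.GracePeriodRemaining / 1440, 1)
            # Domain member activated by KMS: the AD object was not used.
            KmsFallback        = ($domainJoined -and $type -eq 2)
        }
    }
}

Get-VolumeActivationChannel | Format-List
```

A KmsFallback value of True on a domain member is the case to investigate: the client could not retrieve a matching activation object and used KMS instead.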

Active Directory: This blogpost will show you how to activate your servers and clients – as simple as possible.

Goal

The goal is to have your servers and clients activated, as simple as possible, with no maintenance for the IT department.

Challenge

  • How do I activate my Windows licenses?
  • Do I use MAK or KMS keys?
  • What is the difference?

Those are some of the questions I hear a lot.

Just to clarify – if you buy a computer with an OEM license, you are allowed to reimage the computer and use a MAK or KMS license key to activate it.

You can get the MAK keys by buying a license for the operating system you want to activate at your license-dealer. It becomes available on the Microsoft license portal, and you can download and use it when you reimage the computer. A MAK key often has a limit of how many times you can use it for activating; therefore, we recommend that you convert MAK to a KMS license key.

By contacting the Microsoft licenses team, you can convert your MAK license to a KMS license, with no additional charge.

With KMS licenses, you have two choices: You can set up a local KMS server to handle your licenses or add the license key to your Active Directory. The last one is the recommended solution.

With Active Directory-Based activation, your servers and clients activate automatically with the KMS license key from Active Directory when they join the Domain. The key automatically revokes when the servers or clients unjoin the active directory.

Prerequisites

The Domain schema level must be a minimum of 2012.

Scope

You have support for Active Directory-Based activation on the following operating systems:

  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

How to add your KMS key to Active Directory

Add “Volume Activation Services” as a role on any server in your environment.

Open “Volume Activation Tools” on the server where you installed the role.

Choose “Active Directory-Based Activation” and, if needed, alternate credentials.

Add your KMS license key and enter a display name.

Your KMS AD keys can be viewed or deleted from the “Configuration” view.

Useful Links

https://docs.microsoft.com/en-us/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client

https://4sysops.com/archives/active-directory-based-activation-way-better-than-kms/

https://download.microsoft.com/download/3/d/4/3d42bdc2-6725-4b29-b75a-a5b04179958b/reimaging.pdf

By Consultant Kim Brandtberg. Employed by CapaSystems since 2018. Kim is a super talented and competent consultant. He takes pride in helping clients reach the best possible solution.


Microsoft requires that you activate newly installed Windows systems before you can use them. Product activation confirms that the installed copy of Windows has been properly licensed. Product activation is typically performed automatically over the Internet, although you can call Microsoft to manually activate a system if necessary. If you activate Windows over the Internet, the system contacts Microsoft online to verify its product key. If the Windows product key is valid, then the system is validated. However, if the product key isn’t valid, the Windows installation is branded as non-genuine and various notifications are displayed to remind the user to activate Windows.

The following steps compose the activation process:

  1. During the Windows installation, two unique identifiers are created for the system:

    • A unique product ID (PID) is created using the product key that you entered during the installation process.

    • Based on the system hardware, a unique hardware ID (HWID) is created. Every hardware component in the system has a unique serial number assigned to it. During installation, Windows runs a mathematical formula against each device’s serial number to create a one-way hash for each component. Then four to ten bits are extracted from each device’s hash to generate an eight-bit HWID that uniquely identifies the system.

  2. Windows contacts Microsoft through the Internet and sends a handshake request containing:

    • Your system’s PID.

    • Your system’s HWID.

    • The version number of the activation software running on the system.

    • A unique request ID number that is associated with the specific system.

  3. Microsoft verifies that the license associated with the PID allows system activation.

  4. If activation is allowed, Microsoft associates the PID with the system’s HWID. This prevents the same product key from being reused to activate Windows on a different system.

  5. A confirmation is sent back to the system in the form of a digital certificate signed by Microsoft, indicating that the system has been successfully activated.

Several Windows activation mechanisms are available. The mechanism you choose depends upon the distribution channel used to purchase Windows:

Full-packaged (Retail)

Retail copies of Windows must be activated over the Internet or by calling Microsoft after the installation is complete.

Preinstalled (OEM)

Because they are preinstalled, OEM copies of Windows are usually activated by the system manufacturer.

Volume Licensed

Windows systems installed under a volume license agreement can take advantage of volume activation. Windows systems in a large network are commonly installed using a generic volume license key (GVLK). This allows you to use the same key to license multiple systems until you reach the number allowed by your license agreement. Volume activation automates the activation process, making it easier to deploy a large number of Windows systems. You can implement volume activation in two ways:

  • Activation through Key Management Service (KMS) allows you to activate Windows systems using an internally hosted KMS service. KMS activations are valid for 180 days. To remain activated, each system must renew its activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every seven days.

  • Activation through Microsoft Active Directory allows Windows systems connected to the domain to activate automatically during computer startup. Windows stays activated as long as it remains a member of the domain.

You can use the Windows Software Licensing Management utility (slmgr.vbs) to manage activation from the command line. Enter slmgr with the appropriate options at an administrator-level command prompt:

  • /ipk product_key installs a product key.

  • /ato activates Windows.

  • /dli displays summary license information.

  • /dlv displays detailed license information.

  • /xpr displays license expiration date.


Activating Windows Server with Key Management Service (KMS)

KMS is a service that runs on a Windows Server and allows other Windows servers and clients to activate against it. The KMS host holds a pool of activation keys for the Windows Server, and when a client contacts the KMS host, it will activate the client with one of these keys.

Before you can activate Windows Server with KMS, you must first install the KMS host key on the server that will be running the KMS service. This key can be obtained from the Microsoft Volume Licensing Service Center (VLSC) or from the Microsoft Developer Network (MSDN).

Once the KMS host key is installed, you can configure the KMS service on the server. This can be done by running the "slmgr.vbs" script with the "/skms" option and specifying the DNS name or IP address of the KMS host. You can also specify the port that the KMS service will use (the default is 1688).

After the KMS service is configured, you can activate Windows Server on the client machines by running the "slmgr.vbs" script with the "/ato" option. This will contact the KMS host and activate the client with one of the keys in the host’s pool.

One important thing to note is that KMS requires a minimum number of activations before it will start activating clients. This minimum is 25 for Windows Server 2008 and Windows Server 2008 R2, and 5 for Windows Server 2012 and later. This means that you must have at least 25 or 5 Windows Server clients that will be activating against the KMS host before it will start activating them.

In conclusion, activating Windows Server with KMS is a simple and efficient way to manage the activation of Windows Server in your organization. By installing the KMS host key and configuring the KMS service on a Windows Server, you can easily activate other Windows Server and client machines. This can save your organization time and money, as well as ensure that all of your Windows Server systems are properly licensed.


Activate using Active Directory-based activation

Like KMS, Active Directory-based activation (ADBA) is used to activate Windows and Office in your corporate network.
ADBA is a more reliable and redundant solution, and it has significant advantages compared to KMS which makes it the best option for activating clients’ machines.
As you can guess by its name, ADBA relies on Active Directory Domain Services to store activation objects and transparently activate domain-joined computers.

With Active Directory-Based activation, your servers and clients activate automatically with the KMS license key from Active Directory when they join the Domain. The key automatically revokes when the servers or clients unjoin the active directory.

Prerequisites

The Domain schema level must be a minimum of 2012.

Scope

You have support for Active Directory-Based activation on the following operating systems:

  • Windows 8

  • Windows 8.1

  • Windows 10

  • Windows Server 2012

  • Windows Server 2012 R2

  • Windows Server 2016

  • Windows Server 2019



I have followed multiple articles and videos to find the above information, feel free to correct me if I’m wrong somewhere. Kindly give your feedback and contact me over here.

Thank You!
