Windows Vista introduces new challenges for network administrators when it comes to activating the OS. You either use limited-use Multiple Activation Keys (MAKs) or implement a Key Management Service (KMS) host, usually just called a key management server. Key management servers sound like a good idea, but they present special problems and require quite a bit of oversight. If a key management server fails and you don't notice it for a long time, the Vista workstations that depend on that server will eventually lose their activation and drop into reduced-functionality mode.
Although a key management server failure won't be immediately catastrophic, it is still better to prevent a failure from occurring in the first place rather than cleaning up the mess after the server has failed. Fortunately, Microsoft makes a MOM management pack specifically designed to monitor Vista key management servers.
Why key management servers present problems
Obviously, you never want any of the servers in your organization to fail, but the failure of a key management server probably doesn’t sound like that big of a deal. If the key management server simply assigned a product key to new workstations, then a failure probably wouldn’t be a huge deal, since product keys could still be assigned manually. However, Vista key management servers work in a rather unusual manner.
When Vista is installed onto a new PC in an organization that uses volume licensing, the installation does not initially use a product key. Instead, the PC runs in an initial grace period and, starting about two hours after installation, tries to contact a key management server for activation; it keeps retrying every two hours until it succeeds.
Here’s where things get odd. As I’m sure you know, in Windows XP, activating Windows was a permanent operation. Once Windows was activated, there was no risk of it becoming deactivated, unless the hardware changed significantly or the product key was pirated. When a key management server activates a Vista client, however, the activation is temporary.
When a key management server activates a Vista workstation, the activation is only valid for 180 days (roughly six months). To ensure that the activation never expires, each workstation contacts the key management server every seven days to renew its activation, and each successful renewal resets the 180-day clock.
To be perfectly frank, a failed key management server is not the end of the world, but it is not trivial either. You can't keep a volume-licensed Vista workstation activated by typing in a key the way you could in Windows XP; the only manual fallback is to switch the workstation to a Multiple Activation Key. Even so, a failure won't cause any immediate problems. A workstation that has never been activated gets a 30-day grace period before it is reduced to reduced-functionality mode. A workstation that has already been activated keeps whatever remains of its 180-day activation period, counted from its last successful renewal, and then gets a further 30-day grace period. In the best case, then, it will be about seven months before the PC is placed into reduced-functionality mode (the 180-day activation period, plus a 30-day grace period); how much of that window you actually have depends on how long ago each workstation last renewed.
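The activation lifecycle described above can be checked directly on a workstation. The following script is an added example, not code from the original article or from Microsoft; it reads the same WMI class that slmgr.vbs /dlv reports from (SoftwareLicensingProduct) and assumes the property names and LicenseStatus values listed in the comments, so verify them against your own build. The Windows application ID and the VOLUME_KMSCLIENT description text are the ones Windows uses to distinguish the operating system's own KMS-client entry from other licensed products.

```powershell
# Added example (not from the original article): report a Vista volume-license
# client's activation state, the KMS host it uses, and how close it is to
# reduced-functionality mode. Assumes WMI access to the target machine and the
# SoftwareLicensingProduct property names that slmgr.vbs /dlv also displays.
param([string]$ComputerName = $env:COMPUTERNAME)

# LicenseStatus values as documented for SoftwareLicensingProduct (assumption:
# check against your build's documentation).
$statusNames = @{
    0 = 'Unlicensed'
    1 = 'Licensed'
    2 = 'Initial grace period (never activated)'
    3 = 'Additional grace period (KMS activation expired)'
    4 = 'Non-genuine grace period'
    5 = 'Notification'
    6 = 'Extended grace period'
}

# Application ID of Windows itself; Office and other products have their own.
$windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'

$product = Get-WmiObject -ComputerName $ComputerName -Class SoftwareLicensingProduct |
           Where-Object { $_.ApplicationID -eq $windowsAppId -and $_.PartialProductKey } |
           Select-Object -First 1
if (-not $product) { throw "No Windows product key found on $ComputerName" }

$isKmsClient   = $product.Description -like '*VOLUME_KMSCLIENT*'
$daysRemaining = [math]::Round($product.GracePeriodRemaining / 1440, 1)   # WMI reports minutes
$state         = $statusNames[[int]$product.LicenseStatus]

"$ComputerName : $state, $daysRemaining days remaining"

if (-not $isKmsClient) {
    "Not a KMS client (MAK or retail key); no renewal needed."
    return
}

# KeyManagementServiceMachine is set by slmgr.vbs /skms; empty means the
# client finds its host through the _vlmcs._tcp SRV record in DNS.
$kms = $product.KeyManagementServiceMachine
if (-not $kms) { $kms = '(auto-discovered via DNS)' }
"KMS host: $kms, renewal interval: $($product.VLRenewalInterval / 60) hours"

# A healthy client renews every 7 days and each renewal resets the clock to
# 180 days, so a licensed client should never show much less than 173 days.
if ($product.LicenseStatus -eq 1 -and $daysRemaining -lt 170) {
    "WARNING: renewals appear to be failing (a healthy client shows 173-180 days)"
} elseif ($product.LicenseStatus -ne 1) {
    "WARNING: not activated; reduced functionality in $daysRemaining days unless a KMS host is reached"
}
```

Run it against a few workstations after a suspected outage: a machine that still reports Licensed but with well under 173 days left has already missed at least one renewal, which is the earliest sign of a dead key management server you will get from the client side.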
Acquiring the Management Pack
The Microsoft Windows Key Management Service Management Pack for Microsoft Operations Manager 2005 is freely available for download from Microsoft's Web site. The download consists of a half-megabyte Windows Installer package (an MSI file).
There aren’t really any special licensing considerations for the management pack. The license is set up so any machine with a valid Microsoft Operations Manager 2005 license is allowed to run the management pack.
Installing the Management Pack
Normally, when you double-click on an MSI file, Windows launches a Setup wizard that prompts you to accept the application's license agreement and guides you through the rest of the installation process. The MSI file associated with this management pack works a little differently. When you double-click on the file you have downloaded, Windows does launch a Setup wizard, and, as you would expect, it asks you to accept the software's license agreement and prompts you for an installation path. From that point, the Setup wizard copies the necessary files to the location you have specified, but the management pack itself is not installed into MOM.
Instead, you will have to import the management pack into MOM. To do so, open the MOM 2005 Administrator console and click the Import Management Packs link found on the console's main screen, as shown in Figure A.
Figure A: Click the Import Management Packs link.
At this point, Windows will launch the Management Pack Import/Export Wizard. Press Next to bypass the wizard's Welcome screen; you will see a screen asking you whether you want to perform an import or an export. Choose the option to import management packs, and press Next. You will now see a screen prompting you for the location of the management pack that you want to import. By default, the installer you ran earlier placed the key management server management pack files in the C:\Program Files\MOM 2005\KMSReporting\KMSMomPack\MOM Pack folder. Use the Browse button to select this folder, and press Next.
You should now see a screen similar to the one shown in Figure B. As you can see, this screen asks you which management packs you want to import. Select the KeyManagementServerMP.akm option. As a precaution, select the Update Existing Management Pack option and make sure that the Backup Existing Management Pack check box is selected.
Figure B: Import the KeyManagementServerMP.akm file.
Press Next, followed by Finish, to complete the import process.
Completing the configuration process
Although you have imported the management pack, there are still a couple of things you need to do before you can use MOM to keep an eye on your key management server. The first of these tasks involves deploying an agent to your key management servers. This agent allows the MOM server to communicate with the server being monitored.
To deploy the MOM agents, go back to the screen shown in Figure A, and select the Install Agents link. When you do, Windows will launch the Install/Uninstall Agents wizard. When the wizard starts, press Next to bypass the wizard's Welcome screen. You will then see a screen asking if you want to browse for computer names or enter search criteria. Choose the option to browse the network for computer names, and press Next. You should now see a screen that gives you the opportunity to enter the names of the computers you are going to be monitoring. Assuming you know the names of your key management servers, type in the NetBIOS name or the fully qualified domain name of those computers. If you need some help, you can always press Browse and select the key management servers from the browse list.
Press Next and you will be prompted to specify the account you will use to manage the agents. You can use either the Management Server Action Account, or you can specify a domain account. In most cases, you will probably want to use the Management Server Action Account, but there is nothing wrong with using a domain account if that better meets your needs.
Press Next and you will be prompted to specify the Agent Action Account. In most cases, you should accept the default option of using the Local System Account, but you can provide a domain account if necessary.
Press Next and you will be asked to provide the path in which the agent should be installed on the key management server. Just go with the default path, and press Next. You will now see a summary screen displaying the options that you have specified. Assuming all of your choices look good, press Finish to deploy the agent.
Technically, you have now done everything necessary to start monitoring the key management server. Your goal is to use MOM to monitor your key management server for failures and for conditions that could potentially lead to a failure. With this goal in mind, take into account that a key management server is not an independent entity. The key management server depends on Active Directory and on DNS: clients locate the server through an SRV record in DNS, and the server publishes that record through dynamic DNS update. There are several additional management packs that I recommend importing into your MOM server.
The techniques for importing these management packs are beyond the scope of this article, but if you want MOM to monitor the Active Directory, you will need to deploy the MOM agent to your domain controllers and then use the Operating System and Active Directory management packs to monitor those servers. Likewise, if you want to monitor your DNS servers, you will want to deploy an agent to your DNS server and then use the Operating System, Active Directory, and DNS management packs to monitor the DNS server.
Monitoring Key Management Servers
Now that I have shown you how to deploy and configure the key management server management pack, I want to turn my attention to the actual monitoring process. For those of you who have never used MOM before, MOM works by collecting event log information from the system being monitored and then using that information to determine the system's overall health.
One of MOM’s goals is to keep the management process as simple as possible. In order to do so, the key management server’s status is color coded as green, yellow, or red. As you would probably expect, a status color of green indicates that the key management server is running normally.
Two different conditions can cause MOM to report a key management server status of yellow: the KMS count is low, or the server is missing activation requests. In case you're wondering, the KMS count is the number of distinct volume-licensed machines that have contacted the server recently (each client is identified by a unique client machine ID, and IDs that have not checked in for 30 days drop out of the count). The server refuses to activate anyone until that count reaches its activation threshold, which is 25 for Windows Vista clients, so MOM considers the count low when it is below the threshold and activations cannot be sustained.
If MOM detects that the key management server is missing activation requests, it will alert administrators to a possible key management server or network failure. MOM watches for this condition by looking for Event ID 12290. This is the event ID that is logged when activation or renewal requests are received by the key management server. If no 12290 events occur in an eight-hour period, then MOM assumes that the server is missing activation requests.
As you have probably already guessed, MOM sets the key management server’s status to red if it detects that a failure has occurred. There are two types of failures that can cause the server’s status to be set to red: a DNS publishing failure or a key management server timer initialization failure.
A DNS publishing failure means that the key management server was unable to create or modify its SRV record (_vlmcs._tcp in the domain's DNS zone, pointing at the server on TCP port 1688) on the DNS server. The key management server assumes by default that the organization is running an Active Directory-integrated DNS server configured to accept dynamic updates. If this is not the case, then you must open a Command Prompt window on the key management server (using elevated privileges) and enter the following command: cscript slmgr.vbs /cdns. This will prevent the key management server from publishing records to the DNS server (cscript slmgr.vbs /sdns turns publishing back on). Once publishing is disabled, the failure alert goes away, but you must then create the _vlmcs._tcp SRV record by hand, or configure each client with the server's name using slmgr.vbs /skms, because otherwise clients have no way to find the server.
A timer initialization failure occurs when a volume licensed client attempts to renew activation, but is unable to initialize the key management server’s renewal timer. This condition is almost always caused by either key management service failure or OS corruption.
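The yellow and red conditions above can be reproduced outside MOM, which is useful for spot checks and for confirming that the management pack's alerts are accurate. The following script is an added example written for this article, not part of the management pack or of Microsoft's tools. It runs on the KMS host itself and assumes PowerShell 2.0 or later, the SoftwareLicensingService property names noted in the comments, and the field order of the Info line inside event 12290 as I have observed it; treat those as assumptions to verify against one of your own 12290 entries before relying on the parsed fields.

```powershell
# Added example (not part of the original article or the management pack):
# evaluate a KMS host against the same Green/Yellow/Red conditions the
# management pack uses. Run on the KMS host. Assumes PowerShell 2.0+ and the
# SoftwareLicensingService properties named below (verify on your build).
param(
    [int]$QuietHours = 8,                  # no event 12290 within this window -> Yellow
    [string]$Domain  = $env:USERDNSDOMAIN  # zone that should hold _vlmcs._tcp
)

$status  = 'Green'
$reasons = @()

# --- 1. Missing activation requests -----------------------------------------
# Every activation or renewal request logs event 12290 in this log.
$since  = (Get-Date).AddHours(-$QuietHours)
$events = @(Get-EventLog -LogName 'Key Management Service' -Newest 5000 |
            Where-Object { $_.EventID -eq 12290 -and $_.TimeGenerated -gt $since })

if ($events.Count -eq 0) {
    $status   = 'Yellow'
    $reasons += "no activation or renewal requests (event 12290) in the last $QuietHours hours"
}

# Each 12290 carries a comma-separated Info line. Assumed field order:
# error code, minimum count, client FQDN, client machine ID, client timestamp,
# is-VM flag, license state, minutes until that state expires.
$clients = @{}
foreach ($e in $events) {
    $info = $e.Message -split "`n" | Where-Object { $_ -match '^\s*0x[0-9A-Fa-f]+,' } | Select-Object -First 1
    if (-not $info) { continue }
    $f = $info.Trim() -split ','
    $clients[$f[3]] = $f[2]                        # distinct CMIDs seen in the window
    if ($f[0] -ne '0x0') { $reasons += "request from $($f[2]) returned error $($f[0])" }
}

# --- 2. KMS count below the activation threshold ----------------------------
# KeyManagementServiceCurrentCount and RequiredClientCount are assumed property
# names (they back the "Current count" and threshold shown by slmgr.vbs /dlv).
$svc = Get-WmiObject -Class SoftwareLicensingService
if ($svc.KeyManagementServiceCurrentCount -lt $svc.RequiredClientCount) {
    $status   = 'Yellow'
    $reasons += "KMS count $($svc.KeyManagementServiceCurrentCount) is below the required $($svc.RequiredClientCount); clients will not be activated"
}

# --- 3. DNS publishing failure (Red) ----------------------------------------
# If the host is supposed to publish its SRV record, the record must exist.
if ($svc.KeyManagementServiceDnsPublishing) {
    $srv = & nslookup -type=srv "_vlmcs._tcp.$Domain" 2>&1 | Out-String
    if ($srv -match 'svr hostname\s*=\s*(\S+)') {
        "SRV record _vlmcs._tcp.$Domain resolves to $($matches[1])"
    } else {
        $status   = 'Red'
        $reasons += "_vlmcs._tcp.$Domain has no SRV record although DNS publishing is enabled"
    }
} else {
    "DNS publishing is disabled (slmgr.vbs /cdns); make sure the SRV record exists or clients use /skms"
}

"KMS host $env:COMPUTERNAME status: $status"
"Distinct clients seen in the last $QuietHours hours: $($clients.Count)"
$reasons | ForEach-Object { "  - $_" }
```

The script deliberately mirrors the management pack's logic rather than replacing it: the eight-hour quiet window and the count-versus-threshold test are the two yellow conditions, and a missing SRV record while publishing is enabled is the red one. If the script reports Yellow for missing requests while MOM shows Green, check that the agent on the KMS host is actually forwarding the Key Management Service log.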
So far, I have talked primarily about MOM's diagnostic capabilities. However, MOM can also compile a variety of reports regarding the key management server's performance. Below is a list of the reports that MOM can produce and what each report includes:
- Activation Count Summary: Shows the number of activations for each edition of Windows.
- KMS Activation History: Displays both activations and renewal requests on a daily basis.
- Licensing Status Summary: Shows the amount of time remaining before licenses expire on volume licensing clients that have connected to the key management server.
- Machine Expiration Chart: Displays the machines currently functioning in Grace mode (as opposed to being activated) that are at risk of reverting to Reduced-functionality mode in the next 30 days.
- Machine Expiration Detail: Displays the machines currently functioning in Grace mode (as opposed to being activated) that are at risk of reverting to Reduced-functionality mode in the next seven days.
- Virtual Machine Summary: Shows the number of physical and virtual machines activated in the last 14 days.
MOM to the rescue
As you can see, MOM can greatly assist with the task of managing and monitoring your key management servers. In this article, I have explained how to deploy the KMS management packs for MOM and discussed the types of information the management pack provides.