Your are here: Home > Blog

Holiday Survival Kit for “Techies”

November 30th, 2009 | Posted by Sid Herron in General - (0 Comments)

Adrian Kingsly-Hughes wrote a great article on his zdnet blog entitled “Turkey Day” tech support survival kit. Even though Thanksgiving Day is behind us, those who are technically inclined will have ample opportunities through the rest of the Holiday Season to be buttonholed by family and friends who are…um…technically challenged.

This article describes how, with a little planning and preparation (and a few large-capacity USB flash drives), you can be ready to ride to the rescue of those whose plaintive cries for help can’t be ignored without negative social consequences.

Fenwick Sighted at Seattle Interface Show

November 24th, 2009 | Posted by Sid Herron in General - (0 Comments)

Fenwick J. Moose (our PR Manager) attended last week’s Seattle Interface show. In addition to hanging out at the Watchguard booth, Fenwick took a turn around the show floor, where, of course, he was mobbed by people clamoring to have their pictures taken with him. Here are just a few (click on picture to view full size):

Working the Watchguard booth

Working the Watchguard booth


With Peter and Kristin of Watchguard

With Peter and Kristin of Watchguard


Yuan-Chi Hsu and Julian Wilcoxon of Citrix

Yuan-Chi Hsu and Julian Wilcoxon of Citrix


With Chad Arnold and a colleague at the TW Telecom booth

With Chad Arnold and a colleague at the TW Telecom booth


Our friends at 3R Technology - the PC recycling folks

Our friends at 3R Technology - the PC recycling folks


Our buddies Dave Brown and John Ford from DataCore

Our buddies Dave Brown and John Ford from DataCore


In our opinion, the Face2Face folks do a great job putting together a 1-day show with a lot of good content. It’s probably the best-attended local technology trade show in Seattle these days. Plan ahead to check with http://f2fevents.com and sign up for next year’s show.

You can also view more Interface pictures on Fenwick’s Facebook page. (Yes, he has his own…and if you’re on Facebook, you too can be a Friend of Fenwick.)

How Difficult Are You Making It?

November 24th, 2009 | Posted by Shane Kalles in General - (1 Comments)

I have gone through an interesting business exchange recently. It left me confused and irritated – not to mention I have now wasted way too much time on getting no results. As marketing manager here at Moose Logic I am always trying to find ways to best leverage money vs. time when it comes to marketing activities. Things have been picking up a bit lately and at the time of this story I have 4 confirmed live events happening in the next 3 months. I am realizing that I no longer have time to properly advertise one of the aforementioned events, but I do have budget for it.

To my luck Moose Logic has recently been contacted by a company that is offering the exact services I need. Since I have never contracted out for these services I was in no position to just “sign up” without doing my due diligence. I looked around a bit on the internet to discover certain trends and tips when hiring for these types of marketing services. Feeling better prepared to handle the outsourcing of this task I now went looking for pricing. The marketing company that had contacted Moose Logic (let’s call them Company X) got the benefit of my first call because of their proactive efforts in contacting us.

I asked another co-worker to reach out to this company and find out what their pricing is. The initial contact was simple – they asked what services we were looking for, when we needed the services, etc., all of which we happily answered.  At the end of the conversation my co-worker asked for a quote for their services. A few hours later she received an email from what I assume is the supervisor of the person who answered the phone.

Form Letter from Marketing Company X

Form Letter from Marketing Company X

This is clearly a form letter that is updated with our information, but totally disregards the phone conversation we just had with them, and more importantly does not give us any pricing for the services just requested.

So we reached out to Company X again to say thanks for the information but we are really trying to getting a quote for services. Shortly afterward we got another email – with a PDF attachment. “Alright, a quote!” I think to myself as I open the attachment.

Boiler Plate PDF from Marketing Company X

Boiler Plate PDF from Marketing Company X

This is just page 1 of 3 of the PDF we received from Company X. Needless to say, there was no price attached anywhere – not in the email, not in the PDF.  Just more “boilerplate” saying what a great company they are, how awesome their services are, etc.

So, this got me thinking about how we do business here at Moose Logic. How many road blocks to business do we put up without even being aware of it? Do we try too hard to tell everyone why do business with us, rather than just doing business? If there are hurdles in our business, how do we find them and address them?

What about your business? Do you make it easy for your customers to do business with you, or are you losing business without even realizing it? Who do you ask to find out?

Well, I offer up Moose Logic and this blog post as a forum for anyone who wishes to tell us one way or the other on our business processes and our responsiveness to customer needs, or anyone who just wants to relate a similar story. We may all learn something new.

Disaster At the Interface Show

November 20th, 2009 | Posted by Sid Herron in General - (0 Comments)

Moose Logic had a great time yesterday in the Watchguard booth at the Seattle Interface Show. Several of you filled out forms requesting evaluations of Watchguard products, or information in other areas of interest. Unfortunately, all of those forms were taken in a vehicle break-in at the parking garage of the Convention Center – along with pretty much everything else that was in the car.

If we promised you information, and you’re wondering why you haven’t heard from us, please contact us so we can make sure you get the information you’re looking for, and please accept our apologies for the inconvenience!

Implementing the New Citrix XenDesktop 4 Licensing Model

November 20th, 2009 | Posted by Steve Parlee in Citrix | Licensing | VDI | XenDesktop - (0 Comments)

A couple of days ago, while reviewing some of the blog posts here, I happened to read Sid’s post regarding Citrix’s new per device or per user licensing model for XenDesktop 4. That led, in a somewhat convoluted way, to this post, which will focus on how you would implement this new model.

Even though I already knew some of the changes that were being incorporated into this licensing model, as soon as I read his post I immediately asked myself how, exactly, from a technical standpoint that was going to work? You see, at that exact point in time I was actively working on upgrading our XenDesktop (XD) and Provisioning Server (PVS) lab to XD4 and PVS5.1 sp1, so this topic really interested me – for the simple reason that what Citrix says is supposed to happen was not what I was seeing in my lab. At that point I was already running XenDesktop 4.0 in my lab, and I’d done nothing to put any per user or per devices licenses in place (I do however still have my previous XD Platinum Licenses from my XD 3.0 build on my 11.6.1 license server), but everything worked and I was not getting any license errors. Strange, you say? I agree!

So, like any curious tech, I started what turned out to be a long and exhaustive search for information regarding how the new license model should be implemented. But after a few hours, and a few emails between Sid and I, I had unfortunately turned up nothing, zilch, nada! In fact, the only thing I could find from Citrix – and this is pretty much common knowledge at this point because lots of people have already blogged on the topic – is the set of XenDesktop 4 documents located in the new Citrix eDocs Library. However, if you actually plow through the XenDesktop 4 documents, you will discover that there is no information on how, from a technical standpoint, this new license model is supposed to be implemented.

During my search I did run across one (yes, only one) blog post which had some insight regarding how it will actually work. That blog post was by Helge Klein of Sepago, a Citrix partner in Cologne, Germany. In that post, Helge states, “If what I have been told is true, the current version of XenDesktop 4 has no licensing enforcement built in.” (emphasis added) Now that statement really got me interested, because that was consistent with what I was actually seeing in my lab, but could it really be true?

Again, my curiosity required that I had to verify this information one way or the other. So today I picked up the phone, called the Citrix XenDesktop support team, and asked, “How does it work?” The initial answer (which I actually expected and would have bet money on) was, “I don’t know!”

To the credit of the Citrix technical support person I had on the phone, he did not just let this drop. Rather, he kept digging and reviewing information until he finally turned up an “internal only” document – which, of course, he could not share with me. However, based upon what he was reading in that document, his answer – specifically regarding the named user model – was that any user who is supposed to be assigned a license will need to be placed into the OU that was created during the install of the Desktop Delivery Controller (DDC). My reaction was, “What? You guys are going to require a business to move their users from their current OU(s), which may have group policies being applied, and place them into the XD OU? That’s crazy, because businesses, especially larger enterprises, are going to laugh at us!” Then I asked, “Can we at least nest the OUs to maintain GPO and AD structure?” to which the answer again was, “I don’t know.”

Once again, to the credit of the Citrix support person, I was asked to hold and give him a few minutes so that he could go talk to the escalation team and get a definitive answer. When he returned he confirmed what he had told me about how it was supposed to work…however, he also confirmed that today in XenDesktop 4.0 there is no license enforcement mechanism coded into the product. Basically, the license enforcement is based upon the honor system and what is written in the EULA.

That’s not necessarily bad – it’s worked reasonably well for Microsoft for many years. And our experience over the years has been that nearly all businesses want to be legally licensed, and will comply with license requirements as long as (1) they understand what constitutes compliance (which hasn’t always been easy), and (2) they don’t feel like they’re being ripped off. But it’s certainly a bit unexpected, to say the least.

So, finally, I had the answer directly from the Citrix XenDesktop support team regarding how it is implemented, which left only one more question: When will license enforcement be implemented? The answer: “I don’t know!” So, until Citrix decides to shed some light on this for us, we’ll just live with EULA-enforced licensing.

One last thought: With all due respect, wouldn’t you think that Citrix would want to tell their own internal support people the details about something like this BEFORE the product actually launches? Maybe they didn’t want the world to know about the lack of license enforcement – but things like that always come out…it’s just a matter of time. (Pssst! Hey, Citrix – it’s not a secret anymore!)

, , , ,

Let the Reader Beware

November 18th, 2009 | Posted by Sid Herron in Citrix | High Availability | Virtualization | VMware - (0 Comments)

The TechTarget family of blog sites has a lot of great information. That’s why we have several of their sites linked in our Blogroll (under “Virtualization” in the right sidebar). But one thing that I don’t like about their sites is that – unlike this blog – there is no way to directly comment on their posts. That makes it difficult to respond to posts like the one last week on VMware’s High Availability (VMHA).

In that post, author David Davis opens by stating:

VMware’s High Availability (VMHA) provides high availability to any guest operating system at a potentially much lower cost than other HA options (as you don’t have to pay per virtual machines [VMs] or per server; VMHA is included in the price of vSphere).

I have a couple of problems with this statement.

First, I don’t know what “a potentially much lower cost” means. Is it less expensive than other HA options, or isn’t it? If it is, which other HA options are you comparing it to? If you’re going to throw that line out there, shouldn’t you give us the data on which the statement is based?

Second, it appears that the “lower cost” claim is primarily based on the fact that VMHA is included in the price of vSphere, rather than requiring a separate license. That’s a little like claiming that the high-end German sound system is less expensive if you get it in a Mercedes – because it’s standard equipment – whereas if you want one in your Malibu you have to buy it separately. What matters is the total amount of money I have to spend to get all the functionality I need, isn’t it?

It is true that with, say, Citrix XenServer, you have to purchase a Citrix Essentials for XenServer license to get HA functionality. That will cost you, at the suggested retail price (which nobody actually pays), $2,500 per XenServer for the Enterprise Edition. But the copy of XenServer you’re putting it on is free. On the other hand, vSphere 4 lists for $2,875 per processor, so if I’m using dual-processor servers, I’m looking at $5,750 for vSphere 4 compared to $2,500 for that copy of Essentials for XenServer. If I’m using quad-processor servers, vSphere 4 is going to run $11,500, but I still only need that single license for Essentials. And don’t forget the cost of VirtualCenter to control my vSphere environment, whereas XenCenter is, again, free, and runs on a workstation rather than requiring a dedicated server.

The point of this post is not to argue the relative merits of vSphere vs. XenServer, nor of whose HA feature is better. In fact, if you follow this blog, you’ll know that we’ve raised some red flags regarding how to properly deploy XenServer HA without risking potentially “career-altering” disasters. The point is simply that the old adage “don’t believe everything you read” is particularly appropriate for stuff you read on the Internet. (But you already knew that, right?)

People who throw out unsubstantiated generalized statements need to be challenged. If the TechTarget site allowed comments, I would have challenged the statement there. Since they don’t, I’m challenging it here. If I’m missing something, David Davis (or anyone else, for that matter) is welcome to comment on this post and point out what it is.

, , , , ,

Installing Windows Live Messenger on Server 2008

November 18th, 2009 | Posted by Ryan Parlee in Citrix | Microsoft | Troubleshooting and How-Tos | XenApp - (1 Comments)

This post was inspired by my quest to install the newest version of Windows Live Messenger on our 32-bit, Windows Server 2008 servers running XenApp 5.0 here at Moose.  We were previously running Live Messenger 8.5 until it started prompting us that an update was available and would not let us use the program until it was updated.  This update is mandated by Microsoft to keep everyone’s messengers up-to-date to protect against security flaws.

According to the Windows Live Essentials System Requirements, you can install it on Server 2008…HA!  Good luck!  Standard attempts to install just don’t work – it goes through the process and at the end of the installation it rolls everything back. (Note: Click on an image to view full-size.)

Live Messenger System Requirements

Live Messenger System Requirements


I tried a couple of different approaches, including copying the bits from C:\program files\Windows Live\Messenger on a Vista SP2 box over to the Citrix XenApp Servers, but that didn’t work either (big surprise).

By default, the package you download from http://download.live.com to install Live Messenger is a small executable that asks you what other programs you want to install.  Once you’ve made your choices, it downloads the actual installation bits from the Internet.  There is a full download that contains all the installers, but you won’t find it on a Microsoft site (at least I couldn’t).  I ultimately found it on this third-party Web site. You can do the installation with either package, but I did it with the full 140 Mb package, so I know it works that way.

I have not found any way to extract the contents of the full package executable into separate .msi files for each product.  You can browse to c:\program files\common files\windows live\.cache\ and search for the particular piece you’re looking for (Messenger.msi in my case), but it is a silent install, and things still didn’t work after trying to install it on Server 2008.

The solution I found was to actually hack the installer to allow it to install on a server OS.

I found an article via a Google search that is actually for installing Windows Live Wave 3 Beta on unsupported x86 and x64 versions of Server 2003 and 2008, and discovered that the method worked perfectly for Live Messenger as well.

To install Live messenger you will need to download:

  1. The full install of Windows Live Essentials;
  2. “Resource Hacker” from the link in the article above. I chose the UK mirror.

Customization and Installation steps:

  1. Extract the ResHack.zip file to your hard drive (anywhere works, I used the Desktop).
  2. Launch ResHack.exe from the extracted files.
  3. Open the Windows Live Installer executable (WLSetup-All.exe or WLSetup-Web.exe).
    4. Open the Windows Live installer file

    Open the Windows Live installer file

  4. Locate CONFIG -> CONFIG0 -> 0.
    5. Using ResHack

    Using ResHack

  5. Select-All and copy the XML code into a text editor such as Notepad (choose Word Wrap from the Format menu in Notepad to make it easier to edit)
  6. Find ‘os productType=”workstation”’  and replace ‘workstation’ with ‘server’
    7. Select Text to Replace

    Select Text to Replace

  7. Copy/paste the XML code back into ResHack, replacing the old code
  8. Click ‘Compile Script’
    9. Compile Script

    Compile Script

  9. Select File -> Save and save the modified executable (Make sure to put .exe on the end of the filename and name it something unique).  It’s 140Mb – be patient as it compiles the executable.
  10. Run the modified executable.

The Windows Live applications should now be installed on Server 2008!

Happy Messaging!

, ,

Customizing XenServer’s HA Pool Timeout Settings

November 12th, 2009 | Posted by Steve Parlee in Citrix | High Availability | Troubleshooting and How-Tos | Virtualization | XenServer - (0 Comments)

Recently I wrote a post about the hazards of XenServer HA and how to avoid a couple of different pitfalls which lead to XenServer fencing. In that post I talked about the necessity of correctly setting the HA heartbeat timeout for your environment so that your XenServers will allow enough time for a storage failover to occur. The idea, of course, is to prevent your XenServer from going into a “fence” condition which can occur for many reasons. The reason we’re discussing here is triggered when the XenServer believes its storage has suddenly become unavailable and it is not able to recover its state quickly enough to prevent the HA timeout from fencing the server.

I frequently build environments that use a pair of replicated DataCore SANmelody nodes (two physical nodes) and configure my XenServer in a multipath configuration. With this configuration my XenServers see two active paths to their storage (the status of the multipath is shown in the image below) – one path to each of the two nodes. If, for example, one of the SANmelody nodes goes off line, the other node will immediately take over. However, the XenServers have to be given enough time to fully recognize a failover has occurred, and the storage is still available, in order to avoid a fence. The default HA timeout in XenServer is 30 seconds which means if it takes a XenServer more than 30 seconds to realize the storage is still healthy and available then the server will fence. If the storage was indeed still available, then more than likely there were still VM guests up and running on the XenServer, which have now been taken offline unnecessarily.

To test and tune this setting I first make sure HA is enabled on the pool, then I perform hard failover tests where, using a DRAC or iLO card if I have one, I suddenly power cycle one of the storage servers and watch to see if any XenServers fence. I run this hard power cycle test because this specific problem never comes up with simple storage stops and restarts; rather it only shows up when a storage server actually goes down suddenly, or “hard,” as we say. So I run these tests because I want to stress the system to simulate unfortunate things like power failures, sudden server reboots due to gremlins, and other things along those lines. If nothing happens then great – let’s go home and we can sleep well knowing HA is working correctly. But what if you do have one or more servers which do fence because they believe their storage is gone when in fact it is not?

The last time I had this happen to me I had to test my environment several times, and with each successive run through the hard failover test I used a different timeout setting. In the end I found that 120 seconds worked best for me. (Keep in mind I am doing this during a build and there are no live production workloads running on any of these servers.)

So what is the downside of setting your timeout this high? Well, if a XenServer really fails (for whatever reason) it will take about 120 seconds for the Pool to decide there is a problem and then take action to restart the VMs elsewhere based upon available resources and the restart priority of each VM. Personally, I’d rather wait the 120 seconds when something has really gone wrong than suffer an unnecessary fence/shutdown when all the VMs were actually still running fine.

So how did I set the timeout values? Like this:

Rather than enable HA from the GUI you’re going to have to do it from a command line. I use PuTTY when I’m not actually at the XenServer console. The command you will use is xe pool-ha-enable heartbeat-sr-uuids=your uuid goes here ha-config:timeout=however many seconds you want.

But in that command string, how do you know what the sr-uuid is? The way I find it is to start with XenCenter and locate the SR (storage repository) which is going to be used for the heartbeat status disk. I locate the SCSI ID of that SR and copy the number as shown in this image (click picture to view full-size):

Finding the SCSI ID of a Storage Repository

Finding the SCSI ID of a Storage Repository


After I have that number I next connect to the master XenServer using PuTTY (the master XenServer in a pool is always the top server shown in XenCenter) and run this command xe pbd-list device-config=SCSIid:\ 360030d903131325f48415f4865617274 where the number in RED is the ID just copied from Xencenter:
Finding the sr-uuid

Finding the sr-uuid


What is shown above is what the output should look like. The reason you see three sequences in this example is because there are three hosts in this pool, notice the host-uuids are all different. However also notice the sr-uuid value is the same in each grouping and this is the number we are after. Take the sr-uuid you just found and enter it into a command like this: xe pool-ha-enable heartbeat-sr-uuids=7a213624-1209-c467-42ed-6ef72a1b7699 ha-config:timeout=120

It may take a bit of time for the command to actually complete but once it does you should be able to refresh your Xencenter by using either the xe-toolstack-restart or the service xapi restart command and then when you look at the pool level on the HA tab you should see that HA is now turned on:

Verify that HA is now turned on

Verify that HA is now turned on


As I said previously I found 120 seconds worked best for me – but how did I determine that? Simple: I started by setting the HA timeout to 60 seconds (twice the default) and then ran the hard shutdown test again. One of the XenServers still fenced so I went to 90 seconds, and then finally 120 seconds. The point at which the XenServers do not fence is where you want to stop. But don’t just do this test on one side of the storage! You will want to recover your storage servers and once everything is back online and healthy run the same test again – but this time hard-shutdown the other storage node. Now if none of the XenServers fence then you are done…unless you disable and re-enable HA. As I pointed out in that earlier post, this manual timeout setting is not persistent – if you disable and re-enable HA on the pool, you will have to re-enable it from the command line again to insure that the timeout is set correctly. If it’s done from the GUI, it will revert to the 30-second default.

, , , , ,

Citrix Fine-Tunes XenDesktop 4 Licensing

November 9th, 2009 | Posted by Sid Herron in Citrix | Licensing | VDI | XenDesktop - (0 Comments)

In our post of October 6, hard on the heels of the Citrix news release that announced XenDesktop 4, (hereinafter called “XD4” to save wear and tear on my keyboard) we told you that XD4 was moving toward a strict per-user licensing model, rather than the concurrent-use model that Citrix products have been using since forever. Since that initial news release, however, Citrix has backed down on that position, and made some changes in how XD4 can be licensed.

XD4 Enterprise and Platinum Editions can now be licensed in either per-user or per-device mode. The per-device mode has obvious benefits in, say, classroom situations where a single device will be shared by multiple users, a clinical workstation in a hospital that is used by multiple users, or a factory floor where different shifts come and go. This aligns very closely with the Microsoft RDS CAL licensing model. (RDS, or Remote Desktop Services, is the new name for Terminal Services.) If a given use case would be more economically licensed using per-device RDS CALs, then per-device licensing for XD4 will probably make more sense as well.

A user who has been assigned a user license is entitled to use an unlimited number of devices to access an unlimited number of desktops. A device that has been assigned a device license can be used by an unlimited number of users. Just as is the case with Microsoft RDS CALs, user licenses can be reassigned permanently if a licensed user leaves the organization, or temporarily if a licensed user is absent for a protracted period of time. Likewise, a device license can be reassigned if a device must be replaced, or reassigned temporarily while a device is being repaired.

Customers can have both user and device licensing in the same enterprise, and licenses may be switched from user to device and vice-versa after 90 days. Once you reassign a license, you must wait at least another 90 days before you can switch back.

Just in case that’s not confusing enough, the low-end XD4 “VDI Edition” – which supports only VDI deployments and does not include any of the XenApp or “FlexCast” functionality – can be licensed in either per-user or per-device or concurrent mode. Concurrent licenses for the VDI Edition can be upgraded to either user or device licenses for XD4 Enterprise or Platinum Edition. However, within the VDI Edition, you cannot convert VDI concurrent licenses to VDI user or device licenses, nor can you convert VDI user or device licenses to VDI concurrent licenses.

License Management
Device licenses are assigned by manually adding a unique device identity to a device log. This device log must be manually maintained as devices come and go. User licenses leverage Active Directory – you create and maintain a specific OU for your licensed users.

One wrinkle that you may not be aware of is the concept of “overdraft” licenses. Citrix will actually grant one overdraft license for every 10 licenses that you allocate to a license file. These overdraft licenses are automatically rolled into the license file when it’s generated, and are displayed in a separate column of the License Management Console. The allocation of an overdraft license is recorded in the XenDesktop event log, but you won’t know unless you go looking for it – there is currently no alerting system that would proactively tell you that it’s happened. I would expect that, at some point, Citrix will build in some kind of overdraft alert.

Bear in mind that the overdraft licenses are not intended to let you, on an ongoing basis, exceed the license count you purchased. They’re intended to prevent the situation where a user is denied service because of a temporary spike in usage, or because a license hasn’t been properly allocated or re-allocated, and give you time to purchase additional licenses before the lack of available licenses becomes a crisis. Bottom line here is that if you think you’re getting close to your maximum license count, you should probably check the License Management Console from time to time to see how many licenses are actually in use, and whether you’re into your overdraft pool.

, , , , ,

Provisioning Services, Microsoft Licenses, and KMS

November 5th, 2009 | Posted by Sid Herron in Citrix | Licensing | Microsoft | Provisioning Services | VDI | XenApp | XenDesktop - (9 Comments)

Citrix Provisioning Services, which evolved from their acquisition of the Ardence technology, enables some great concepts:

  • Since the first time a Citrix customer deployed more than one WinFrame server, we’ve struggled with the issue of change control – how do we insure that, over time, all of the servers that are supposed to be identical do, in fact, remain identical? Booting and running them all from a single, read-only image is a great way to do that.
  • It gives you an “undo” option when you upgrade your server image. You can make a copy of your read-only image, set it to read/write, apply your patches, updates, etc., reboot one server from the new image, do your testing, then set the new image to read-only, reboot your servers, and ba-da-boom ba-da-bing (that’s a technical term), in the time it takes them to reboot, they’re all running from the new image. If you then discover that there’s something wrong with the new image, point them back at the old image and reboot them again, and, in the time it takes them to reboot again, you’ve just rolled back to the old image.
  • In a VDI scenario, not only do you enjoy the first two advantages, you also save a ton of expensive SAN storage. If your typical desktop image is, say, 10 Gb, and you want to deploy 100 virtual desktops, with some vendors’ approaches you will consume a full terabyte of expensive SAN storage. By using provisioning services, you consume only the 10 Gb required by the common image.

Unfortunately, when you convert a modern Microsoft OS image to a shared read-only image, it looks like a hardware change to the OS, and breaks the license activation. This is the case with Windows 2008, 2008 R2, Vista, and Windows 7.

Enter the KMS server. KMS stands for “Key Management Service,” and it’s one way to automate the activation of Microsoft volume licenses within an organization. There’s a pretty good video that you can download from Microsoft Technet that walks through the process of configuring a KMS server to automatically activate servers and workstations, but it was made prior to the release of 2008 R2, so it omits a very important point (which we will get to in due time).

The concept is that as an un-activated copy of Server 2008, Vista, or Win7 boots, it queries Active Directory to see if there is a KMS server on the network. If there is, it contacts the KMS server for activation. However, for reasons that are not at all clear to me, the KMS server must be contacted by a minimum number of machines before it will actually activate anything. So, each time a different machine contacts the KMS server for activation, it is assigned a unique ID number, and the KMS server increments its counter by one. When it has been contacted by a total of five different systems, it will begin to activate servers. When it has been contacted by a total of 25 different systems, it will begin to activate workstations.

Before the release of Server 2008 R2, only physical systems would increment the counter – virtual systems would not. (Don’t ask me how the KMS server could tell the difference – that’s one of the ongoing mysteries of KMS.) And that’s the message you’ll hear when you watch the video referenced earlier. However, if KMS is running on a Windows 2008 R2 server, both physical and virtual systems will increment the counter. Note also that what matters is the aggregate number of all systems that have contacted the server for activation, regardless of whether they’re running Server 2008, 2008 R2, Vista, or Win7.

If the threshold has not yet been reached, the system will not be activated, but will still run…within the constraints of the built-in 30-day “grace period” for activation. (Although the nag messages get pretty intrusive in the last three days of the grace period.) This, by the way, is good news if you’re looking at an evaluation or proof of concept that will involve fewer systems than it takes to meet the threshold – you should be OK as long as the evaluation term doesn’t exceed the 30-day grace period. The system will continue to check back in with the KMS server ever two hours to see if the threshold has been met. When it is met, all of the systems that have been waiting will be activated. Once activated, a system will attempt to check back in and renew its activation every 7 days. It must renew its activation within 180 days, or it will revert back to an un-activated state.

The KMS server keeps track of the ID numbers of the systems that have contacted it for activation. If an activated system does not check back in within 30 days, its ID number is removed from the KMS server’s cache, and the counter is decremented. If the count falls back below the threshold, the KMS server will stop activating systems. To help guard against this, the KMS server’s cache size is set to 2x the threshold. In other words, if you’re only activating servers, the cache will contain the IDs of the last 10 servers that have contacted it for activation. If you’re activating workstations, or a combination of workstations and servers, the cache will contain the IDs of the last 50 systems that have contacted it for activation.

The KMS service can be co-hosted with other services in your server infrastructure – you do not have to dedicate a server to this function. In fact, if all you care about are workstations, you can host the KMS service on a Win7 workstation. You’re going to want to have more than one KMS host running, to insure that it doesn’t become a single point of failure in your infrastructure. And remember, unless you’re going to be activating enough physical systems to meet the KMS threshold, you need to be running KMS on Server 2008 R2. That will give you the ability to activate “any Windows operating system that supports Volume Activation,” (which today means the four operating systems we’ve been discussing here), and count both physical and virtual systems toward the required threshold.

So…wrapping back around to the beginning of this discussion, if you want to use Provisioning Services to provision XenApp servers on Server 2008 (and remember, XenApp does not yet work on 2008 R2 as of this writing), you’re going to need a couple of KMS servers. And unless you have five or more physical 2008 servers that it can activate, you’re going to need to have your KMS servers running on R2. And even then, you’re going to need a total of at least five machines to meet the threshold before KMS will activate anything.

Likewise, if you want to use Provisioning Services to provision Win7 desktops – and I’m ignoring Vista here, because, even though I personally liked Vista, I think Win7 is sufficiently superior that it just doesn’t make sense at this point not to go to Win7 – you’re also going to need a couple of KMS servers. And unless you have 25 or more physical systems (in aggregate, counting both servers and workstations), they’re going to need to be running on R2. And in any event, you’re going to need a total of at least 25 systems.

For more information on exactly how KMS works, I strongly recommend the Technet Volume Activation Planning Guide for Windows 7 and Windows Server 2008 R2. Happy provisioning!

, , , , , , ,