Friday, July 29, 2011

Managing Group Policy for Windows 7

When you roll out Windows 7 in your environment it is time to think about managing those machines too. For that, new Group Policy templates are available, which can be downloaded from the following location:
Administrative Templates (ADMX) for Windows Server 2008 R2 and Windows 7
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=6243 

Since Windows Vista and Windows Server 2008, Administrative Templates come in ADMX format; earlier releases used the ADM format only. ADM files could be imported into a GPO with Add/Remove Templates in the Group Policy editor, but that does not work for ADMX files, and the Windows 7 templates ship as ADMX only. In this blog I will explain how to use them.

Just download the MSI file from the link above and install it. The default install location is "C:\Program Files\Microsoft Group Policy\win72008r2\", which is fine. After installation the PolicyDefinitions folder beneath it contains 160 ADMX files (language-neutral) and 55 language subfolders holding the matching ADML files (language-specific). Because these cannot be imported with Add/Remove Templates, additional steps are needed.


To ensure that the new ADMX and ADML files are propagated throughout the domain, on the computer on which you downloaded the new ADMX and ADML files, copy the new PolicyDefinitions directory to the appropriate location under SYSVOL on the appropriate domain controller. Doing so will ensure that all language-specific subdirectories are also copied to SYSVOL.

This can also be found in the following Microsoft Knowledge Base article:
How to create a Central Store for Group Policy Administrative Templates in Windows Vista/7

http://support.microsoft.com/kb/929841

It mentions: To create a Central Store for .admx and .adml files, create a folder that is named PolicyDefinitions in the following location:
\\FQDN\SYSVOL\FQDN\policies
Copy all files from the PolicyDefinitions folder on a Windows Vista/7-based client computer to the PolicyDefinitions folder on the domain controller.
Important: Updates to SYSVOL are replicated to all domain controllers in the domain, which results in increased network traffic and load placed on the domain controllers. Therefore, to minimize the impact of this operation in your domain, schedule the copying of updated ADMX and ADML files to SYSVOL outside core business hours.


After that it is possible that the following error message is displayed when you open a GPO in the Group Policy editor:
Administrative Templates
Encountered an error while parsing.
Expected one of the following possible element(s), <text>, <decimalTextBox>, <textBox>, <checkBox>, <comboBox>, <dropdownList>, <listBox>, but found <multiTextBox> instead.
File
\\mydomain\SysVol\mydomain...\terminalserver-Server.adml,
line 198, column 60

The cause is that <multiTextBox> is a presentation element that only the Group Policy editor of Windows 7 / Windows Server 2008 R2 understands, so the error appears when a GPO is edited from Windows Vista or Windows Server 2008 (the original release) against the new templates. Editing from a Windows 7 machine with RSAT installed, or from a Windows Server 2008 R2 server, avoids it. Alternatively, if the error points at a particular ADMX/ADML pair, you can simply remove that pair (both the .admx file and its .adml files, otherwise the editor complains about a missing resource file) from the PolicyDefinitions folder. For example, TerminalServer-Server is specific to Windows Server 2008 R2 and you probably don't need it for now.
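The whole procedure above (create the Central Store, copy the ADMX files and the per-language ADML subfolders, then make sure the editor will not choke on the result) as one PowerShell script. This is an added example and not code from the original post or from Microsoft; the source path is the default install location quoted above, 'contoso.local' is a placeholder for your AD domain, and the language list is an assumption: copying only the ADML languages you really use keeps the SYSVOL replication traffic mentioned in the KB article small.

```powershell
# Added example, not from the original post: populate the Group Policy Central Store
# from the installed ADMX package and verify the result before anyone opens GPMC.
# Assumptions: the MSI installed to the default path quoted in the post, 'contoso.local'
# is a placeholder for your AD domain, and the account running this can write to SYSVOL.
param(
    [string]$Source      = 'C:\Program Files\Microsoft Group Policy\win72008r2\PolicyDefinitions',
    [string]$Domain      = 'contoso.local',
    [string[]]$Languages = @('en-US')   # copy only the ADML languages actually used; each one adds replication traffic
)

$CentralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

# 1. Create the Central Store folder; the Group Policy editor uses it automatically once it exists.
if (-not (Test-Path -Path $CentralStore)) {
    New-Item -ItemType Directory -Path $CentralStore | Out-Null
}

# 2. Language-neutral ADMX files go in the root of PolicyDefinitions ...
Copy-Item -Path (Join-Path $Source '*.admx') -Destination $CentralStore -Force

# 3. ... and each language's ADML files go in a subfolder named after the culture (en-US, de-DE, ...).
foreach ($lang in $Languages) {
    $langDst = Join-Path $CentralStore $lang
    if (-not (Test-Path -Path $langDst)) { New-Item -ItemType Directory -Path $langDst | Out-Null }
    Copy-Item -Path (Join-Path (Join-Path $Source $lang) '*.adml') -Destination $langDst -Force
}

# 4. Verify: every ADMX needs a same-named ADML per language, each ADML must be well-formed XML,
#    and an ADML that uses <multiTextBox> triggers the parsing error from the post on editors
#    older than Windows 7 / Windows Server 2008 R2.
$problems = @()
foreach ($admx in Get-ChildItem -Path $CentralStore -Filter '*.admx') {
    foreach ($lang in $Languages) {
        $adml = Join-Path (Join-Path $CentralStore $lang) ($admx.BaseName + '.adml')
        if (-not (Test-Path -Path $adml)) { $problems += "Missing $lang ADML for $($admx.Name)"; continue }
        $doc = New-Object System.Xml.XmlDocument
        try { $doc.Load($adml) } catch { $problems += "Malformed XML in ${adml}: $($_.Exception.Message)"; continue }
        if ($doc.SelectNodes("//*[local-name()='multiTextBox']").Count -gt 0) {
            $problems += "$($admx.BaseName) ($lang) uses <multiTextBox>: edit GPOs from Windows 7 / 2008 R2 or remove this ADMX/ADML pair"
        }
    }
}

if ($problems.Count -eq 0) { Write-Host "Central Store at $CentralStore is consistent." }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

Run it once on a domain controller (or any domain member with write access to SYSVOL) outside business hours, as the KB article advises; re-running it is safe because Copy-Item -Force just overwrites the existing files. The verification step is the part worth keeping around: it tells you up front which template pairs will produce the <multiTextBox> error on a Vista / Server 2008 editor, instead of letting you discover it one GPO at a time.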

After these steps it is possible to manage Windows 7 with Group Policy. Each of the 160 ADMX files covers a specific part of Windows; have a look through them to see everything that can be managed.

Wednesday, July 27, 2011

Key Management Services (KMS) explained

When installing Windows Server 2008 (R2) or Windows Vista / 7 in your network you must think about volume activation. There are two different models for it: Key Management Service (KMS) and Multiple Activation Key (MAK). Both work and each has its own benefits.
  • Key Management Service (KMS) – KMS activates operating systems on the local network, so individual computers don't have to connect to Microsoft. KMS clients connect to a KMS host for activation.
  • Multiple Activation Key (MAK) – MAK requires each computer to connect once to a Microsoft activation server. Once a computer is activated, no further communication with Microsoft is required.
Have a look at this page for more information about Volume License Keys:
http://www.microsoft.com/licensing/existing-customers/product-activation-faq.aspx

Because KMS is implemented in more and more projects I will explain it in detail. I will not go into MAK any further in this post, because most people already know it.

KMS requires a minimum number of physical or virtual computers in the network before it activates anything. These minimums, called activation thresholds, are set so that enterprise customers meet them easily. The KMS host keeps a single count of the machines (servers and clients together) that have contacted it, and a client is activated only once that count reaches the threshold for its own product:
  • Windows Server 2008 and Windows Server 2008 R2: the count must be at least five (5).
  • Windows Vista and Windows 7: the count must be at least twenty-five (25). Servers and clients both add to the same count, so a mix of them can make up the threshold.
  • Office 2010, Project 2010 and Visio 2010: at least five (5) computers running one of these products.

The KMS service can be installed on an existing server or even on a client, and it registers an SRV record (_vlmcs._tcp) in DNS so that clients can find it. The following commands are used to set up and check a KMS host:

If the KMS host runs Windows Server 2008 (the original release) or Windows Vista, a hotfix is needed that extends KMS to activate Windows 7 and Windows Server 2008 R2 clients. The hotfix upgrades the KMS host from version 1.1 to 1.2.

The command for installing the KMS host product key, or replacing an existing one, is "cscript %windir%\system32\slmgr.vbs /ipk {product key}". After that the licensing service must be restarted: "net stop slsvc" and "net start slsvc" (on Windows Vista / Server 2008; see the update below for the service name on Windows 7 / Server 2008 R2). Once the host is running, check it with "slmgr.vbs /dli" (basic information) and "slmgr.vbs /dlv" (detailed information, including the current count).

Have a look at this TechNet post for more information about this: http://social.technet.microsoft.com/Forums/en/winservergen/thread/8edd0ece-7786-42d4-9a23-48e2c271b17d

It is also possible to query DNS for the KMS host record with "nslookup -type=all _vlmcs._tcp" (the SRV record lives under the domain name, so append your DNS domain if no search suffix is configured). The command "slmgr.vbs /ato" forces an immediate activation attempt; that makes it easier to get the minimum number of systems counted on the host. If no DNS record is created automatically, you must create one yourself. This can be done with the following guide: Manually Create SRV Records in DNS

During installation it is possible that the following error is displayed:
Error 0xC004F015. This is solved by installing the KMS 1.2 hotfix or by using the correct (KMS host) product key. Have a look at this TechNet post for more information about this: http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/0ce4f1aa-94db-46e0-8d2c-1fb37961a873

On a client (while the KMS host is already active) the error 0xC004F038 can be displayed. It means the count on the KMS host is still below the client's threshold; it disappears once enough computers have contacted the host (at least 5 for servers, 25 for Windows Vista / 7 clients). From then on activation is available for all systems.
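The checks from the paragraphs above (the SRV record in DNS, the count on the host against the 5/25 thresholds, the client's licence state, and a forced activation attempt with its error code) in one PowerShell script. This is an added example, not code from the original post or from Microsoft; it reads the same WMI classes that slmgr.vbs itself uses (SoftwareLicensingService and SoftwareLicensingProduct), so what it prints corresponds to "slmgr.vbs /dlv" and "slmgr.vbs /ato". 'contoso.local' is a placeholder for your AD DNS domain, and the script assumes an elevated PowerShell 2.0 (or later) session on Windows 7 / Windows Server 2008 R2.

```powershell
# Added example, not part of the original post: a KMS health check that reads the same WMI
# classes slmgr.vbs uses (SoftwareLicensingService / SoftwareLicensingProduct), looks up the
# _vlmcs._tcp SRV record and optionally forces an activation attempt.
# Assumptions: runs elevated on Windows 7 / Server 2008 R2 (PowerShell 2.0 or later);
# 'contoso.local' is a placeholder for your AD DNS domain.
param(
    [string]$DnsDomain = 'contoso.local',
    [switch]$ForceActivation                 # equivalent of slmgr.vbs /ato
)

# ApplicationID shared by all Windows editions in the licensing store.
$WindowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'
$statusNames  = @{0='Unlicensed'; 1='Licensed'; 2='OOB grace'; 3='OOT grace';
                  4='Non-genuine grace'; 5='Notification'; 6='Extended grace'}

# 1. DNS: which KMS host(s) does the domain advertise? (the record nslookup -type=all _vlmcs._tcp shows)
$srv = nslookup -type=srv "_vlmcs._tcp.$DnsDomain" 2>$null | Where-Object { $_ -match 'svr hostname|port' }
if ($srv) {
    Write-Host "KMS SRV record(s) for ${DnsDomain}:"
    $srv | ForEach-Object { Write-Host "  $($_.Trim())" }
} else {
    Write-Warning "No _vlmcs._tcp SRV record in $DnsDomain; DNS publishing is off on the host or the record must be created by hand."
}

# 2. Service view: is this machine itself a KMS host, and how far along is its count?
$svc = Get-WmiObject -Class SoftwareLicensingService
if ($svc.IsKeyManagementServiceMachine -eq 1) {
    $count = $svc.KeyManagementServiceCurrentCount
    Write-Host ("This machine is a KMS host: count={0}, port={1}, DNS publishing={2}" -f `
        $count, $svc.KeyManagementServiceListeningPort, $svc.KeyManagementServiceDnsPublishing)
    # Thresholds from the post: 5 for Windows Server 2008 / R2, 25 for Windows Vista / 7.
    if ($count -lt 5)      { Write-Warning "Count $count < 5: neither servers nor clients can activate yet." }
    elseif ($count -lt 25) { Write-Warning "Count $count < 25: servers activate, Vista / 7 clients still get 0xC004F038." }
}

# 3. Product view: the Windows licence that has a product key installed (what slmgr.vbs /dli reports).
$win = Get-WmiObject -Class SoftwareLicensingProduct `
        -Filter "ApplicationID='$WindowsAppId' AND PartialProductKey IS NOT NULL" | Select-Object -First 1
if (-not $win) {
    Write-Warning "No Windows product key installed (volume-license media normally carries the KMS client setup key)."
    return
}
Write-Host ("{0}`n  partial key : {1}`n  status      : {2}`n  KMS host    : {3}:{4}" -f $win.Name, $win.PartialProductKey,
    $statusNames[[int]$win.LicenseStatus], $win.KeyManagementServiceMachine, $win.KeyManagementServicePort)

# 4. Optional: force an activation attempt now and decode the outcome like slmgr.vbs /ato.
if ($ForceActivation) {
    try { $win.Activate() | Out-Null } catch { }   # a failed attempt shows up in LicenseStatusReason below
    $svc.RefreshLicenseStatus() | Out-Null
    $after  = Get-WmiObject -Class SoftwareLicensingProduct -Filter "ID='$($win.ID)'"
    $reason = '0x{0:X8}' -f $after.LicenseStatusReason
    Write-Host ("After activation attempt: status={0}, reason={1}" -f $statusNames[[int]$after.LicenseStatus], $reason)
    switch ($reason) {
        '0xC004F038' { Write-Warning "KMS host count is still below this machine's threshold; get more machines counted first." }
        '0xC004F074' { Write-Warning "No KMS host could be contacted; check the SRV record above and TCP port 1688 to the host." }
    }
}
```

Run it without parameters on any client to see which host it discovered and whether it is licensed; run it on the KMS host to watch the count climb towards 5 and 25. "-ForceActivation" is the scripted version of "slmgr.vbs /ato" from the post, which is the quickest way to get machines counted while the threshold is still being reached.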

One last note: when creating or deploying a Windows 7 image, don't enter the KMS host key into the image, otherwise every deployed Windows 7 client would behave like a KMS host. No product key needs to be entered on a Windows 7 client at all: volume-license media already contains the KMS client setup key, so just let the clients activate against the KMS host, which resides on a Windows Server 2008 (R2) server or on a Windows Vista / 7 host.

Have a look at this TechNet post for more information about this:
http://social.technet.microsoft.com/Forums/en/mdt/thread/c9691329-702e-42e1-9593-c8c06618ff0f

For default KMS Client Setup Keys have a look at this TechNet post:
http://technet.microsoft.com/en-us/library/ff793421.aspx

Update 18-11-2011: On Windows Server 2008 R2 and Windows 7 the commands to restart the licensing service are "net stop sppsvc" and "net start sppsvc".

Just to clarify things:

The Software Licensing Service existed in Windows Vista, but was replaced in Windows 7. The service that handles the licensing is now called the Software Protection Service (SPPSVC). All of the same procedures and commands still work the same as they did in Windows Vista.

Also, the associated SL UI Notification Service (SLUINotify) in Vista was changed to the SPP Notification Service (SPPUINotify) in Windows 7. (SPP means Software Protection Platform)

TechNet source: Windows 7 Activation Issues