Monday 7 September 2015

Windows Server Backup

# Install the Windows Server Backup GUI & CLI tools using PowerShell (as Admin):
Import-Module ServerManager
Add-WindowsFeature Backup-Features -IncludeAllSubFeature        # Server 2008 / 2008 R2
Add-WindowsFeature Windows-Server-Backup -IncludeAllSubFeature  # Server 2012 / 2012 R2

# Save one or more of the following scripts to a batch file (e.g. C:\Scripts\RunServerBackup.bat)

# Command to perform a Bare Metal Recovery (BMR) full OS backup (the target volume
# must not itself be one of the critical volumes being backed up):
WBADMIN START BACKUP -backupTarget:D: -allCritical -systemState -quiet
# Command to back up only the System State and keep the last 5 versions:
WBADMIN START SYSTEMSTATEBACKUP -backupTarget:D: -quiet
WBADMIN DELETE SYSTEMSTATEBACKUP -keepVersions:5 -backupTarget:D: -quiet
# Command to log the backups currently available for restore:
WBADMIN GET VERSIONS -backupTarget:D: >D:\Backup.txt
# Note: system state and BMR backups contain the registry hives (SAM, SECURITY) and,
# on a domain controller, ntds.dit. Restrict NTFS access on the backup target to
# Administrators and SYSTEM and treat the volume with the same care as the server itself.

# Create a new scheduled task to run a server backup at 5am Monday to Friday.
# The task runs as SYSTEM at the highest run level, so C:\Scripts must be writable
# by Administrators only; anyone who can edit the batch file otherwise gets code
# execution as SYSTEM at 05:00:
SCHTASKS /Create /RU "SYSTEM" /SC WEEKLY /D MON,TUE,WED,THU,FRI /TN ServerBackup /RL HIGHEST /ST 05:00 /TR "C:\Scripts\RunServerBackup.bat"
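The batch wrapper described above, rewritten as a PowerShell script with logging, exit-code checking and self-registration. This is an added example, not code from the original post; the target D:, the log directory D:\BackupLogs and the script path C:\Scripts\RunServerBackup.ps1 are assumed names to adjust for your environment.

```powershell
# Added example (not part of the original post): PowerShell version of the backup
# batch file. Run once with -Register (as Administrator) to create the weekday
# 05:00 task; the task then runs the script with no switches.
# Assumed: target D:, log directory D:\BackupLogs, script at C:\Scripts\RunServerBackup.ps1
param(
    [string]$Target       = 'D:',
    [string]$LogDir       = 'D:\BackupLogs',
    [int]   $KeepVersions = 5,
    [switch]$Register                      # create the scheduled task and exit
)

$ErrorActionPreference = 'Stop'
$scriptPath = $MyInvocation.MyCommand.Path

if ($Register) {
    # Same schedule as the SCHTASKS line above. The task runs as SYSTEM with the
    # highest run level, so refuse to register if non-admins can modify the script.
    $writable = (Get-Acl $scriptPath).Access | Where-Object {
        $_.FileSystemRights -match 'Write|Modify|FullControl' -and
        $_.IdentityReference -notmatch 'Administrators|SYSTEM|TrustedInstaller'
    }
    if ($writable) {
        throw "Refusing to register: $scriptPath is writable by $($writable.IdentityReference -join ', ')"
    }
    $tr = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`" -Target $Target -LogDir `"$LogDir`" -KeepVersions $KeepVersions"
    schtasks.exe /Create /F /RU SYSTEM /RL HIGHEST /SC WEEKLY /D MON,TUE,WED,THU,FRI /ST 05:00 /TN ServerBackup /TR $tr
    return
}

if ($Target.TrimEnd('\') -ieq $env:SystemDrive) { throw 'Backup target must not be the system volume' }
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$log = Join-Path $LogDir ('Backup-{0:yyyyMMdd-HHmm}.log' -f (Get-Date))

function Write-Log([string]$Message) {
    $line = '[{0:u}] {1}' -f (Get-Date), $Message
    $line | Out-File -FilePath $log -Append -Encoding ascii
    $line
}

function Invoke-Wbadmin([string[]]$Arguments) {
    Write-Log ('wbadmin ' + ($Arguments -join ' '))
    & wbadmin.exe @Arguments | ForEach-Object { Write-Log $_ }
    if ($LASTEXITCODE -ne 0) {
        throw "wbadmin $($Arguments[0]) $($Arguments[1]) failed (exit code $LASTEXITCODE); see $log"
    }
}

# BMR backup, system state backup, prune to the last N system state versions, record the catalog.
Invoke-Wbadmin @('start', 'backup', "-backupTarget:$Target", '-allCritical', '-systemState', '-quiet')
Invoke-Wbadmin @('start', 'systemstatebackup', "-backupTarget:$Target", '-quiet')
Invoke-Wbadmin @('delete', 'systemstatebackup', "-keepVersions:$KeepVersions", "-backupTarget:$Target", '-quiet')
Invoke-Wbadmin @('get', 'versions', "-backupTarget:$Target")
Write-Log 'Backup run completed'
```

Because wbadmin returns a non-zero exit code on failure, a failed step stops the script and leaves the reason in the log instead of silently pruning versions after a backup that never completed.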

# Check the size of the VSS storage space reserved for backups:
vssadmin List ShadowStorage /On=D:

# Adjust the size of the VSS storage space reserved for backups:
vssadmin Resize ShadowStorage /For=D: /On=D: /MaxSize=40%

# Create an AD snapshot (e.g. before making a change). A snapshot is a VSS copy of
# ntds.dit that any administrator can mount and read offline, so list and delete
# snapshots you no longer need (ntdsutil snapshot "list all" quit quit):
ntdsutil "Activate Instance NTDS" snapshot create quit quit

Delete old backups

DiskShadow.exe
List shadows ALL
Delete shadows ID <Shadow Copy ID>
Delete shadows OLDEST D:
Delete shadows ALL
Wbadmin delete catalog
Wbadmin delete systemstatebackup -keepVersions:5 -backupTarget:D:

Note: Windows Server Backup keeps older versions on the target as shadow copies, so "Delete shadows ALL" on the backup volume discards every version but the latest. "Wbadmin delete catalog" only removes the local backup catalog (use it when the catalog is corrupt, then re-catalog with wbadmin restore catalog); it does not free space on the target. "Wbadmin delete systemstatebackup" requires -keepVersions, -version or -deleteOldest to say what to remove.

Service details

Service name: wbengine
Display name: Block Level Backup Engine Service
Description: The WBENGINE service is used by Windows Backup to perform backup and recovery operations. If this service is stopped by a user, it may cause the currently running backup or recovery operation to fail. Disabling this service may disable backup and recovery operations using Windows Backup on this computer.
Path to executable: "C:\Windows\system32\wbengine.exe"
Startup type: Manual
Log on as: Local System account
Batch restart service: net stop wbengine && net start wbengine

GUI details

Name: Windows Server Backup
Target: wbadmin.msc
Start in: "%windir%\system32"
Comment: Perform a backup or recovery of this server.

References



Monday 3 August 2015

The 497 Day Uptime Bug

Issue

  1. TCP/IP ports that are in a TIME_WAIT state are not closed after 497 days from system startup. Ports may therefore be exhausted, and new TCP/IP sessions cannot be created.
  2. TCP/IP chimney offloading fails after 248.5 days, so systems that use offloaded connections stop responding after 248.5 days.

Resolution

  • Schedule server reboots well inside the 248-day / 497-day window (rebooting resets the counter but does not fix it)
  • Apply the vendor's hotfix, which corrects the counter handling

Background

The reason 497 is the problem number is the use of a 32-bit counter to record uptime. If a tick is recorded every 10 msec of uptime, a 32-bit counter overflows after approximately 497.1 days: 2^32 = 4,294,967,296 ticks, and at 100 ticks per second there are 8,640,000 ticks per day (100*60*60*24), so the counter wraps after 4,294,967,296 / 8,640,000 = 497.102696 days.

Some systems hit the problem at 248.551348 days (half of that) because they store the value in a signed 32-bit integer, which leaves one less bit for the count.

Note that this bug does not only affect Microsoft products. Other affected vendors and platforms include Avaya, Brocade, Cisco, EMC, QLogic and VAX/VMS.

Links

Monday 27 July 2015

Best Practices for Virtualizing Domain Controllers

Virtual DC Best Practices


  1. DCs require VM High Availability
  2. Never pause, clone or snapshot a DC (reverting a snapshot causes a USN rollback; only a hypervisor that exposes VM-Generation ID to a Server 2012 or later DC detects this safely, and even then a snapshot is not a backup)
  3. Not all backups are created equal
  4. Avoid clock drift
  5. Don't overprovision resources
  6. Ensure backups actually work
  7. Implement anti-affinity rules
  8. Separate client and administrative traffic
  9. Prioritise quick object restores
  10. Monitor storage performance
  11. Remain a bit physical
  12. Have a plan for disaster recovery


Reference documents

Monday 20 July 2015

Different digital certificate formats

Certificates can be exported in a number of different formats. This blog aims to clear up any confusion around what these formats are.

When exporting certificates in Windows the following options are available.

1. Export the private key:

  • .PFX - Personal Information Exchange - PKCS #12. Contains the certificate, its private key and (optionally) the chain, so it is a secret: protect it with a strong password and restrict who can read the file.

2. Do not export the private key:

  • .CER - DER encoded binary X.509 - the raw certificate in binary ASN.1; the native format for Windows tools and many network appliances.
  • .CER - Base-64 encoded X.509 - the same DER bytes, Base-64 encoded between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines (PEM); use this for OpenSSL-based and other non-Windows software (Apache, nginx, Java keytool) and wherever the certificate has to be pasted into a text field.
  • .P7B - Cryptographic Message Syntax Standard - PKCS #7 Certificates - use this when you want to export the issuing and root CA certs bundled with the server cert. A .P7B never contains a private key.
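The four exports above done from PowerShell with the .NET X509 classes only (so it also works on Windows PowerShell 2.0, which has no PKI module), followed by a small sniffer that identifies each file from its bytes rather than its extension. This is an added example, not from the original post; the certificate subject CN=web01.example.com and the output folder C:\Temp\certs are assumptions.

```powershell
# Added example (not part of the original post): export one LocalMachine\My certificate
# as DER .cer, Base-64 (PEM) .cer, PKCS#7 .p7b with chain, and PKCS#12 .pfx with key.
# Assumed: a certificate with subject CN=web01.example.com; output folder C:\Temp\certs.
Add-Type -AssemblyName System.Security
$subject = 'CN=web01.example.com'
$outDir  = 'C:\Temp\certs'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $subject } | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$subject' in LocalMachine\My" }
$ct = [System.Security.Cryptography.X509Certificates.X509ContentType]

# 1. DER-encoded binary X.509: the raw certificate, no key.
[IO.File]::WriteAllBytes("$outDir\web01.der.cer", $cert.Export($ct::Cert))

# 2. Base-64 / PEM: the same DER bytes, Base-64 encoded in 64-character lines inside PEM armour.
$b64 = [Convert]::ToBase64String($cert.RawData) -replace '(.{64})', "`$1`n"
$pem = "-----BEGIN CERTIFICATE-----`n" + $b64.TrimEnd("`n") + "`n-----END CERTIFICATE-----`n"
[IO.File]::WriteAllText("$outDir\web01.pem.cer", $pem, [Text.Encoding]::ASCII)

# 3. PKCS#7: the server certificate plus the issuing and root CA certificates, still no key.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'     # we only want the chain members here
[void]$chain.Build($cert)
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
foreach ($el in $chain.ChainElements) { [void]$bundle.Add($el.Certificate) }
[IO.File]::WriteAllBytes("$outDir\web01.p7b", $bundle.Export($ct::Pkcs7))

# 4. PKCS#12: certificate AND private key. This file is a secret: password-protect it,
#    keep it in an admin-only folder and delete it once imported on the target system.
if ($cert.HasPrivateKey) {
    $pwd = Read-Host -AsSecureString 'PFX password'
    [IO.File]::WriteAllBytes("$outDir\web01.pfx", $cert.Export($ct::Pkcs12, $pwd))
}

# Identify a certificate file's container format from its content, not its extension.
function Get-CertFileFormat([string]$Path) {
    $bytes = [IO.File]::ReadAllBytes($Path)
    $head  = [Text.Encoding]::ASCII.GetString($bytes, 0, [Math]::Min(27, $bytes.Length))
    if ($head.StartsWith('-----BEGIN CERTIFICATE-----')) { return 'PEM (Base-64 X.509)' }
    if ($bytes[0] -ne 0x30) { return 'Unknown (not DER)' }       # all three DER formats start with a SEQUENCE tag
    try {
        # A PKCS#7 blob also loads here (first cert only), so compare lengths to tell them apart.
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
        if ($c.RawData.Length -eq $bytes.Length) { return 'DER X.509 (single certificate)' }
    } catch { }
    $coll = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    try { $coll.Import($bytes); return "PKCS#7 ($($coll.Count) certificates)" } catch { }
    return 'PKCS#12 or other DER structure (password required)'
}
Get-ChildItem $outDir | ForEach-Object { '{0,-14} {1}' -f $_.Name, (Get-CertFileFormat $_.FullName) }
```

The sniffer is the check to run when a device rejects an upload: a ".cer" that starts with a SEQUENCE tag is DER no matter what the vendor's dialog calls it, and a ".cer" that is really a PKCS#7 bundle is a common cause of "invalid certificate" errors on appliances that expect a single certificate.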


Tuesday 14 July 2015

How to migrate a XenApp database

Migrating the Database to a Different Version of the SQL Server

Migrating from one database version to the other might be necessary to move the data store to a more powerful server. The best method for migrating between versions of the database is to back up and restore the database using the utilities provided by the database software vendor.

To point a XenApp Server farm to a new database, complete the following steps:

Note: For the best performance, complete this procedure on the data collectors after all other servers are reconfigured.

  1. Back up the existing farm database and restore the database to the new server.
  2. Create a new DSN file that points to the restored database.
  3. Run the dsmaint config command on the server with the new DSN file.
  4. Stop and restart the IMA Service.
     Important: Restarting the IMA Service instead of restarting the server might cause the SNMP service to initiate Dr. Watson, if SNMP is enabled. This error is benign.
  5. Ensure that the server is pointing to the new data store by verifying the following registry setting:
     HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\DataSourceName
  6. If the IMA Service started successfully, copy the new DSN file to all servers in the farm.
  7. Run the dsmaint config command to change the IMA Service configuration on all remaining servers in the farm.
  8. Stop and restart the IMA Service on all servers in the farm.

Tip: You can execute Steps 6 through 8 on all the servers from a simple batch file placed in a central location.
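Steps 6 through 8 as a PowerShell script to run on each remaining farm server. This is an added example, not Citrix's own code; the central share \\fileserver\citrix$\mf20.dsn, the default IMA folder for XenApp 6.x (under Program Files (x86); XenApp 5 on 32-bit Windows uses Program Files) and a dedicated SQL login for the data store are assumptions.

```powershell
# Added example (not Citrix's own code): copy the new DSN file into place, point the
# IMA Service at it with dsmaint config, restart IMA and confirm the registry value.
# Assumed: DSN published at \\fileserver\citrix$\mf20.dsn; default XenApp 6.x IMA folder.
param(
    [string]$DsnSource = '\\fileserver\citrix$\mf20.dsn',
    [string]$DsnTarget = "${env:ProgramFiles(x86)}\Citrix\Independent Management Architecture\mf20.dsn",
    [Parameter(Mandatory=$true)][string]$SqlUser,
    [Parameter(Mandatory=$true)][System.Security.SecureString]$SqlPassword
)
$ErrorActionPreference = 'Stop'

Copy-Item -Path $DsnSource -Destination $DsnTarget -Force

# dsmaint config takes the password on its command line, where it is visible to anyone
# who can list processes while it runs. Use a least-privilege login for the data store
# and never echo the command into a transcript or log.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SqlPassword)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
& dsmaint.exe config /user:$SqlUser "/pwd:$plain" "/dsn:$DsnTarget"
$plain = $null
if ($LASTEXITCODE -ne 0) { throw "dsmaint config failed with exit code $LASTEXITCODE" }

Restart-Service -Name IMAService -Force
$svc = Get-Service -Name IMAService
if ($svc.Status -ne 'Running') { throw "IMA Service is $($svc.Status), expected Running" }

# Step 5: confirm the server now points at the new data store.
$dsn = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Citrix\IMA').DataSourceName
if ($dsn -ne $DsnTarget) { throw "IMA DataSourceName is '$dsn', expected '$DsnTarget'" }
"Data store reconfigured on $env:COMPUTERNAME -> $dsn"
```

Run it from a central location with Invoke-Command or a remote shell against every server except the data collectors first, then against the data collectors, as the note above recommends.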

Applicable products

  • XenApp 6.5 for Windows Server 2008 R2
  • XenApp 6.0 for Windows Server 2008 R2
  • XenApp 5.0 for Windows Server 2008

Further reading


Citrix Receiver customizations

External links




Citrix Receiver apps open in the background - fixed

Issue

Citrix Receiver 4.x is installed on 64-bit Windows 8.x. Whenever an application is launched from Receiver by clicking on it, it opens in the background (behind the Receiver window). This may cause users to think that nothing is happening and prompt them to click the icon again.

Resolution

The following registry keys need to be applied to the client-side computer, but first log out of Receiver and exit the application by right-clicking its icon in the system tray / notification area and selecting Exit.

This can also be done by copying the text below, pasting it into Notepad and saving it as a .reg file (e.g. "CitrixReceiverRegFix.reg"), or by applying the values through Group Policy.

Note that the keys below are for 64-bit Windows clients. For 32-bit Windows clients, simply remove the "Wow6432Node" component from the paths below:


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client]
"ForegroundProgressBar"=dword:00000001
"NotificationDelay"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Engine\Configuration\Advanced\Modules\WFClient]
"TWISeamlessFlag"="1"

[HKEY_CURRENT_USER\Control Panel\Desktop]
"ForegroundLockTimeout"=dword:00000000

[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"ForegroundLockTimeout"=dword:00000000


Tuesday 30 June 2015

CRL checking with certutil

Background

You have a server with a valid certificate installed. The Root CA is installed correctly. However, you get an error stating that the certificate is invalid. Applications that rely on the certificate may not work correctly.

Resolution

Try these commands from an elevated Command Prompt on the server having the issue:

certutil -f -urlfetch -verify [FilenameOfCertificate]

e.g. certutil -f -urlfetch -verify mycertificatefile.cer
(where mycertificatefile.cer is an export of the certificate experiencing the issue; -urlfetch forces the CRL and OCSP URLs in the certificate to be retrieved rather than relying on the local cache)

After it runs it should say:

Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

If it fails with an error, try the below commands to see if the CRLs are reachable:

certutil -URL

or

certutil -URL [URLOfCRLToBeChecked]

This command shows the previously downloaded and cached CRLs:

certutil -urlcache CRL

If your server cannot reach the CRLs, it could be due to proxy configuration. CryptoAPI retrieves CRLs through WinHTTP, which has its own proxy setting separate from the user's Internet Explorer proxy, so a browser that can open the CRL URL proves nothing. Check the WinHTTP config with the following command:

netsh winhttp show proxy

The output should be:

Current WinHTTP proxy settings:
Direct access (no proxy server).
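The same verification done through .NET's X509Chain, which on Windows wraps the CryptoAPI chain engine certutil uses (including its WinHTTP proxy), but reports the status of each chain element separately and then downloads every CRL Distribution Point in the leaf certificate directly. This is an added example, not from the original post; the input path C:\Temp\mycertificatefile.cer is assumed.

```powershell
# Added example (not part of the original post): per-element chain and revocation status,
# followed by a direct fetch of each CRL Distribution Point URL in the leaf certificate.
# Assumed input: C:\Temp\mycertificatefile.cer (export of the problem certificate).
function Test-CertificateChain {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [switch]$CachedCrlOnly      # like certutil without -urlfetch: no network retrieval
    )
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Resolve-Path $Path).Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = $(if ($CachedCrlOnly) { 'Offline' } else { 'Online' })
    $chain.ChainPolicy.RevocationFlag      = 'EntireChain'          # check every certificate, not only the leaf
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(20)
    $valid = $chain.Build($cert)

    foreach ($el in $chain.ChainElements) {
        $role = $(if ($el.Certificate.Thumbprint -eq $cert.Thumbprint) { 'leaf' } else { 'issuer' })
        if ($el.ChainElementStatus.Count -eq 0) {
            $status = 'OK'
        } else {
            # e.g. RevocationStatusUnknown / OfflineRevocation = CRL not retrievable, UntrustedRoot = root not installed
            $status = ($el.ChainElementStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
        }
        Write-Host ('{0,-6} {1} -> {2}' -f $role, $el.Certificate.Subject, $status)
    }

    # Fetch each CDP URL directly. WebClient uses the WinINET (IE) proxy, so a CDP that
    # downloads here but fails in the chain build points at the WinHTTP proxy setting.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($cdp) {
        $urls = [regex]::Matches($cdp.Format($true), 'https?://[^\s,]+') | ForEach-Object { $_.Value }
        foreach ($url in $urls) {
            try {
                $bytes = (New-Object System.Net.WebClient).DownloadData($url)
                $tmp = [IO.Path]::GetTempFileName()
                [IO.File]::WriteAllBytes($tmp, $bytes)
                # certutil -dump understands CRL files; ThisUpdate/NextUpdate show whether the CRL is stale
                $dates = certutil.exe -dump $tmp | Select-String -Pattern 'ThisUpdate|NextUpdate' | ForEach-Object { $_.Line.Trim() }
                Remove-Item $tmp -Force
                Write-Host ('CDP {0}: {1} bytes, {2}' -f $url, $bytes.Length, ($dates -join ', '))
            } catch {
                Write-Host ('CDP {0}: FAILED - {1}' -f $url, $_.Exception.Message)
            }
        }
    }
    return $valid
}

$ok = Test-CertificateChain -Path 'C:\Temp\mycertificatefile.cer'
"Chain valid (trust and revocation): $ok"
if (-not $ok) { exit 1 }
```

A chain element reporting RevocationStatusUnknown together with a CDP line that downloads fine is the classic WinHTTP-proxy symptom; a CDP whose NextUpdate is in the past means the CA has stopped publishing and no proxy change will help.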

References




Sunday 28 June 2015

Suite B Cryptography

About

Suite B cryptographic algorithms are specified by the National Institute of Standards and Technology (NIST) and are used by NSA's Information Assurance Directorate in solutions approved for protecting National Security Systems (NSS). Suite B includes cryptographic algorithms for encryption, key exchange, digital signature, and hashing.

Cryptographic algorithms

  • Encryption: AES with 128-bit keys (SECRET) or 256-bit keys (TOP SECRET)
  • Key exchange: Elliptic Curve Diffie-Hellman (ECDH) on the NIST P-256 (SECRET) or P-384 (TOP SECRET) curves
  • Digital signature: Elliptic Curve Digital Signature Algorithm (ECDSA) on P-256 or P-384
  • Hashing: SHA-256 (SECRET) or SHA-384 (TOP SECRET)

UPDATE: In August 2015 the NSA announced that Suite B would be superseded by the Commercial National Security Algorithm (CNSA) Suite, which drops the P-256 / SHA-256 / AES-128 options and adds RSA and Diffie-Hellman at 3072 bits or more, so new deployments should plan for CNSA rather than Suite B.


OS Support

Starting with Windows Vista and Server 2008, the Cryptography Next Generation (CNG) Suite B algorithms (including SHA-2) are included in the operating system. Note that even though the algorithms are available, each application must itself support them: an application that still uses the legacy CryptoAPI providers (CSPs) rather than CNG key storage providers (KSPs) cannot use ECDSA/ECDH keys, for example.

Windows XP requires SP3 to support SHA-2 hashes (SHA-256, SHA-384 and SHA-512).

Server 2003 SP2 requires an update to support SHA-2: KB 938397, linked below.

However, both Windows XP SP3 and Server 2003 SP2 (with that patch) require a further update (KB 968730) in order to request certificates from a Windows Server 2008 CA whose own certificate is signed with a SHA-2 hash.

Links

Thursday 25 June 2015

Citrix XenApp error message: You do not have permissions to execute 16-bit applications


Background

When launching a 16-bit application on a 32-bit Windows Server 2008 Enterprise SP2 OS server running Citrix XenApp 5.0, the user receives a "wfshell.exe - System Error" dialog box that states the application executable "is a 16-bit application. You do not have permissions to execute 16-bit applications. Check your permissions with your system administrator".

After clicking OK to this error, another dialog box is displayed. This one, titled "Citrix XenApp" states that the application "failed to start. The Citrix server is unable to process your request to start this published application. Please try again. If the problem persists, contact your administrator".

Cause

This error occurs because 16-bit applications have been blocked from running, through Group Policy, Local Policy or a registry entry.

The user's roaming profile can carry the restriction with it: if the user previously logged onto a server on which 16-bit applications were disabled for security reasons, the per-user VDMDisallowed value was written into their profile (NTUSER.DAT) and now follows them to every server.

The error also occurs if any one of the following files is missing, damaged, or not located in the %systemroot%\System32 folder:

  • Autoexec.nt
  • Command.com
  • Config.nt


Resolution

There are a few potential resolutions to this problem.

One is the following Local or Group Policy setting:

Administrative Templates > Windows Components > Application Compatibility
Setting: Prevent access to 16-bit applications
State: Disabled

Another is the following Windows Registry settings:

Key: HKLM\System\CurrentControlSet\Control\WOW
Name: DisallowedPolicyDefault
Type: DWORD (32-bit)
Value: 0

Key: HKLM\Software\Policies\Microsoft\Windows\AppCompat
Name: VDMDisallowed
Type: REG_DWORD
Value: 0

Key: HKU\{Users_SID}\Software\Policies\Microsoft\Windows\AppCompat
Name: VDMDisallowed
Type: REG_DWORD
Value: 0

The last registry setting needs to be updated whilst the user is logged onto the Citrix server. They then need to log off and back on again for the changes to take effect. Another way would involve updating the user's roaming profile (NTUSER.DAT) by loading this hive in REGEDIT whilst the user is logged out of Citrix and making the changes before unloading the hive and asking them to log on again.

This could also be scripted by using REG.EXE if needed by running the following command:

REG ADD HKLM\Software\Policies\Microsoft\Windows\AppCompat /t REG_DWORD /v VDMDisallowed /d 0

Lastly, run GPUPDATE /FORCE or reboot the server for good measure.

Keep in mind that the restriction is usually there on purpose: NTVDM is legacy code that runs with the user's full privileges, so re-enable 16-bit applications only on the silo of servers that host the legacy application, not farm-wide. (64-bit Windows has no NTVDM at all, so none of these settings will make a 16-bit application run there.)
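A report of every place the restriction above can come from (machine default, machine policy, each loaded user hive, and the NTVDM support files), to run before changing anything so that only the setting that is actually blocking gets relaxed. This is an added example, not from the original post; it assumes a 32-bit host, as in the scenario described.

```powershell
# Added example (not part of the original post): report the 16-bit (NTVDM) restriction
# sources listed above without modifying anything. Assumes a 32-bit Windows host.
function Get-VdmRestrictionReport {
    $arch = (Get-WmiObject -Class Win32_OperatingSystem).OSArchitecture
    if ($arch -notmatch '^32') {
        Write-Warning "$arch OS: NTVDM is not available, 16-bit applications cannot run regardless of policy"
    }

    $checks = @(
        @{ Scope = 'Machine default'; Key = 'HKLM:\System\CurrentControlSet\Control\WOW';          Name = 'DisallowedPolicyDefault' },
        @{ Scope = 'Machine policy';  Key = 'HKLM:\Software\Policies\Microsoft\Windows\AppCompat'; Name = 'VDMDisallowed' }
    )
    # One entry per loaded user hive: logged-on users and any roaming profile hive loaded in REGEDIT.
    foreach ($hive in (Get-ChildItem Registry::HKEY_USERS | Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' })) {
        $sid = $hive.PSChildName
        try   { $who = (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid }
        $checks += @{ Scope = "User policy ($who)"; Key = "Registry::HKEY_USERS\$sid\Software\Policies\Microsoft\Windows\AppCompat"; Name = 'VDMDisallowed' }
    }

    foreach ($c in $checks) {
        $value = $null
        if (Test-Path -Path $c.Key) {
            $value = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        New-Object PSObject -Property @{
            Scope    = $c.Scope
            Setting  = "$($c.Key)\$($c.Name)"
            Value    = $(if ($value -eq $null) { '(not set)' } else { $value })
            Blocking = ($value -eq 1)
        }
    }

    # The NTVDM support files must also be present in System32.
    foreach ($f in 'autoexec.nt', 'command.com', 'config.nt') {
        $p = Join-Path $env:SystemRoot "System32\$f"
        New-Object PSObject -Property @{
            Scope    = 'NTVDM file'
            Setting  = $p
            Value    = $(if (Test-Path -Path $p) { 'present' } else { 'MISSING' })
            Blocking = -not (Test-Path -Path $p)
        }
    }
}

Get-VdmRestrictionReport | Format-Table Scope, Blocking, Value, Setting -AutoSize
```

A row with Blocking = True under "User policy (...)" is the roaming-profile case described above; fix it in that user's hive rather than loosening the machine-wide policy.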

Register a Service Principal Name for Kerberos Connections


Background

A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service. The Kerberos authentication service can use an SPN to authenticate a service. When a client wants to connect to a service, it locates an instance of the service, composes an SPN for that instance, connects to the service, and presents the SPN for the service to authenticate.
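Registering an SPN with a duplicate check first. A duplicate SPN (the same name on two accounts) makes the KDC issue tickets for whichever account it finds first, and clients then fall back to NTLM with no obvious error, so the check matters more than the registration. This is an added example, not from the original post; the service HTTP/web01.example.com and the account CONTOSO\svc-web are assumed names.

```powershell
# Added example (not part of the original post): look up an SPN across the whole forest
# via the Global Catalog, register it with setspn -S only if nobody holds it, then list
# forest-wide duplicates. Assumed names: HTTP/web01.example.com and CONTOSO\svc-web.
function Get-SpnOwner {
    param([Parameter(Mandatory=$true)][string]$Spn)
    # servicePrincipalName is replicated to the Global Catalog, so one GC query covers the forest.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Name
    $root   = New-Object System.DirectoryServices.DirectoryEntry "GC://$forest"
    $search = New-Object System.DirectoryServices.DirectorySearcher $root
    $search.Filter = "(servicePrincipalName=$Spn)"
    [void]$search.PropertiesToLoad.Add('distinguishedName')
    $search.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] }
}

function Register-Spn {
    param(
        [Parameter(Mandatory=$true)][string]$Spn,
        [Parameter(Mandatory=$true)][string]$Account     # DOMAIN\user or DOMAIN\computer$
    )
    $owners = @(Get-SpnOwner -Spn $Spn)
    if ($owners.Count -gt 0) { throw "SPN $Spn is already registered on: $($owners -join '; ')" }
    # -S adds the SPN only after setspn's own duplicate check (unlike -A, which adds blindly).
    & setspn.exe -S $Spn $Account
    if ($LASTEXITCODE -ne 0) { throw "setspn -S failed with exit code $LASTEXITCODE" }
    & setspn.exe -L $Account
}

Register-Spn -Spn 'HTTP/web01.example.com' -Account 'CONTOSO\svc-web'

# Forest-wide duplicate audit; anything listed here must be cleaned up before Kerberos is reliable.
& setspn.exe -X -F
```

Every account that carries an SPN can have a service ticket requested for it by any domain user and that ticket cracked offline, so the account should be a group managed service account or have a long random password.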


References


Tuesday 23 June 2015

DISM commands

Deployment Image Servicing and Management tool

Version: 6.3.9600.17031


DISM.exe [dism_options] {Imaging_command} [<Imaging_arguments>]
DISM.exe {/Image:<path_to_offline_image> | /Online} [dism_options]
         {servicing_command} [<servicing_arguments>]

DESCRIPTION:

  DISM enumerates, installs, uninstalls, configures, and updates features
  and packages in Windows images. The commands that are available depend
  on the image being serviced and whether the image is offline or running.

GENERIC IMAGING COMMANDS:

  /Get-MountedImageInfo   - Displays information about mounted WIM and VHD
                            images.
  /Get-ImageInfo          - Displays information about images in a WIM or VHD
                            file.
  /Commit-Image           - Saves changes to a mounted WIM or VHD image.
  /Unmount-Image          - Unmounts a mounted WIM or VHD image.
  /Mount-Image            - Mounts an image from a WIM or VHD file.
  /Remount-Image          - Recovers an orphaned image mount directory.
  /Cleanup-Mountpoints    - Deletes resources associated with corrupted
                            mounted images.
WIM COMMANDS:

  /Capture-CustomImage    - Captures customizations into a delta WIM file on a
                            WIMBoot system. Captured directories include all
                            subfolders and data.
  /Get-WIMBootEntry       - Displays WIMBoot configuration entries for the specified disk volume.
  /Update-WIMBootEntry    - Updates WIMBoot configuration entry for the specified disk volume.
  /List-Image             - Displays a list of the files and folders in a
                            specified image.
  /Delete-Image           - Deletes the specified volume image from a WIM file
                            that has multiple volume images.
  /Split-Image            - Splits an existing .wim file into multiple
                            read-only split WIM (SWM) files.
  /Export-Image           - Exports a copy of the specified image to another
                            file.
  /Append-Image           - Adds another image to a WIM file.
  /Capture-Image          - Captures an image of a drive into a new WIM file.
                            Captured directories include all subfolders and
                            data.
  /Apply-Image            - Applies an image.
  /Get-MountedWimInfo     - Displays information about mounted WIM images.
  /Get-WimInfo            - Displays information about images in a WIM file.
  /Commit-Wim             - Saves changes to a mounted WIM image.
  /Unmount-Wim            - Unmounts a mounted WIM image.
  /Mount-Wim              - Mounts an image from a WIM file.
  /Remount-Wim            - Recovers an orphaned WIM mount directory.
  /Cleanup-Wim            - Deletes resources associated with mounted WIM
                            images that are corrupted.

IMAGE SPECIFICATIONS:

  /Online                 - Targets the running operating system.
  /Image                  - Specifies the path to the root directory of an
                            offline Windows image.

DISM OPTIONS:

  /English                - Displays command line output in English.
  /Format                 - Specifies the report output format.
  /WinDir                 - Specifies the path to the Windows directory.
  /SysDriveDir            - Specifies the path to the system-loader file named
                            BootMgr.
  /LogPath                - Specifies the logfile path.
  /LogLevel               - Specifies the output level shown in the log (1-4).
  /NoRestart              - Suppresses automatic reboots and reboot prompts.
  /Quiet                  - Suppresses all output except for error messages.
  /ScratchDir             - Specifies the path to a scratch directory.

For more information about these DISM options and their arguments, specify an
option immediately before /?.

  Examples:
    DISM.exe /Mount-Wim /?
    DISM.exe /ScratchDir /?
    DISM.exe /Image:C:\test\offline /?
    DISM.exe /Online /?

OS Deployment and Imaging


The DISM method


To integrate packages into an image by using the DISM method, follow these steps:

1. Download the standalone package for the update or updates that you want to integrate.
2. Create a new directory to expand the update package.
3. Extract the update package by using the following command:

expand -f:* <path to .msu> <destination>

  For example, the following command expands update 2959977 to the C:\Cabs folder:

expand -f:* Windows8.1-KB2959977-x64.msu C:\Cabs

4. Integrate the cabinet (.cab) file extracted in step 3 into the image by using the following command:

DISM /Online /Add-Package /PackagePath:<path to extracted .cab file from step 3>

  For example, the command to integrate the update 2959977 .cab file would be as follows:

DISM /Online /Add-Package /PackagePath:c:\cabs\Windows8.1-KB2959977-x64.cab
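The expand + /Add-Package procedure looped over a folder of downloaded .msu files, with an Authenticode check on each package before it is expanded and integrated, and DISM's exit codes handled (3010 means a restart is pending, not a failure). This is an added example, not from the Microsoft article above; the paths C:\Updates, C:\Cabs and C:\Mount are assumptions.

```powershell
# Added example (not from the original article): integrate every .msu in a folder into
# the running OS (-Online) or into a WIM already mounted at C:\Mount.
# Assumed paths: C:\Updates (downloaded .msu files), C:\Cabs (expansion target), C:\Mount.
param(
    [string]$UpdateDir = 'C:\Updates',
    [string]$CabDir    = 'C:\Cabs',
    [string]$MountDir  = 'C:\Mount',
    [switch]$Online
)
$ErrorActionPreference = 'Stop'
$target = $(if ($Online) { '/Online' } else { "/Image:$MountDir" })
$rebootNeeded = $false

foreach ($msu in Get-ChildItem -Path $UpdateDir -Filter *.msu) {
    # Anything fed to DISM must carry a valid Microsoft signature; a tampered or
    # truncated download stops here instead of being baked into the image.
    $sig = Get-AuthenticodeSignature -FilePath $msu.FullName
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        throw "Signature check failed for $($msu.Name): $($sig.Status) / $($sig.SignerCertificate.Subject)"
    }

    $dest = Join-Path $CabDir $msu.BaseName
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    & expand.exe -f:* $msu.FullName $dest | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "expand failed for $($msu.Name) (exit code $LASTEXITCODE)" }

    # Each .msu yields the update .cab plus WSUSSCAN.cab, which is detection metadata, not a package.
    foreach ($cab in Get-ChildItem -Path $dest -Filter *.cab | Where-Object { $_.Name -ne 'WSUSSCAN.cab' }) {
        & dism.exe $target /Add-Package "/PackagePath:$($cab.FullName)" /NoRestart
        switch ($LASTEXITCODE) {
            0       { "Integrated $($cab.Name)" }
            3010    { "Integrated $($cab.Name) (restart required)"; $rebootNeeded = $true }
            default { throw "DISM failed for $($cab.Name) (exit code $LASTEXITCODE); see $env:SystemRoot\Logs\DISM\dism.log" }
        }
    }
}

# Verify what the image now contains, then commit the offline image.
& dism.exe $target /Get-Packages /Format:Table | Select-String -Pattern 'KB\d+'
if (-not $Online) { & dism.exe /Unmount-Image /MountDir:$MountDir /Commit }
if ($rebootNeeded) { Write-Warning 'Restart the computer to complete servicing' }
```

For an offline image mount it first with DISM /Mount-Image /ImageFile:<wim> /Index:<n> /MountDir:C:\Mount; the /Get-Packages listing at the end is the check that the KB you meant to integrate is really there before the WIM is committed and deployed.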



Active Directory Certificate Services

Introduction

Active Directory Certificate Services (AD CS) provides a Public Key Infrastructure (PKI) that can be used to distribute certificates from a trusted source to enable the following:
  • Secure data transmission to a known recipient through encryption
  • Signing of code and documents that confirms who the sender is and that the data has not been tampered with in any way

PKI uses

  • Control access to the network with 802.1x authentication
  • Approve and authorize applications with Code Signing
  • Protect user data with EFS
  • Secure network traffic using IPSec
  • Remote access via Virtual Private Network (VPN)
  • Protect LDAP-based directory queries with LDAP over SSL/TLS (LDAPS)
  • Implement two-factor authentication with Smart Cards
  • Secure web traffic (HTTPS)
  • Implement Secure Email (S/MIME)
  • Mobile devices connecting to Exchange Server infrastructures
  • Mutual authentication of Exchange Server components

Applications that may use certificates

  • Active Directory
  • Exchange
  • IIS
  • Internet Security & Acceleration Server
  • Office Communications Server
  • Outlook
  • System Center Configuration Manager
  • Windows Server Update Services

Hardware Security Module

A hardware security module (HSM) is a dedicated crypto processor that is specifically designed for the protection of the crypto key lifecycle. Hardware security modules act as trust anchors that protect the cryptographic infrastructure of organizations by securely managing, processing, and storing cryptographic keys inside a hardened, tamper-resistant device.

Terminology

  • AD CS - Active Directory Certificate Services
  • AIA - Authority Information Access
  • CA - Certification Authority
  • CDP - CRL Distribution Point
  • CEP - Certificate Enrollment Policy
  • CES - Certificate Enrollment Service
  • CP - Certificate Policy
  • CPS - Certificate Practice Statement
  • CRL - Certificate Revocation List
  • CSP - Cryptographic Service Provider
  • DRA - Data Recovery Agent
  • HSM - Hardware Security Module
  • KRA - Key Recovery Agent
  • KSP - Key Storage Provider
  • OID - Object Identifier
  • OCSP - Online Certificate Status Protocol
  • PEN - Private Enterprise Number
  • PKI - Public Key Infrastructure
  • SCEP - Simple Certificate Enrollment Protocol

Links

Monday 22 June 2015

It's about time...

Introduction


The Windows Time service (W32Time) uses Network Time Protocol (NTP) to synchronize the time across server and client operating systems in a domain hierarchy.

W32Time is not considered to be precise or reliable, and is not supported as an accurate time source. The service was designed to do the following:

  • Support the Kerberos V5 authentication protocol
  • Provide loose sync time for client computers

The W32Time service cannot reliably maintain sync time to the range of one to two seconds. Such tolerances are outside the design specification of the W32Time service.

The National Institute of Standards and Technology (NIST) maintains a list of third-party publishers of time and frequency software.

UPDATE:
Beginning in Windows Server 2016, Windows now supports highly accurate time with up to 1ms (millisecond) accuracy!

In the past it was necessary to use a 3rd party product (e.g. Greyware's "Domain Time II") to guarantee accurate time synchronisation for Windows (Linux does this out of the box).

The following is a quote from Microsoft’s website:

Earlier versions of Windows (Prior to Windows 10 1607 or Windows Server 2016 1607) cannot guarantee highly accurate time. The Windows Time service on these systems:

  • Provided the necessary time accuracy to satisfy Kerberos version 5 authentication requirements
  • Provided loosely accurate time for Windows clients and servers joined to a common Active Directory forest

Tighter accuracy requirements were outside of the design specification of the Windows Time Service on these operating systems and is not supported.

Time accuracy in Windows 10 and Windows Server 2016 has been substantially improved, while maintaining full backwards NTP compatibility with older Windows versions. Under the right operating conditions, systems running Windows 10 or Windows Server 2016 and newer releases can deliver 1 second, 50ms (milliseconds), or 1ms accuracy.

Time Synchronization in an AD DS Hierarchy

In a Windows domain, the Forest Root Domain PDC Emulator FSMO role holder is the server that is considered to be the best time source and should be configured to sync with an external, reliable time source (such as an Internet NTP Time Server).

Client servers and workstations will synchronize with their authenticating Domain Controller (DC).

DCs can sync with the PDC Emulator in their own domain, or any DC in the parent domain.

DCs in the forest root domain will sync with their PDC Emulator.

How to reinstall the Windows Time service and reset the default configuration


  • net stop w32time
  • w32tm /unregister
  • w32tm /register
  • net start w32time

Note: /unregister removes all W32Time configuration from the registry, including any manual peer list. After /register a domain member is back to syncing from the domain hierarchy, so on the forest-root PDC emulator the external time source must be re-applied (w32tm /config /manualpeerlist:... /syncfromflags:manual /reliable:yes /update).
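Configuring time the way the hierarchy section describes, with the branch chosen automatically: manual external peers on the forest-root PDC emulator, domain hierarchy everywhere else, followed by the checks that show what the machine is really synced to and how far off it is. This is an added example, not from the original post; ntp1.example.net and ntp2.example.net are placeholder peers (use servers you control or trust, since NTP from the Internet is unauthenticated and a spoofed upstream moves every Kerberos clock in the forest).

```powershell
# Added example (not part of the original post): configure W32Time for the local role
# and verify. Assumed external peers: ntp1.example.net, ntp2.example.net (placeholders).
param([string[]]$ExternalPeers = @('ntp1.example.net', 'ntp2.example.net'))
$ErrorActionPreference = 'Stop'

function Invoke-W32tm([string[]]$Arguments) {
    $out = & w32tm.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "w32tm $($Arguments -join ' ') failed: $($out -join ' ')" }
    $out
}

$forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$rootPdc = $forest.RootDomain.PdcRoleOwner.Name
$me      = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

if ($me -ieq $rootPdc) {
    # Forest-root PDC emulator: external sources. 0x8 = client mode, 0x1 = poll at
    # SpecialPollInterval (0x9 combined). /reliable:yes advertises this DC as a good time source.
    $peerList = ($ExternalPeers | ForEach-Object { "$_,0x9" }) -join ' '
    Invoke-W32tm @('/config', "/manualpeerlist:$peerList", '/syncfromflags:manual', '/reliable:yes', '/update')
} else {
    # Everyone else follows the domain hierarchy (authenticating DC -> domain PDC -> forest-root PDC).
    # Time packets between domain members and DCs on this path are signed, unlike plain NTP.
    Invoke-W32tm @('/config', '/syncfromflags:domhier', '/reliable:no', '/update')
}
Restart-Service -Name w32time

# A resync right after restart can legitimately fail if no peer has answered yet, so do not treat it as fatal.
& w32tm.exe /resync /rediscover | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Warning 'Initial resync did not complete; check again after the first poll interval' }

# What are we actually synced to, and how far off is it?
Invoke-W32tm @('/query', '/source')
Invoke-W32tm @('/query', '/status') | Select-String -Pattern 'Stratum|Last Successful Sync|Source|Phase Offset'
# Compare the local clock against the root PDC; Kerberos rejects tickets beyond the 5-minute skew.
Invoke-W32tm @('/stripchart', "/computer:$rootPdc", '/samples:5', '/dataonly')
```

"Source: Local CMOS Clock" in the status output means the hierarchy is broken on that machine (it is free-running), which is the first thing to look for when Kerberos starts failing with clock-skew errors.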


Helpful links



Sunday 21 June 2015

Microsoft Product Licensing and Volume Activation


What is volume activation?

Volume activation is an authentication process that assures that your software copy is genuine. Activation is part of deployment and a core piece of the planning stage for Windows client and server operating systems and Office applications.

Licensed products:
  • Windows Server OS
  • Windows Client OS
  • Microsoft Office family of products

Activation methods:

  • Online (requires an active Internet connection)
  • By phone (can be used when there is no Internet connection)

License types:

  • Retail - the software is purchased "off the shelf" from a retailer and you install it yourself. The license key is included on the back of the product's CD/DVD packaging.
  • Original Equipment Manufacturer (OEM) - the software comes pre-installed on the device. A copy of the software is included along with the product key.
  • Volume licensing - you download the software and install it on company owned equipment based on an agreement with Microsoft for a set number of units. There are a number of different activation options available, as stated below:

Terminology:


  • Client Machine IDs (CMIDs)
  • Generic Volume License Key (GVLK)
  • Key Management Service (KMS)
  • Multiple Activation Key (MAK)
  • Volume License Service Center (VLSC)

Volume licensing activation options:


Volume licensing tools:

DNS Publishing of KMS server:
  • Creates an SRV (service) RR (resource record) called "_vlmcs" under _tcp in the domain's forward lookup zone, i.e. _vlmcs._tcp.<DomainFQDN>
  • Disable DNS publishing: slmgr.vbs /cdns
  • Enable DNS publishing: slmgr.vbs /sdns
  • Registry: Create a new DWORD value called "DisableDnsPublishing" and set its value to 1 under "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"
  • Publish to multiple DNS Domains: Create a new multi-string value "DnsDomainPublishList" in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" which contains the DNS domain suffixes of each domain.
  • Restart the Software Licensing service (SLsvc, Vista/2008) or the Software Protection service (sppsvc, Windows 7/2008 R2 and later) on the host
  • Locate your KMS server: nslookup -type=srv _vlmcs._tcp.<DomainFQDN>

Configuration defaults:

  • Volume license activation interval: 2 hours
  • Volume license renewal interval: 7 days
  • Volume activation expiration: 180 days
  • KMS Host protocol & port: TCP 1688
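A client-side check that ties the items above together: which hosts are advertising KMS in DNS, whether each one is reachable on TCP 1688, and what the local machine's licensing service is actually using and how long it has left. KMS activation requests are unauthenticated, so an unexpected _vlmcs record (a test or rogue host that was never set to DisableDnsPublishing) is worth investigating. This is an added example, not from the original post; the domain corp.example.com is assumed, and Resolve-DnsName needs Windows 8 / Server 2012 or later.

```powershell
# Added example (not part of the original post): KMS discovery, port probe and client status.
# Assumed domain: corp.example.com. Resolve-DnsName requires Windows 8 / Server 2012+.
function Find-KmsHost {
    param([string]$Domain = $env:USERDNSDOMAIN)
    Resolve-DnsName -Name "_vlmcs._tcp.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.QueryType -eq 'SRV' } |
        Select-Object @{n='Host'; e={$_.NameTarget}}, Port, Priority, Weight
}

function Test-KmsPort {
    param([Parameter(Mandatory=$true)][string]$ComputerName, [int]$Port = 1688, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Get-KmsClientStatus {
    $svc  = Get-WmiObject -Class SoftwareLicensingService
    # 55c92734-... is the Windows application ID; PartialProductKey filters to the installed edition.
    $prod = Get-WmiObject -Class SoftwareLicensingProduct `
                -Filter "PartialProductKey IS NOT NULL AND ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f'" |
            Select-Object -First 1
    if (-not $prod) { throw 'No Windows product with a product key found' }
    $states = @('Unlicensed', 'Licensed', 'OOB grace', 'OOT grace', 'Non-genuine grace', 'Notification', 'Extended grace')
    New-Object PSObject -Property @{
        Product             = $prod.Name
        LicenseStatus       = $states[$prod.LicenseStatus]
        GraceDaysRemaining  = [math]::Round($prod.GracePeriodRemaining / 1440, 1)   # reported in minutes
        ConfiguredKms       = $svc.KeyManagementServiceMachine                       # set by slmgr /skms; empty = DNS auto-discovery
        DiscoveredKms       = "$($svc.DiscoveredKeyManagementServiceMachineName):$($svc.DiscoveredKeyManagementServiceMachinePort)"
        ActivationIntervalH = $svc.VLActivationInterval / 60                        # default 2 hours
        RenewalIntervalH    = $svc.VLRenewalInterval / 60                           # default 7 days
        ClientMachineId     = $svc.ClientMachineID
    }
}

Get-KmsClientStatus | Format-List
foreach ($kms in Find-KmsHost -Domain 'corp.example.com') {
    '{0}:{1} (priority {2}, weight {3}) reachable: {4}' -f $kms.Host, $kms.Port, $kms.Priority, $kms.Weight,
        (Test-KmsPort -ComputerName $kms.Host -Port $kms.Port)
}
```

A ClientMachineId that repeats across several machines (a cloned image that was not sysprepped) is why a KMS host's activation count fails to reach the minimum threshold; on the host itself, cscript slmgr.vbs /dlv shows that count.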

Volume licensing guides:

Errors and troubleshooting: