Windows Activation: The Basics

Windows Activation, to some, has become confusing and a source of constant trouble. Why? Because they didn’t read the documentation. Gone are the days of simply inserting a CD or DVD and installing a Microsoft product. The single biggest source of confusion is the existence of two types of activation keys: KMS and MAK.

KMS stands for Key Management Service. A KMS key is used to install a system that hosts the KMS. A system hosting KMS activates other systems in your environment that have not yet been activated. These un-activated systems find the KMS system by looking for an SRV DNS record named _VLMCS._TCP.

KMS keys can be used on either Vista or Server 2008 systems. Once you activate a system with a KMS key, it becomes a KMS server. You do not have to install any additional roles or features to accomplish this; it is all built-in. By default, the system will automatically register the proper DNS record. The bottom line here is that if the system is not supposed to be a KMS, do not use a KMS key to activate it.
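An added example, not from the original post: because any machine activated with a KMS key registers itself under _VLMCS._TCP, comparing the published SRV records with the hosts you intended to run KMS catches machines that were given a KMS key by mistake. The host names, the approved list and the nslookup-style output below are constructed for illustration.

```python
import re

# Hosts that are supposed to run KMS (assumed names for this example).
APPROVED_KMS_HOSTS = {"kms01.corp.example.com"}

# Constructed sample in the layout Windows prints for
# `nslookup -type=srv _vlmcs._tcp.corp.example.com`.
SAMPLE_NSLOOKUP = """\
_vlmcs._tcp.corp.example.com    SRV service location:
          priority       = 0
          weight         = 0
          port           = 1688
          svr hostname   = kms01.corp.example.com
_vlmcs._tcp.corp.example.com    SRV service location:
          priority       = 0
          weight         = 0
          port           = 1688
          svr hostname   = WS-FINANCE-07.corp.example.com
kms01.corp.example.com  internet address = 10.0.0.20
"""

FIELD = re.compile(r"\s+(priority|weight|port|svr hostname)\s*=\s*(\S+)")

def parse_srv_records(text):
    """Return one dict per SRV answer found in nslookup output."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if "SRV service location" in line:
            current = {"name": line.split()[0].lower()}
            records.append(current)
        elif m and current is not None:
            key, value = m.group(1), m.group(2)
            if key == "svr hostname":
                current["target"] = value.rstrip(".").lower()
            else:
                current[key] = int(value)
        elif not line.startswith((" ", "\t")):
            current = None  # an unindented line ends the record block
    return records

def find_unapproved_kms(records, approved):
    """SRV targets that advertise KMS but are not on the approved list."""
    allowed = {h.lower() for h in approved}
    return sorted({r["target"] for r in records
                   if "target" in r and r["target"] not in allowed})

if __name__ == "__main__":
    for host in find_unapproved_kms(parse_srv_records(SAMPLE_NSLOOKUP), APPROVED_KMS_HOSTS):
        print("unexpected KMS host published in DNS:", host)
```
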

Once the KMS is itself activated using a KMS key, it will in turn activate other systems without any further communication with Microsoft. Systems that activate against a KMS do not need to have a product key explicitly installed; a generic key is used during Windows installation. This key is stored in a file called pid.txt in the source folder on the installation media and can only be used to activate a system against a KMS. If necessary, you can also get these keys, for Windows editions eligible to be activated by a KMS, from the Volume Activation 2.0 Deployment Guide. Note that only Vista Business and Vista Enterprise can activate against a KMS, in addition to all versions and editions of Server 2008.

KMS systems do not relay their database or specific activation details to Redmond. This is not a way for Microsoft to spy on you and your organization. KMS is designed to prevent piracy of corporate keys, which was very rampant with Windows XP and Server 2003. KMS is also designed to make it very easy to activate Windows in a corporate environment: you never actually have to distribute any keys once you have a KMS up and running. If you are worried about rogue installations of Windows, simply disable the automatic publishing of the DNS record. You will have to point each system manually at the KMS system for activation, but this is far simpler than having to give out and maintain keys.

MAK stands for Multiple Activation Key and is used to activate individual systems when a KMS is not feasible or accessible. Systems where an MAK is used for activation contact Redmond to activate. Each MAK can only be used a set number of times before it will not allow any more systems to be activated with it. The number of times an MAK can be used is set by the licensing folks at Microsoft and can be extended with a phone call to them.

In general, in corporate environments, MAK keys should only be used by systems that are not directly attached to the corporate network regularly; e.g., remote users’ laptops.

If you are using a KMS key on every one of your systems, stop the insanity now. KMS keys, like MAK keys, can only be activated a set number of times. You will eventually max this number out and be left in the cold. Of course you will be able to call the licensing folks at Microsoft to try to extend this, but they will probably laugh at you and ask why you didn’t read the documentation.

The following diagram shows the activation paths for the various key types used.

Windows Activation Paths Based on Key Type

Part 2 of this post will cover how a KMS works and its limitations and Part 3 will cover troubleshooting KMS.
