Out of date VM tools - issue with MS licencing.

0

I had an issue recently where VMware Tools on a production server went out of date and caused the server in question to become unlicensed. I noticed this completely by accident.

The following error appeared when I tried to run the slmgr -dlv command: 0xC004F00F, which, when I searched, comes up with the following:

0xC004F00F The Software Licensing Server reported that the hardware ID binding is beyond level of tolerance. MAK/KMS client/KMS host

The hardware has changed or the drivers were updated on the system.

MAK: Reactivate the system during the OOT grace period using either online or phone activation. KMS: Restart, or run slmgr.vbs /ato.

I've inherited this environment and don't currently have a schedule for updating the vmtools (200+ servers); it was previously done on an ad-hoc basis, either when someone noticed it or whatever.... :(

So I fear an impending avalanche of servers popping off license. Worse still, is there a possibility that some of these servers, if they go unlicensed for a period, could reach the hourly reboot threshold?

windows
vmware-esxi
licensing
asked on Server Fault Mar 12, 2014 by JJJJNR

2 Answers

2

How do you license?

If it is MAK it will just reactivate on slmgr /ATO.

If it is KMS - which it should be - it will reactivate with slmgr /ATO from the KMS.

So, what is the question here? That you need to have licenses reactivating? That is a technicality and not complicated to script.

And servers do not hourly reboot. I had a machine at a customer that went unlicensed for a long time, mostly because the customer uses KMS and that machine had no access to it until a recent patch fixed the RRAS routing. Never got a reboot.

Thank heaven with 2012 R2 those times are over, as VMs "pull" the license from the host.

answered on Server Fault Mar 12, 2014 by TomTom
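
An added example, not part of the original answer, of scripting the check and reactivation discussed above in PowerShell. The `servers.txt` host list and the use of PowerShell remoting (WinRM) are assumptions; `SoftwareLicensingProduct` is the WMI class that `slmgr.vbs` itself reads.

```powershell
# Added example: inventory Windows activation state across servers and
# re-run activation where a server is no longer in the Licensed state.
# Assumptions: servers.txt (one hostname per line), PowerShell 3.0+ on the
# admin host, and WinRM enabled on the targets. None of this is from the thread.

$servers = Get-Content -Path '.\servers.txt'

# LicenseStatus values of the SoftwareLicensingProduct WMI class
$statusNames = @{
    0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOBGrace'; 3 = 'OOTGrace'
    4 = 'NonGenuineGrace'; 5 = 'Notification'; 6 = 'ExtendedGrace'
}

# ApplicationID that identifies the Windows operating system itself
$windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'

$report = foreach ($server in $servers) {
    try {
        $lic = Get-CimInstance -ComputerName $server -ClassName SoftwareLicensingProduct `
                   -Filter "ApplicationID='$windowsAppId' AND PartialProductKey IS NOT NULL" `
                   -ErrorAction Stop | Select-Object -First 1
        if (-not $lic) { throw 'No installed Windows product key found' }
        [pscustomobject]@{
            Server       = $server
            Status       = $statusNames[[int]$lic.LicenseStatus]
            GraceMinutes = $lic.GracePeriodRemaining   # minutes left in the grace period
            Error        = $null
        }
    } catch {
        # Unreachable or unreadable hosts are reported, never reactivated blindly
        [pscustomobject]@{ Server = $server; Status = 'Unknown'; GraceMinutes = $null
                           Error = $_.Exception.Message }
    }
}

$report | Sort-Object Status, Server | Format-Table -AutoSize

# Reactivate only servers that answered and are not Licensed (e.g. OOTGrace)
$needsActivation = $report | Where-Object { $_.Status -notin 'Licensed', 'Unknown' }
foreach ($entry in $needsActivation) {
    Write-Host "Reactivating $($entry.Server) (was $($entry.Status))"
    Invoke-Command -ComputerName $entry.Server -ScriptBlock {
        cscript.exe //nologo "$env:SystemRoot\System32\slmgr.vbs" /ato
    }
}
```

Running the inventory half on a schedule and alerting on any `OOTGrace` row catches a server inside its grace period rather than after it reaches the notification state.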
1

Microsoft have come back to me in relation to this issue, and this is what they have to say.

Yes, it is possible that when VMWare tools go out of date on the VMs the activation on the machine might get into Out-of-Tolerance mode and then eventually into notification mode if you do not reactivate the machine.

Windows Activation Technologies in Windows 7 http://technet.microsoft.com/en-us/library/dd979803.aspx

Excerpt from the above articles:

The software licensing architecture governs the licensing condition of computers that are running Windows operating systems. This architecture has a policy engine built from a number of core Windows security technologies. It is designed to protect the code and the associated licensing condition from tampering or other malicious behavior.

The policy engine gets data from a set of cryptographically signed eXtensible rights Markup Language (XrML) license files. XrML is an industry-standard rights expression language that a number of Windows components use. License files define the rights and conditions of the installed edition of Windows. All licensing files and other data that the policy engine uses are digitally signed or encrypted by using keys that are chained to secure roots of trust with Microsoft.

Windows 7 and Windows Server 2008 R2 may be in one of four software licensing conditions: activated, grace, genuine, or notifications. The following sections describe these conditions, which reflect the status of the computer’s activation and genuine state, which dictates the user experience. Figure 6 illustrates these conditions.

Figure 6 License states

Activated

When a computer is activated, users can access the full functionality of the operating system. A combination of licensing files and a set of policies (rights) granted as a result of the activation process defines the functionality for a Windows edition. Individual Windows components call software licensing application programming interfaces (APIs) to determine which rights are granted and adjust their functionality according to the response.

Grace

After installing a Windows 7 or Windows Server 2008 R2 operating system but before activating it, users can access the full functionality of the operating system for a limited time (the grace period). The length of a grace period is 30 days for either the client or server operating system. During this initial grace period, the operating system periodically notifies the user that the computer needs to be activated. Additionally, Windows can fall into out-of-tolerance grace when the hardware changes significantly. The notifications are minimally intrusive and may not start at the beginning of the grace period, but they increase in frequency toward the end of the grace period.

Genuine

The genuine state is not associated with the activation process. Instead, it is a condition determined by the online genuine validation service. When a user attempts to download or use a genuine-only feature, the online validation service checks the operating system of the requesting computer. An operating system can have one of three genuine states:

1. Non-genuine. The computer has obtained a ticket from the online validation service indicating that it is not genuine.
2. Local genuine. The computer has not obtained a validation ticket.
3. Genuine. The computer has a ticket that is signed by Microsoft from the online validation service indicating that it is genuine.

The genuine license condition applies only to client versions of the Windows operating system. Initially, during the grace period, a computer running these Windows versions is always in a local genuine condition. A computer is never marked non-genuine until after it fails validation through the online validation service and receives a non-genuine ticket. Likewise, after a computer has a non-genuine status, it must successfully validate itself through the online validation service to receive a genuine ticket.

Although it is necessary for a computer to be activated to be considered genuine, the process of activation does not reset or clear a previous non-genuine status. As a result, to return a computer to a fully functional activated condition, it must be both activated and validated against the online validation service. For more information, see Genuine Microsoft Software http://go.microsoft.com/fwlink/?LinkId=151993 on the Microsoft Web site.

Notifications

The purpose of the notifications-based experience is to differentiate between an activated (genuine) and an unlicensed (non-genuine) copy of Windows in a way that maintains computer functionality, such as logon, access to the familiar desktop, and so on.

Reduced Functionality Mode (RFM) is not in Windows 7 or Windows Server 2008 R2. Instead, both operating systems have a notifications-based experience. This new notifications user experience means that computers that are not activated during their grace periods (initial activations and those that result from hardware changes) or that fail validation may provide the following user experience:

1. After logging on to the computer, users see a dialog box reminding them that Windows must be activated along with options to activate now or later. If users do not interact with this dialog box within two minutes, the logon process continues normally.
2. In the notifications state, Windows changes the desktop wallpaper to a solid black background, displays notifications in the notification area indicating the activation state, and displays dialog boxes showing actions that the user must take.
3. In the notifications state, users have access to the full functionality of the installed version of Windows, with the following features disabled:
   1. A computer configured as a KMS host responds to KMS client requests with an error message that KMS has not been activated.
   2. Windows Update downloads security and critical updates (optional updates are excluded).
   3. Optional downloads requiring the online validation service—also referred to as genuine-gated downloads—are not available.

The computer must be activated for it to leave the notifications state.

answered on Server Fault Apr 28, 2014 by JJJJNR

User contributions licensed under CC BY-SA 3.0