Sunday, January 10, 2010

Windows Server 2008 and Windows Activation

I recently built a new virtual machine running Windows Server 2008 R2 using volume license media.  I knew that the client already had a Key Management Service (KMS) server on their network to manage the activations of all of their Server 2008, Vista, and Windows 7 clients.  When I clicked on the "Activate Windows" link in the "Initial Configuration Tasks" window, I was surprised to see that my only option was to enter a product key when I clicked.  There wasn't any option to specify the name of their KMS server.



It turns out that you have to run a few command-line tools to tell Windows which Key Management Service machine to use and to then activate Windows without using a product key.  First, it's always a good idea to display the current license information by issuing the following command in a command prompt:

slmgr.vbs -dli

You should see a window such as the following which basically confirms that the product has not been registered:



Now, issue the following command to set the name of the Key Management Service host to use, in this case, server.domain.com:

slmgr.vbs -skms server.domain.com

Of course, if you get an error message such as the following, you'll need to right-click on the Command Prompt icon in your Start Menu, select the Run as administrator option and re-issue the command.



If the command completed successfully, you should see a prompt such as the following:



(Note that the actual name of the KMS server was removed from the graphic above.  If entered correctly, the name should appear immediately after the word "to" in the first line of the message.)

Finally, to complete the activation, you need to enter the following command:

slmgr.vbs -ato

If the registration was successful, you should receive a confirmation such as the following:



If you get an error message similar to the following instead, either you entered the wrong host name or the KMS service on that server could not be reached.



If you are not sure whether you have the correct server name, you could also try to locate the correct server name using the following nslookup commands:

nslookup
set type=srv
_vlmcs._tcp.domain.com

If a Key Management Service has been registered with the domain, it should be listed in the "svr hostname" field.
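The steps above can be chained into one script. This is an added example, not part of the original post: it looks up the KMS host through the same SRV record, confirms the advertised port answers, and only then sets the host and activates. It assumes the placeholder domain domain.com from the post and simply uses the first SRV record returned.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
param([string]$Domain = 'domain.com')   # placeholder domain, as in the post

# slmgr.vbs -skms and -ato fail without elevation, so check first.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Run as administrator) prompt.'
}

# Same query as the interactive nslookup session, in one line.
$out = nslookup -type=srv "_vlmcs._tcp.$Domain" 2>$null

# Each SRV answer prints "port = <n>" and "svr hostname = <name>".
$ports = @($out | ForEach-Object { if ($_ -match '^\s*port\s*=\s*(\d+)') { [int]$Matches[1] } })
$hosts = @($out | ForEach-Object { if ($_ -match 'svr hostname\s*=\s*(\S+)') { $Matches[1] } })
if ($hosts.Count -eq 0 -or $ports.Count -eq 0) {
    throw "No _vlmcs._tcp SRV record found for $Domain; ask for the KMS host name."
}
$kmsHost = $hosts[0]; $kmsPort = $ports[0]   # assumption: use the first record returned

# Confirm the KMS port answers before pointing the machine at it.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($kmsHost, $kmsPort)
} catch {
    throw "Cannot reach ${kmsHost}:$kmsPort ($($_.Exception.Message))"
} finally {
    $tcp.Close()
}

# cscript sends slmgr output to the console instead of pop-up windows.
$slmgr = Join-Path $env:windir 'System32\slmgr.vbs'
cscript //nologo $slmgr -skms "${kmsHost}:$kmsPort"
cscript //nologo $slmgr -ato
cscript //nologo $slmgr -dli
```

Because the host name comes from DNS, check the name printed by the -skms step against the KMS server you expect before relying on the activation.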

Friday, January 8, 2010

Pre-Authentication Check Failed

This is a really dumb sequence of error messages generated by the Citrix Access Gateway Secure Access Client. If you happen to make a typo when entering the web address of the Access Gateway, you will likely receive a security alert such as the following, warning that the identity of the Citrix Access Gateway you are attempting to connect to cannot be verified.



This warning often appears even when there are no issues with the Access Gateway you are connecting to. A proxy server on the network from which you are connecting, or some other network device or access rule, may be blocking the verification, so you might not think anything of it. If you click "Yes" to continue, you'll likely receive a more serious warning indicating that your client has failed a pre-authentication check.




Before you start reconfiguring the access policies on your gateway or checking for new hot fixes or updates to apply, you may want to double-check the web address you entered for any typos. The Citrix Access Gateway client does not actually verify that you entered a legitimate web address; it just goes ahead and tries to use it. In this case, a simple typo in the web address meant that the host name could not be resolved, resulting in the two warnings shown above.

Citrix Access Gateway Plug-In and VMware Workstation Compatibility

Here's an interesting problem I ran into recently. I have a Windows XP virtual machine running in VMware Workstation 7 on a Windows 7 client. I recently installed the Citrix Access Gateway Plug-in for Windows version 4.6.2 on my Windows 7 client so that I could remotely connect to some of my clients' networks. I noticed that anytime I launched the Access Gateway Plug-in on my Windows 7 host, I could no longer browse the web or resolve host names from my Windows XP guest. This really sucked as I was hoping that I would be able to access hosts on client networks from my Windows XP guest as there are still a lot of management tools which are not compatible with Windows 7, Cisco's Fabric Manager for example. I eventually stumbled upon an interesting fix. In order to allow the Windows XP guest to share the SSL VPN connection to a client's network on the host, you have to configure the network adapter on the virtual machine to use NAT rather than a bridged connection.



Of course, another solution would have been to install the Citrix Access Gateway client within the Windows guest VM and leave the network connection set to "bridged." This would allow you to establish a VPN connection directly from your guest VM without also connecting the host. This is great for testing and troubleshooting external access as the host (or other guest VMs) would remain outside the client's network. However, once you load the Citrix Access Gateway client on the host, guest VMs configured to use a bridged connection appear to lose all network connectivity. I haven't been able to figure out a solution for that scenario.