Prerequisites for KMS Activation
- You must provide a KMS host with the appropriate Volume License media. KMS clients must also have the appropriate Volume License media to activate against the KMS host.
- KMS clients must be able to access a KMS host. Consider the following:
- Firewalls and the router network may need to be configured to pass communications for the TCP port that will be used (default 1688). If the Windows Firewall is used, no configuration is required on the client computer, because bi-directional TCP sessions that originate from the client computer are automatically allowed. You can configure the TCP port on the client computer or KMS host by using the slmgr.vbs script or setting registry values. You can also set up Group Policy for this. An exception has been added to the Windows Firewall to facilitate opening the default port 1688.
- If IPSec authentication is used to restrict end-to-end communication between computers in the network, you may need to configure one or more KMS hosts as “boundary machines,” that is, disable IPSec authentication in some situations. For example, some of your clients may be in workgroups or you may have domain-based clients that must access a KMS host across an Active Directory forest. The procedure for configuring this is beyond the scope of this guide.
- You may need to configure the Applications and Services Logs\Key Management Service event log on KMS hosts to ensure that it is large enough to accommodate the volume expected in your organization. Each 12290 event, which occurs every time a KMS client connects to the KMS host, requires approximately 1,000 bytes. You can set the log size in the Log Properties dialog box.
Configuring KMS Hosts
1. Optionally configure the TCP communications port that the KMS host will use by running:
    cscript C:\windows\system32\slmgr.vbs -sprt
2. Optionally disable automatic DNS publishing by using the following script:
    cscript C:\windows\system32\slmgr.vbs -cdns
   Re-enable automatic DNS publishing by using the following script:
    cscript C:\windows\system32\slmgr.vbs -sdns
3. Optionally set the KMS host to process using lowered scheduler priority:
    cscript C:\windows\system32\slmgr.vbs -cpri
   Revert to normal priority:
    cscript C:\windows\system32\slmgr.vbs -spri
4. Optionally set the activation interval that clients will use if not activated (default is 120 minutes). Run the script:
    cscript C:\windows\system32\slmgr.vbs -sai
5. Optionally set the renewal interval that the clients will use for periodically extending their activation expiration (in minutes; the default is seven days). Run the following script:
    cscript C:\windows\system32\slmgr.vbs -sri
Steps for Configuring KMS Publishing to DNS
- If you are using only one KMS host, you may not need to configure any permissions, because the default behavior is to allow a computer to create an SRV record and then update it. However, if you have more than one KMS host (the usual case), the others will be unable to update the SRV record unless the default SRV permissions are changed. This procedure is an example that has been implemented in the Microsoft environment. It is not the only way to achieve the desired result. Detailed steps for each of the tasks are not provided, because they may differ from one organization to another.
- If you are a domain administrator and want to delegate the ability to carry out the following steps to others in your organization, optionally create a security group in Active Directory and add the delegates, for example, create a group called Key Management Service Administrators, and then delegate permissions to manage the DNS SRV privileges to this security group. The remainder of this procedure assumes that either a domain administrator or delegate is performing the steps.
- Create a global security group in Active Directory that will be used for your KMS hosts, for example, Key Management Service Group.
- Add each of your KMS hosts to this group. They must all be joined to the same domain.
Once the first KMS host is created, it should create the SRV record. Add each KMS host to this security group.
- If the first computer is unable to create the SRV record, it may be because your organization has changed the default permissions. In this case, you will need to create the SRV record manually with the name _VLMCS._TCP (service name and protocol) for the domain. Set the time-to-live (TTL) to 60 minutes.
- Set the permissions for the SRV group to allow updates by members of the global security group.
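The following is an added example, not part of the original guide or of Microsoft's scripts: a PowerShell check that compares the _VLMCS._TCP SRV records published for a domain with the KMS hosts you placed in the security group, flagging unexpected targets, non-default ports, and approved hosts that have no record. The function name Test-KmsSrvRecord, the host names and the sample records are assumptions; the sample data is constructed.

```powershell
# Added example, not from the original guide. Test-KmsSrvRecord, the host
# names and the sample records are hypothetical / constructed.
function Test-KmsSrvRecord {
    param(
        [Parameter(Mandatory)] [object[]] $Record,        # objects with NameTarget and Port
        [Parameter(Mandatory)] [string[]] $ApprovedHost,  # FQDNs of the KMS host group members
        [int] $ExpectedPort = 1688                        # default KMS port stated in the guide
    )
    $published = @{}
    foreach ($r in $Record) {
        # Normalize the SRV target: drop a trailing dot, compare in lower case.
        $target = ([string]$r.NameTarget).TrimEnd('.').ToLowerInvariant()
        $published[$target] = $true
        $issues = @()
        if ($ApprovedHost -notcontains $target) { $issues += 'host is not an approved KMS host' }
        if ($r.Port -ne $ExpectedPort) { $issues += "port $($r.Port), expected $ExpectedPort" }
        [pscustomobject]@{
            Target = $target
            Port   = $r.Port
            Status = if ($issues) { 'REVIEW' } else { 'OK' }
            Detail = $issues -join '; '
        }
    }
    # Approved hosts with no record usually mean the SRV permissions were not delegated.
    foreach ($h in $ApprovedHost) {
        if (-not $published.ContainsKey($h.ToLowerInvariant())) {
            [pscustomobject]@{
                Target = $h.ToLowerInvariant()
                Port   = $null
                Status = 'MISSING'
                Detail = 'approved host has no SRV record; check SRV record permissions'
            }
        }
    }
}

# Constructed sample input, shaped like the SRV answers Resolve-DnsName returns.
$sample = @(
    [pscustomobject]@{ NameTarget = 'kms03.site5.contoso.com';   Port = 1688 }
    [pscustomobject]@{ NameTarget = 'ws-0417.site5.contoso.com'; Port = 1688 }
    [pscustomobject]@{ NameTarget = 'kms04.site5.contoso.com';   Port = 1689 }
)
$approved = 'kms03.site5.contoso.com', 'kms04.site5.contoso.com', 'kms05.site5.contoso.com'
Test-KmsSrvRecord -Record $sample -ApprovedHost $approved | Format-Table -AutoSize

# Live check from an admin workstation that has the DnsClient module:
# $live = Resolve-DnsName -Name '_vlmcs._tcp.site5.contoso.com' -Type SRV |
#         Where-Object { $_.NameTarget }
# Test-KmsSrvRecord -Record $live -ApprovedHost $approved
```

Run the live check once per DNS domain that KMS publishes to, and treat any REVIEW row as a record to trace back to the computer that registered it.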
To automatically publish KMS in additional DNS domains
On the KMS host, create the following registry key, using regedit.exe.
Navigate to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SL
    Value Name: DnsDomainPublishList
    Type: REG_MULTI_SZ
    Value Data: Enter each DNS Domain that KMS should publish to on separate lines.
Restart the Software Licensing Service and the records should be created immediately. The application event log will contain a 12294 event for each successfully published domain and a 12293 event for each unsuccessful domain publishing attempt.
For the 12293 event, the failure code can be diagnosed by running the following:
    slui.exe 0x2a 0x
Choose and install the desired volume licensed media. No product key is required during setup.
If you use DNS auto-discovery, no further configuration is required.
For domain-joined computers, the DNS auto-discovery of KMS requires that the DNS zone corresponding to either the primary DNS suffix of the computer or the Active Directory DNS domain contain the SRV resource record for a KMS.
For workgroup computers, DNS auto-discovery of KMS requires that the DNS zone corresponding to either the primary DNS suffix of the computer or the DNS domain name assigned by DHCP (option 15 per RFC 2132) contain the SRV resource record for a KMS.
Configuration is only required for KMS clients that will use direct registration with their KMS host. Direct registration overrides DNS auto-discovery. Configuration can be scripted to run remotely and can use Group Policy or logon scripts, assuming that:
The required services are enabled on the computer.
The port used for KMS communications is not blocked in firewalls or routers.
Access permissions are set correctly. (All methods that are implemented in WMI or through the registry require Administrator privileges unless standard user activation has been enabled).
- On the KMS client, register the KMS host's fully qualified domain name (FQDN), for example kms03.site5.contoso.com, and, optionally, the TCP port used to communicate with KMS (if you are not using the default):
    cscript \windows\system32\slmgr.vbs -skms
- Optionally, the IP or NetBIOS ID (name of the computer) can be used instead of the FQDN:
    cscript \windows\system32\slmgr.vbs -skms
- To re-enable auto-discovery for a client computer that was registered to use a specific KMS, run the following built-in script:
    cscript \windows\system32\slmgr.vbs -ckms
Deploying KMS Clients
- Run sysprep /generalize immediately prior to shutting down your deployment reference image. This resets the activation timer, security identifier, and other important parameters. Resetting the activation timer is important to prevent images from requiring activation immediately after starting first boot. Note that running Sysprep does not remove the installed product key and you will not be prompted for a new key during mini-setup.
- Use an imaging technology that is compatible with Windows Vista.
Deploy using standard techniques such as disk duplication or WDS.
Activating a KMS Client Manually
Using the Windows Interface
Open System properties in Control Panel. If you are prompted for permission, click Allow.
Click "Click here to activate Windows now". This launches the activation wizard. If you are prompted for permission, click Allow. If your computer has access to the network and a KMS, Windows reports that activation was successful.
Using a script
Launch a command window (with elevated privileges if not running as Administrator).
Run the following script to activate:
    cscript \windows\system32\slmgr.vbs -ato
The script reports activation success or failure, along with a result code.
Converting a Client Computer using MAK Activation to use KMS Activation
Ensure that the computer is connected to the network and can access a KMS host.
Launch a command window (with elevated privileges if not running as Administrator).
Launch a command window with elevated privileges.
Run the following script to install the setup key (this automatically removes the MAK):
    cscript \windows\system32\slmgr.vbs -ipk