Active Directory-Based Activation vs. Key Management Services
Published Sep 19 2018 03:29 PM

First published on TechNet on Feb 04, 2013

KMS Activation

 

**Quick Update**

If you're looking to add support to your KMS hosts for Windows 8.1 and Windows Server 2012 R2, you need to install the update mentioned in the following article:

http://support.microsoft.com/kb/2885698

---------------------------------------------------------

 

I still receive TONS of questions on KMS even though it has been around for quite some time now. It’s fairly easy to ramp up on. I can generally bring an admin up to speed in under an hour, if they don’t want to read the documentation (located on TechNet: http://technet.microsoft.com/library/ff793409.aspx).

 

It’s not very complicated. It’s easy to set up. Just very different from Windows Server 2003. So a bit of a refresher on KMS. Don’t worry. I won’t bore you with too many details as there’s a ton of good information out there on volume activation using KMS.

 

So what is KMS?

 

KMS is a service that activates volume license versions of Windows Vista and later as well as Office 2010 and later. Since I’m not an “Office” person, I’ll focus on the Windows side of things. But if you’re curious about Office 2013, look here: http://technet.microsoft.com/en-us/library/ee624357.aspx

To activate client operating systems, the KMS host requires a count of 25; server operating systems require a count of 5. These can be any combination of client or server operating systems. By count, we mean that this number of unique KMS clients must have contacted the KMS host before the KMS host will activate any KMS clients. Activation lasts for 180 days, and clients attempt to renew with the KMS host every 7 days by default.

 

To set up the KMS host, we use the command line interface slmgr.vbs to install the KMS host key. The KMS host can be cohosted on a VM or physical server, or stand alone by itself. You can have one or many. If DDNS is enabled, the KMS host automatically creates an SRV record in DNS so that KMS clients can locate a KMS host and activate against it. Here’s a demo that shows how to do this: http://technet.microsoft.com/en-us/windows/ff716620.aspx?ITPID=flpbook

Easy enough.
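Because clients trust whatever the SRV record points them to, it is worth checking what DNS actually advertises. The script below is an added example, not part of the original post: it resolves the standard KMS SRV name (_vlmcs._tcp), compares each target with an approved list, and tests the port. The domain name and host list are placeholder assumptions.

```powershell
# Added example: audit the KMS SRV records that clients use for discovery.
# $Domain and $ExpectedHosts are placeholders (assumptions); use your own.
param(
    [string]   $Domain        = 'corp.example.com',
    [string[]] $ExpectedHosts = @('kms01.corp.example.com')
)

# KMS hosts register themselves under this SRV name when DDNS is enabled.
$srvName = "_vlmcs._tcp.$Domain"

$records = @(Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'SRV' })

if ($records.Count -eq 0) {
    Write-Warning "No SRV records found for $srvName"
    return
}

$records | ForEach-Object {
    [pscustomobject]@{
        KmsHost   = $_.NameTarget
        Port      = $_.Port
        Priority  = $_.Priority
        Weight    = $_.Weight
        # A host that is not on the approved list deserves a closer look.
        Expected  = $ExpectedHosts -contains $_.NameTarget
        # Confirms the service is listening where DNS says it is.
        Reachable = Test-NetConnection -ComputerName $_.NameTarget -Port $_.Port `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
    }
} | Sort-Object Expected, Priority | Format-Table -AutoSize
```

Rows with Expected = False sort to the top, so an unapproved KMS host registered in DNS is the first thing you see.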

 

Very little has changed for Windows 8 and Windows Server 2012. However, we added a GUI. Prior to Windows 8 and Windows Server 2012. For those of you that have KMS hosts set up to support earlier versions of the operating system, you can still use these to activate Windows 8 and Windows Server 2008 R2 as long as the KMS host is running on a Windows 2008 R2 or later operating system. It does require installing the update mentioned in the following article:

http://support.microsoft.com/kb/2757817

 

Afterwards, you then need to install the Windows Server 2012 volume license key and activate it.  This key will activate Windows Server 2012, Windows 8, and client and server operating systems all the way down to Windows Vista and Windows Server 2008.

 

Now for the new stuff.

 

Active Directory-Based Activation

With Windows 8 and Windows Server 2012, we also introduced something better.

It is called Active Directory-Based Activation.

 

It only works with Windows 8, Windows Server 2012, and later, and it is forest-wide. So for Windows 7/2008 R2 and earlier, you’ll still need to maintain those old KMS hosts.

 

You do not need to have your forest and functional levels at 2012, but you must have updated the schema to support these operating systems using ADPREP. ADPREP is still located on the Windows media if you plan on running it from one of the existing DCs in the environment.

 

1) If you haven’t already done so, run ADPREP from the Windows Server 2012 media to update the schema to support Active Directory-Based Activation.

Note: Be cognizant and cautious, as with any schema update.

 

2) On a Windows Server 2012 machine, install the Volume Activation Services role.

 

 

3) After the role has installed, from Server Manager, select Tools, and then select Volume Activation Tools.

 

4) In the wizard, select Active Directory-Based Activation.

 

 

5) Enter your KMS host volume license key for Windows Server 2012. You’ll forgive me for not showing mine, right? :)

 

 

You can optionally choose to enter a display name for the AD object you will be creating.

By default, the Activation Object is named Windows® Operating System, Volume_KMS_Channel. I chose to enter a unique object name for my demo.

 

6) Complete the wizard, but make sure to read the dialog. There’s a tricky one at the end.

 

 

Click Close on the Activation Succeeded window instead of Next. The last thing you want to do is delete the AD object you just created (although it does have a safety precaution of requiring you to check the box).

 

7) The volume license key must be activated before the domain and clients can be activated. You can do this from the GUI or from the old slmgr.vbs command line.

 

 

From here on, all volume licensed versions of Windows 8 and Windows Server 2012 will be activated as soon as they join the domain.

 

Once you’re activated, if you run slmgr.vbs -dlv, you’ll see the following:

 

 

The Application Event log will show the activation event:

 

 

Using ADSI, you can view the AD object.

 

Multiple activations can be listed here. If you have both client and server SKUs, you'll have two activation objects. As long as the server object is available, the client can be safely deleted as the server object will activate both clients and servers.
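The same objects can be listed without opening ADSI Edit. The following read-only query is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module is installed and relies on the standard location of activation objects under the Configuration partition (CN=Activation Objects,CN=Microsoft SPP,CN=Services) and the msSPP-ActivationObject class.

```powershell
# Added example: read-only listing of AD-Based Activation objects.
# Requires the ActiveDirectory module (RSAT) and rights to read the
# Configuration partition.
Import-Module ActiveDirectory

$configNC  = (Get-ADRootDSE).configurationNamingContext
$container = "CN=Activation Objects,CN=Microsoft SPP,CN=Services,$configNC"

$props = 'displayName', 'msSPP-CSVLKPartialProductKey', 'msSPP-CSVLKPid',
         'whenCreated', 'whenChanged'

try {
    $objects = @(Get-ADObject -SearchBase $container -SearchScope OneLevel `
                   -LDAPFilter '(objectClass=msSPP-ActivationObject)' `
                   -Properties $props -ErrorAction Stop)
}
catch {
    # For example: AD-Based Activation was never configured in this forest,
    # or the account cannot read the container.
    Write-Warning "Could not read $container : $($_.Exception.Message)"
    return
}

Write-Host "Activation objects found: $($objects.Count)"

$objects | Sort-Object whenCreated | Select-Object `
    Name,
    @{ n = 'DisplayName'; e = { $_.displayName } },
    @{ n = 'PartialKey';  e = { $_.'msSPP-CSVLKPartialProductKey' } },
    @{ n = 'CsvlkPid';    e = { $_.'msSPP-CSVLKPid' } },
    whenCreated, whenChanged, DistinguishedName |
  Format-List
```

Since activation is forest-wide, any object in this container that you did not create, or whose whenChanged date you cannot account for, is worth investigating.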

 

These objects can be manually deleted using ADSI, but the preferred method is to use Volume Activation Tools.

 

To do so, go back into the same wizard and select the radio button to Skip to Configuration.

 

 

Simply check the Delete checkbox and click on Commit.

 


 

Other Details

Activations still last for 180 days. When a re-activation event occurs, the client will query AD for the Activation Object. Since AD-Based Activation uses AD, we use LDAP instead of the RPC port (TCP 1688) used with KMS.

 

In the event that the Active Directory object is unreachable, clients will attempt to use the next available activation method which is the KMS activation method. This means if the AD object is unreachable, the client will go check DNS for an SRV record for a KMS host.

 

If you unjoin a client from the domain, activation will fail on the next license evaluation. This typically occurs when a system is rebooted or the Software Protection Service is restarted. Side note: Don’t disable this service. I’ve seen too many instances of that. It leads to wonky behavior.
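To see from the client side which method was actually used, and whether a machine has quietly fallen back from the AD object to a KMS host, you can read the licensing state directly. This is an added example, not part of the original post; it is read-only and uses the SoftwareLicensingProduct WMI class, the same class slmgr.vbs reads, on Windows 8 / Windows Server 2012 or later.

```powershell
# Added example: how did this client last activate, and is the service healthy?
# Read-only; run locally on a Windows 8 / Windows Server 2012 or later machine.
$windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'   # Windows application ID
$methodName   = @{ 1 = 'Active Directory'; 2 = 'KMS'; 3 = 'Token' }

# Only the product that has a key installed is interesting.
$filter = "ApplicationID='$windowsAppId' AND PartialProductKey IS NOT NULL"

Get-CimInstance -ClassName SoftwareLicensingProduct -Filter $filter |
  ForEach-Object {
    # VLActivationType records the method used for the most recent activation.
    $method = $methodName[[int]$_.VLActivationType]
    [pscustomobject]@{
        Product          = $_.Name
        Licensed         = ($_.LicenseStatus -eq 1)
        LastMethod       = if ($method) { $method } else { 'None/other' }
        ADObjectName     = $_.ADActivationObjectName
        ADObjectDN       = $_.ADActivationObjectDN
        DiscoveredKms    = $_.DiscoveredKeyManagementServiceMachineName
        GraceMinutesLeft = $_.GracePeriodRemaining
    }
  } | Format-List

# The Software Protection service must not be disabled.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='sppsvc'"
if ($svc.StartMode -eq 'Disabled') {
    Write-Warning 'Software Protection service (sppsvc) is disabled.'
} else {
    Write-Host "sppsvc start mode: $($svc.StartMode), state: $($svc.State)"
}
```

A domain-joined Windows 8 or Windows Server 2012 client that reports LastMethod = KMS could not use the AD object at its last activation and used a KMS host found in DNS instead.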

 

Enjoy!

 

Charity “AD Activation Makes Activation Even Easier” Shelbourne

 

Last update: Feb 10 2020 03:17 PM