Active Directory-Based Activation vs. Key Management Services

Published Sep 19 2018 03:29 PM 30.6K Views

First published on TechNet on Feb 04, 2013

KMS Activation


**Quick Update**

If you're looking to add support to your KMS hosts for Windows 8.1 and Windows Server 2012 R2, you need to install the update mentioned in the following article:



I still receive TONS of questions on KMS even though it has been around for quite some time now. It’s fairly easy to ramp up on. I can generally bring an admin up to speed in under an hour, if they don’t want to read the documentation (located on TechNet:


It’s not very complicated. It’s easy to setup. Just very different from Windows Server 2003. So a bit of a fresher on KMS. Don’t worry. I won’t bore you with too many details as there’s a ton of good information out there on volume activation using KMS.


So what is KMS?


KMS is a service that activates volume license versions of Windows Vista and later as well as Office 2010 and later. Since I’m not an “Office” person, I’ll focus on the Windows side of things. But if you’re curious about Office 2013, look here:

In order to activate client operating systems, it requires a count of 25 or server operating systems require a count of 5. These can be any combination of client or server operating systems. By count, we mean that this number of unique KMS clients had to have contacted the KMS host prior to the KMS host activating all KMS clients. Activation lasts for 180 days and attempts to renew with the KMS host every 7 days by default.


To setup the KMS host, we use the command line interface slmgr.vbs to install the KMS host key. The KMS host can be cohosted on a VM or physical server of standalone by itself. You can have one or many. If DDNS is enabled, the KMS host automatically creates an SRV record in DNS so that KMS clients can locate a KMS host and activate against it. Here’s a demo that shows how to do this:

Easy enough.


Very little has changed for Windows 8 and Windows Server 2012. However, we added a GUI. Prior to Windows 8 and Windows Server 2012.  For those of you that have KMS hosts setup to support earlier versions of the operating system, you can still use these to activate Windows 8 and Windows Server 2008 R2 as long as the KMS host is running on a Windows 2008 R2 or later operating system. It does require installing an update mentioned in the following article:


Afterwards, you then need to install the Windows Server 2012 volume license key and activate it.  This key will activate Windows Server 2012, Windows 8, and client and server operating systems all the way down to Windows Vista and Windows Server 2008.


Now for the new stuff.


Active Directory-Based Activation

With Windows 8 and Windows Server 2012, we also introduced something better.

It is called Active Directory-Based Activation.


It only works with Windows 8, Windows Server 2012, and later and it is forest wide . So for Windows 7/2008 R2 and earlier, you’ll still need to maintain those old KMS hosts.


You do not need to have your forest and functional levels at 2012, but you must have updated the schema to support these operating systems using ADPREP. ADPREP is still located on the Windows media if you plan on running it from one of the existing DCs in the environment.


1) If you haven’t already done so, run ADPREP from the Windows Server 2012 media to update the schema to support Active Directory-Based Activation.

Note : Make sure you be cognizant and cautious as with any schema update.


2) On a Windows Server 2012 machine, install the Volume Activation Services Role



3) After the role has installed, from Server Manager, select Tools, and then select Volume Activation Tools.


4) In the wizard, Active Directory-Based Activation



5) Enter your KMS host volume license key for Windows Server 2012. You’ll forgive me for not showing my right? :)



You can optionally choose to enter a display name for the AD object you will be creating.

By default, the name is by default the Activation Object is named Windows® Operating System, Volume_KMS_Channel. I chose to entire in a unique object name for my demo.


6) Complete the wizard, but make sure to read the dialog. There’s a trick one at the end.



Click close on the Activation Succeeded window instead of Next. Last thing you want to do is delete the AD object you just created (although it does have a safety precaution of requiring you to check the box).


7) The volume license key must be activated before the domain and clients can be activated. You can do this from the GUI or from the old slmgr.vbs command line.



From here on, all volume licensed versions of Windows 8 and Windows Server 2012 will be activated as soon as they join the domain.


Once you’re activated, if you run slmgr.vbs –dlv, you’ll see the following:



The Application Event log will show the activation event:



Using ADSI, you can view the AD object.


Multiple activations can be listed here. If you have both client and server SKUs, you'll have two activation objects. As long as the server object is available, the client can be safely deleted as the server object will activate both clients and servers.


These objects can be manually deleted using ADSI, but the preferred method is to use Volume Activation Tools.


To do so, go back into the same wizard and select the radio button to Skip to Configuration.



Simply check the Delete checkbox and click on Commit.




Other Details

Activations still last for 180 days.  When a re-activation event, the client will query AD for the Activation Object. Since AD-Based Activation uses AD, we use LDAP instead of the RPC 1688 tcp port used with KMS.


In the event that the Active Directory object is unreachable, clients will attempt to use the next available activation method which is the KMS activation method. This means if the AD object is unreachable, the client will go check DNS for an SRV record for a KMS host.


If you unjoin a client from the domain, activation will fail on the next license evaluation. This typically occurs when a system is rebooted or the Software Protection Service is restarted. Side note: Don’t disable this service. I’ve seen too many instances of that. It leads to wonky behavior.




Charity “AD Activation Makes Activation Even Easier” Shelbourne


Senior Member
Hello, If two departments, financially independant, share the same forest with two distinct domains, is there a way to have Active Directory based activation and avoid that one department is using the activation threshold from the other department?
Occasional Visitor


Peut-on installer le service ADBA dans un sous-domaine (par exemple subdomain1.maforet.local)  d'une foret sans craindre "d'effets indésirables" (activation inter-domaine par exemple) sur les autres domaines de la foret?

(Serveur en 2019 - DC en 2012r2 - version du schema 2019)






Merci de vos retours.

New Contributor

slmgr.vbs –dlv  should be  slmgr.vbs /dlv otherwise you get errors with the report, please update documentation.

Also the part about "remove the AD object you just created" instruction is unclear, please elaborate. All I am finding in my AD after following these steps is the "CN=Activation Object" clearly I don't want to delete this object, or do I? < See it's confusing.


Occasional Visitor



When I add my Window 10 Activation key on VAT, it's shown like this below error.Untitled.png

Occasional Visitor

Two questions on the article.


I just realized we have two servers with the Active Directory Deployment/VA Services installed.  Is that an issue?  (We spun up a new 2019 server not realizing we had already switched from KMS to AD).


We have our 2019 KMS Key installed.  Am I correct that Windows 10 will be activated by that key as well?

Version history
Last update:
‎Feb 10 2020 03:17 PM
Updated by: