The Microsoft Key Management Server (KMS) is part of the Microsoft Volume Activation 2.0 solution managing Windows OS activation keys and performs activation for supported clients automatically. Starting with Windows Server 2008 & Windows Vista, Microsoft switched to an online activation system where every Windows OS requires activation. KMS shifts the activation requirement to a single machine which is activated with a special KMS Host (server) key. Every KMS supported Windows version automatically communicates with the KMS server to activate Windows and manage the activation key (configuring the Windows OS with a KMS key forces it to find a KMS Host and get activation from it).
KMS supported clients include Windows Server 2008, Windows Server 2008 R2, Windows Vista, & Windows 7.
The KMS client discovers the KMS server by performing a DNS query for the KMS SRV record in DNS.
DNS: Standard query SRV _vlmcs._tcp.adsecurity.org
DNS: standard query response SRV 0 100 1688 kms.adsecurity.org (addr 10.10.10.11)
The DNS query response includes the KMS server hostname and port number (1688).
The KMS client then initializes a connection to port 1688 on the KMS server.
By default, a Windows installation’s license is configured with a grace period of 30 days plus 2 “rearms” (slmgr.vbs /rearm) for a total of 90 days to activate. Once activated by KMS, the KMS client communicates with the KMS server every 7 days to renew its activation as well as resetting the license counter to 0.
If the Windows license isn’t re-activated by a KMS server within 180 days (6 months), it shifts into a 30 day grace period after which it enters reduced functionality mode (retail only) or notification mode (where the user is notified regularly to re-activate) and continues to attempt a KMS connection every 2 hours until activated.
- KMS doesn’t activate Windows workstations until at least 25 different Windows workstations have connected to KMS.
- Also, KMS doesn’t activate Windows servers until at least 5 different Windows servers have connected to KMS.
- Running slmgr.vbs /dli on the KMS Host provides the KMS activation count (a count of -1 means no clients have been activated).
- Microsoft Office products are activated with a special KMS version & license key specific to Office.
- Apparently the KMS Host in Windows 2008 prior to SP2 (and Windows 2008 R2) didn’t update the activated client count when activating virtual machines. Windows 2008 SP2 (and later) now updates the KMS count regardless of machine type, virtual or physical.
KMS Server Installation
Installing the KMS Host (Server) on a machine is simply a product key that gets activated on the computer which initializes the Software Protection Service to listen on port 1688 for license activation requests. A multi-purpose enterprise server is the best candidate for KMS Host since the service is relatively lightweight. I don’t recommend configuring a Domain Controller as the KMS Server since a DC should only be providing Active Directory services (and DNS in most cases). This mitigates additional impact should a DC be taken down or reinstalled. The KMS Server can be installed on the same server as the DFS root name server and can also be virtualized (which may be ideal since High Availability can be easily enabled using VMWare HA).
A single KMS Server can handle the load of a large enterprise and it is not likely necessary to install a second (or more) KMS Server. Many organizations choose to install 2 KMS Hosts to ensure license activations continue with the loss of a single server. However, going through the KMS Host activation process on an isolated network (not directly connected to the internet) is a time-consuming process. For this reason, it is recommended to use a server for KMS that can be easily restored from backup without affecting other services (this way the KMS Host key is restored on the same hardware).
Installing a KMS sever on the network is relatively straight forward.
- Identify a server on the network and install the appropriate KMS key by running slmgr.vbs /ipk <KmsKey> a Windows 2008 R2 server.
- Activate the KMS key on the KMS host by running slmgr.vbs /ato to activate online or run slui.exe 4 to activate by phone (for networks not connected to the internet).
- Restart the Software Protection Service by running restart-service sppsvc in an elevated PowerShell console (or net stop sppsvc && net start sppsvc if PowerShell is unavailable).
- Run slmgr.vbs /dli to get the KMS activated client count.
KMS Host installation performs a dynamic DNS update for a new SRV record (_VLMCS._TCP ) on port 1688. If the DNS server does not support dynamic DNS, the SRV record has to be manually created.
KMS SRV record:
Priority: 10 (default is 0)
Weight: 0 (default is 0)
Host offering the service: kms.adsecurity.org.
(enter FQDN with trailing “.”)
When configuring a second KMS server on the network, it is necessary to manually create the 2nd KMS SRV record in DNS. This is due to the original KMS sever owning the KMS SRV record that it dynamically created in DNS. Since the original KMS server owns the KMS SRV record, no other computer can update it. This is also why when replacing a KMS server, the new KMS server can’t update the existing KMS SRV DNS record.
KMS automatic DNS publishing can be disabled by running Slmgr.vbs /cdns.
The KMS Server only creates a KMS SRV record for its domain (Primary DNS Suffix). In order to configure the KMS Server to publish its KMS SRV DNS record to multiple domains:
To automatically publish KMS in multiple DNS domains, add each DNS domain suffix to whichever KMS should publish to the multi-string registry value DnsDomainPublishList in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform. After changing the value, restart the Software Licensing Service to create the SRV RRs.
KMS Host Key Types
The KMS Host key is directly related to the highest level OS used on the network, and there is a different KMS key series for Windows 2008 versus Windows 2008 R2.
A KMS key is used to activate only the KMS host with a Microsoft activation server. A KMS key can activate up to six KMS hosts with 10 activations per host. Each host can activate an unlimited number of computers. If you need to activate more than six KMS hosts, contact your Volume Licensing Service Center (http://go.microsoft.com/fwlink/p/?LinkId=184280), and state why you must increase the activation limit.
Windows Server 2008 R2 Standard edition is currently the highest product being deployed in the product grouping hierarchy (with Windows Server 2008 being below it and unable to activate Windows 2008 R2 servers). The associated KMS key for that product is the Windows Server 2008R2 _____ KMS _ key (where _________ is the Server edition type and _ is “A”, “B”, or “C” ).
- KMS C Key: Server Group C for Windows Server 2008 R2 (Editions: Datacenter & Itanium-based systems)
- KMS B Key: Server Group B for Windows Server 2008 R2 (Editions: Standard & Enterprise)
- KMS A Key: Server Group A for Windows Server 2008 R2 (Editions: Web Server & HPC Server)
- Win 7 KMS Key: Client VL for Windows 7 (Editions: Professional & Enterprise)
The KMS license groups are configured so that a KMS key can activate all products in its group as well as all groups below it.
- Server Group C can activate Groups C, B, A, and Client VL
- Server Group B can activate Groups, B, A, and Client VL
- Server Group A can activate Group A, and Client VL
KMS Client Configuration
On the client, run cscript slmgr.vbs –dlv to get the current Windows OS license status. By default, a KMS Client performs a DNS SRV query to locate a KMS server. If auto-discovery is disabled, run slmgr.vbs /ckms to re-enable. Activated clients need to communicate within 180 days (6 months) after which they enter a grace period.
Change a client’s activation key to a KMS client key by running slmgr.vbs /ipk <KmsSetupKey> and activate by running cscript slmgr.vbs /ato.
A DNS query for the SRV record identifies the KMS Server on a network:
nslookup -type=srv _vlmcs._tcp.adsecurity.org
(where adsecurity.org is the domain name)
KMS Client Setup Keys
|Windows 7 Professional
|Windows 7 Professional N
|Windows 7 Enterprise
|Windows 7 Enterprise N
|Windows 7 Enterprise E
|Windows Server 2008 R2
|Windows Server 2008 R2 HPC Edition
|Windows Server 2008 R2 Datacenter
|Windows Server 2008 R2 Enterprise
|Windows Server 2008 R2 for Itanium-Based Systems
|Windows Server 2008 R2 Standard
|Windows Web Server 2008 R2
||Sets the TCP communications port on a KMS host. Replace PortNumber with the TCP port number to use. The default setting is 1688.
||Disables automatic DNS publishing by a KMS host.
||Enables automatic DNS publishing by the KMS host.
||Lowers the priority of KMS host processes.
||Sets the priority of KMS host processes to Normal.
||Changes how often a KMS client attempts to activate itself when it cannot find a KMS host. Replace ActivationInterval with a number of minutes. The default setting is 120.
||Changes how often a KMS client attempts to renew its activation by contacting a KMS host. Replace RenewalInterval with a number of minutes. The default setting is 10080 (7 days). This setting overrides the local KMS client settings.
||Retrieves the current KMS activation count from the KMS host
Slmgr.vbs can be rum against a remote computer by using these additional parameters (omit username and password to use current credentials):
slmgr.vbs TargetComputerName [username] [password] /parameter [options]
KMS Part 2