Configure KMS in an untrusted forest or workgroup
Sometimes you may come across a scenario where you want to use Windows KMS service to activate clients in a workgroup or in an untrusted forest. This could be a test / Dev environment where you have setup a new test forest and want to use the production KMS setup for activating clients in the test forest rather than installing a new KMS instance in test forest.
In this article we will look at configuring KMS service for an untrusted forest and for clients in a workgroup. This process doesn’t require any changes on the existing KMS server configuration, all changes we need to make are either in the target forest or on the workgroup clients.
In case you are new to KMS, you can refer to this TechNet article to know more about KMS - https://technet.microsoft.com/en-us/library/ff793434.aspx
Before we look into the steps to configure KMS in a different forest or workgroup, lets looks at some important KMS concepts:
KMS Activation
KMS activation requires TCP/IP connectivity. By default, KMS hosts and client computers use DNS to publish and find the KMS service. The default settings can be used, which require little to no administrative action, or KMS hosts and client computers can be manually configured based on network configuration and security requirements. So as mentioned when you install the KMS server in an AD domain, it publishes its SRV record in the Active Directory forest and no manual configuration is needed. As long as clients have KMS keys installed they will discover KMS service in the domain and get activated. If DNS dynamic update is not available or the KMS host does not have rights to publish the RRs, the DNS records must be published manually, or you must configure client computers to connect to specific KMS hosts.
NOTE: In this scenario, as we are configuring clients in a different forest we need to manually configure the clients to point to the KMS server. This can be done either by configuring the KMS server on each of the client using Slmgr.vbs command or creating a SRV record for KMS service in the test forest. Obviously we need the KMS port opened between the client and the KMS server ( default 1688 or any other custom port configured for KMS in your environment .
Client Discovery of the KMS Service
By default, KMS clients query DNS for KMS service information. The first time a KMS client queries DNS for KMS service information, it randomly chooses a KMS host from the list of SRV RRs that DNS returns.
KMS Activation Renewal
KMS activations are valid for 180 days—the activation validity interval. To remain activated, KMS client computers must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every seven days. If KMS activation fails , the client will retry every two hours. After a client computer’s activation is renewed, the activation validity interval begins again.
- Configure clients in a Workgroup : Use this option if you want to activate clients in a workgroup and you have handful of clients to activate. You can run these commands manually or can create a batch file if you have more clients to configure.
Use slmgr.vbs /skms command to configure the KMS server FQDN / IP address on each of the clients.
( Run these commands from elevated command prompt )
slmgr.vbs /skms <KMS server>:<port>
User slmgr.vbs /ato command to manually activate the client
slmgr.vbs /ato
Note : By default clients running Volume license edition of Windows are KMS clients and you don't need to install the KMS client key. If you have MAK or retail edition of Windows client, you can convert that to a KMS client by installing the GVLK key using command slbhr.vbs /ipk as shown above. More details here - https://technet.microsoft.com/en-us/library/jj612867.aspx
2. Creating SRV record for the KMS host in an untrusted forest
Another option is to create an SRV resource record for the KMS service in untrusted forest that points to KMS server in a different forest.
Using DNS Manager, in the appropriate forwarding lookup zone, create a new SRV RR using the appropriate information for the location. By default, KMS listens on TCP port 1688, and the service is _VLMCS. Table below contains example settings for a SRV RR.
Table . SRV Resource Record
Name |
Setting |
Service |
_VLMCS |
Protocol |
_TCP |
Port number |
1688 |
Host offering the service |
Fully qualified domain name (FQDN) of the KMS host |
NOTE: As you are creating this SRV record in a different forest, you first need to create an A record that points to the KMS server. Once the A record is created you can configure the SRV record.
Once the SRV RR is configured, KMS clients will discover the KMS service using DNS and will send request for activation to the KMS server.