Using Key Management Services (KMS) Across Domains


In some environments it may be necessary to implement Key Management Services (KMS) activation across domains. An example of this can be illustrated by the requirements of a recent project that I was working on.

The customer in question is in the process of consolidating a number of legacy domains into a new pristine AD domain - trust relationships exist between the domains. This migration will take a considerable amount of time given both the size of the customer's infrastructure and the requirement to consolidate / migrate complex back office systems and applications.

Concurrently, a large scale Vista deployment project is also underway aimed at base-lining the client infrastructure on a common desktop. Where possible and for the most part newly deployed Vista clients are being deployed into the new domain however, due to reliance on and access to critical back office applications which still reside in the legacy domains, there is also a requirement to redeploy some Vista clients back to their legacy domains.

Bearing these requirements in mind, it was still desirable to configure a single domain for KMS activation - preferably the new domain - given that over time the legacy domains will be decommissioned. Thus configuring KMS activation across domains becomes the logical choice.

Network considerations - by default the client computers connect to the KMS host for activation using anonymous Remote Procedure Calls over TCP, using TCP port 1688. So you will need to ensure that this port is opened in the firewall configurations between the remote sites. Note - this port number can be changed.

DNS SRV records - by default and when dynamic DNS (DDNS) is supported in the environment,  KMS hosts automatically publish their existence by creating service (SRV) resource records in the DNS server and only the DNS domain that the KMS host belongs to is registered in an SRV record.

So if you have only one DNS domain in your network environment, no further action is required.

But if you have more than one DNS domain name, as it is with this customer's legacy domains, you can create a list of DNS domains for a KMS host to use when publishing its SRV record.  This can be done by setting a specific registry value on the KMS host -

  1. Log on to a KMS host.
  2. Open an elevated command prompt. To do this, click Start , click All Programs , click Accessories , right-click Command Prompt , and then click Run as administrator.
  3. At the command prompt, type Regedit.exe and then press Enter.
  4. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SL.
  5. In the tree pane, click SL. Right-click in the details pane, point to New, and then click Multi-String Value.
  6. Type DnsDomainPublishList as the name for the new value, and then press Enter.
  7. Right-click the new DnsDomainPublishList value, and then click Modify.
  8. In the Edit Multi-String dialog box, type each DNS domain suffix that KMS should publish to on a separate line. When you are finished, click OK.
  9. Restart the Software Licensing Service using the Service application. The SRV records are then created.

However, if DDNS is not supported in the different DNS environments, or if you want to have a manual control of the KMS publishing, an administrator can also create manually the SRV record that publishes the availability of a KMS host. Manually created SRV records can coexist with SRV records that are auto-published by KMS hosts in other domains as long as all records are maintained to prevent conflicts. Here is the procedure in order to create the SRV record in the legacy DNS domains that publishes the availability of a remote KMS host -

  1. On the DNS server, open DNS Manager. To open DNS Manager, click Start, click Administrative Tools, and then click DNS.
  2. Click the DNS server on which you need to create the SRV resource record.
  3. In the console tree, expand Forward Lookup Zones, right-click the domain, and then click Other New Records.
  4. Scroll down the list, click Service Location (SRV), and then click Create Record.
  5. Type the following information:
    1. Service: _VLMCS
    2. Protocol: _TCP
    3. Port number: 1688
    4. Host offering the service:<FQDN_of_KMS_Host>
  6. When you are finished, click OK, and then click Done.
Comments (8)
  1. Anonymous says:

    No “SL” registry entry and no “service licensing service” on my 2008 R2 box.

  2. Anonymous says:

    In my 2012 kms box I made those changes in HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionSoftwareProtectionPlatformDnsDomainPublishList

  3. Blog Management Services says:

    very nice and Informative thanks for sharing

    <a href="frequenweb.com/blog-management.html">Blog Management Services</a>

  4. blog management servies says:

    DNS SRV record in that explained was marvelous. Thanks for given a awesome information to  <a href="http://www.frequenweb.com/">blog management services</a>    .

  5. YoloHead says:

    Same here, i do not have a SL Key in my registry or a Software Licensing Service under services. Any suggestions? This is a Win2k8 R2 Box.

  6. Anonymous says:

    Using Key Management Services (KMS) Across Domains – mcs.ireland.blog/infrastructure – Site Home – TechNet Blogs

  7. Rashid Amin says:

    I had to do the same as Ozz. lol

Comments are closed.

Skip to main content