다음을 통해 공유


Deploying KMS Activation

On This Page

Configuring KMS Hosts
Configuring DNS
Installing KMS Hosts
Configuring KMS Clients

KMS activation works with minimal administrative intervention. If the network environment has Dynamic Domain Name System (DDNS) and allows computers to publish services automatically, deploying a KMS host can require very little effort. If the organization has more than one KMS host or the network does not support DDNS , additional configuration tasks may be necessary.

Warning   Some procedures in this section require changing the registry. Problems can occur if the registry is modified incorrectly by using Registry Editor or another method, and these problems might require reinstalling the operating system. Microsoft cannot guarantee that these problems can be resolved. You modify the registry at your own risk.

The remainder of this section describes the following key tasks:

  • Configuring KMS hosts

  • Configuring DNS

  • Installing KMS hosts

  • Configuring KMS clients

Configuring KMS Hosts

Software License Manager, sometimes referred to as SL Manager (Slmgr.vbs), is a script used to configure and retrieve Volume Activation information. The script can be run locally on the target computer or remotely from another computer, but it should be run from an elevated command prompt. If a standard user runs Slmgr.vbs, some license data may be missing or incorrect, and many operations are prohibited.

Slmgr.vbs can use Wscript.exe or Cscript.exe, and you can specify which script engine to use. If no script engine is specified, Slmgr.vbs runs using the default script engine, Wscript.exe.

Note   KMS requires a firewall exception on the KMS host. If using the default TCP port, enable the KMS Traffic exception in Windows Firewall. If using a different firewall, open TCP port 1688. If using a non-default port, open the custom TCP port in the firewall.

The Software Licensing Service must be restarted for any changes to take effect. To restart the Software Licensing Service, use the Microsoft Management Console (MMC) Services snap-in, or run the following command at an elevated command prompt:

net stop sppsvc && net start sppsvc

Slmgr.vbs requires at least one parameter. If the script is run with no parameters, it displays help information. Table 3 lists Slmgr.vbs command-line options along with a description of each. Most of the parameters in Table 3 configure the KMS host. However, the parameters /sai and /sri are passed to KMS clients after they make contact with the host. The general syntax of Slmgr.vbs is as follows:

slmgr.vbs /parameter

Table 3. Slmgr.vbs Parameters

Parameter

Description

/sprt PortNumber

Sets the TCP communications port on a KMS host. Replace PortNumber with the TCP port number to use. The default setting is 1688.

/cdns

Disables automatic DNS publishing by a KMS host.

/sdns

Enables automatic DNS publishing by the KMS host.

/cpri

Lowers the priority of KMS host processes.

/spri

Sets the priority of KMS host processes to Normal.

/sai ActivationInterval

Changes how often a KMS client attempts to activate itself when it cannot find a KMS host. Replace ActivationInterval with a number of minutes. The default setting is 120.

/sri RenewalInterval

Changes how often a KMS client attempts to renew its activation by contacting a KMS host. Replace RenewalInterval with a number of minutes. The default setting is 10080 (7 days). This setting overrides the local KMS client settings.

/dli

Retrieves the current KMS activation count from the KMS host.

Running Slmgr.vbs Remotely

To run Slmgr.vbs remotely, administrators must supply additional parameters. They must include the computer name of the target computer as well as a user name and password of a user account that has local administrator rights on the target computer. If run remotely without a specified user name and password, the script uses the credentials of the user running the script.

The following syntax shows the additional parameters needed to run Slmgr.vbs remotely:

slmgr.vbs TargetComputerName [username] [password] /parameter [options]

Configuring Windows Firewall for Remote Software License Manager Operations

Slmgr.vbs uses Windows Management Instrumentation (WMI), so administrators must configure Windows Firewall to allow WMI traffic:

  • For a single subnet, allow the Windows Management Instrumentation (WMI) exception in Windows Firewall.

  • To allow WMI traffic across multiple subnets, allow the connection for Windows Management Instrumentation (ASync-In), Windows Management Instrumentation (DCOM-In), and Windows Management Instrumentation (WMI-In). Additionally, allow remote access in the scope. Configure these settings by using Windows Firewall with Advanced Security, which is the Administrative Tools folder.

Note   By default, Windows Firewall exceptions in the Private and Public profiles only apply exceptions to traffic originating on the local subnet. To expand the exception so that it applies to multiple subnets, change the exception settings in Windows Firewall with Advanced Security or, if joined to an AD DS domain , choose the Domain profile.

Remote Operations Targeting Workgroup Computers

Administrators can allow Slmgr.vbs to run remotely against computers that belong to a workgroup. To do so, create the DWORD value LocalAccountTokenFilterPolicy in registry subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System on KMS clients. Set this value to 0x01.

Configuring DNS

The following sections describe concepts for configuring DNS to work with Volume Activation:

  • If more than one KMS host is used, see the section, “Changing the Default DNS Permissions for SRV Records.”

  • To enable KMS clients using different DNS servers to find KMS hosts, see the section, “Publishing to Multiple DNS Domains.”

  • To manually add SRV resource records for KMS hosts, see the sections, “Manually Creating SRV Records in DNS,” “Manually Creating SRV Records in a BIND 8.2 or Higher DNS Server,” and “Disabling Publishing of KMS SRV Records to DNS.”

Note   DNS changes may not be reflected until all DNS servers have been replicated.

Changing the Default DNS Permissions for SRV Records

If you are using only one KMS host, you might not need to configure permissions in DNS. The default behavior is to allow a computer to create an SRV RR, and then update it. However, if you have more than one KMS host (the usual case), the other hosts will be unable to update the SRV RR unless SRV default permissions are changed.

The following high-level procedure is an example from Microsoft’s own environment. It does not give detailed steps, which might be different from one organization to another, and it is not the only way to achieve the desired result:

  1. Create a global security group in AD DS that will be used for your KMS hosts. An example is Key Management Service Group.

  2. Add each of your KMS hosts to this group. They must all be joined to the same domain.

  3. Once the first KMS host is created, it will create the original SRV record. If the first KMS host is unable to create the SRV resource record, it may be because your organization has changed the default permissions. In this case, manually create the SRV RR as the section, “Manually Create SRV Records in DNS,” describes.

  4. Set the permissions for the SRV group to allow updates by members of the Global Security group.

Note   A domain administrator can delegate the ability to carry out the preceding steps to administrators in the organization. To do so, create a security group in AD DS, give that group permission to change the SRV records, and then add the delegates.

Publishing to Multiple DNS Domains

By default, the KMS host is registered only in the DNS domain to which the host belongs. If the network environment has only one DNS domain, no further action is required.

If there is more than one DNS domain name, you can create a list of DNS domains for a KMS host to use when publishing its SRV RR. Setting this registry value suspends the KMS host’s default behavior of publishing only in the domain specified as the Primary DNS Suffix.

Optionally, add priority and weight parameters to the DnsDomainPublishList registry value for KMS. This feature enables you to establish KMS host priority groupings and weighting within each group to define which KMS host to try first and balance traffic among multiple KMS hosts.

Note   DNS changes might not be reflected until all DNS servers have been replicated. Changes made too frequently (time < replication time) can leave older records if the change is performed on a server that has not been replicated.

To automatically publish KMS in multiple DNS domains, add each DNS domain suffix to whichever KMS should publish to the multi-string registry value DnsDomainPublishList in registry subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform. After changing the value , restart the Software Licensing Service to create the SRV RRs.

Note   This key has changed from the Windows Vista location of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SL.

After configuring a KMS host to publish to multiple domains, export the registry subkey, and then import it in to the registry on additional KMS hosts. To verify that this procedure was successful, check the Application event log on each KMS host. Event ID 12294 indicates that the KMS host successfully created the SRV RRs. Event ID 12293 indicates that the attempt to create the SRV RRs was unsuccessful. For a complete list of error codes, see the Volume Activation 2.0 Operations Guide at https://technet.microsoft.com/en-us/library/cc303695.aspx.

Manually Creating SRV Records in DNS

If the environment does not support DDNS, the SRV RRs must be manually created to publish the KMS host. Environments that do not support DDNS should disable publishing on all KMS hosts to prevent event logs from collecting failed DNS publishing events. To disable auto-publishing, use the Slmgr.vbs script with the /cdns command-line option. See the section, “Configuring KMS Hosts,” for more information about the Slmgr.vbs script.

Note   Manually created SRV RRs can coexist with SRV RRs that KMS hosts automatically publish in other domains as long as all records are maintained to prevent conflicts.

Using DNS Manager, in the appropriate forwarding lookup zone, create a new SRV RR using the appropriate information for the location. By default, KMS listens on TCP port 1688, and the service is _VLMCS. Table 4 contains example settings for a SRV RR.

Table 4. SRV Resource Record

Name

Setting

Service

_VLMCS

Protocol

_TCP

Port number

1688

Host offering the service

Fully qualified domain name (FQDN) of the KMS host

Manually Creating SRV Records in a BIND 8.2 or Higher DNS Server

If the organization uses a non-Microsoft DNS server, the needed SRV RRs can be created as long as the DNS server is compliant with BIND 8.2 or later. When creating the record, include the information shown in Table 5. The Priority and Weight settings shown in Table 5 are only used by Windows 7 and Windows Server 2008 R2.

Table 5. SRV RR Information

Name

Setting

Name

_vlmcs._tcp

Type

SRV

Priority

0

Weight

0

Port

1688

Hostname

FQDN of the KMS host

To configure a BIND 8.2 or later DNS server to support KMS auto-publishing, configure the BIND server to enable RR updates from KMS hosts. For example , add the following line to the zone definition in named.conf:

allow-update { any; };

Note   You can also add an allow-update statement in named.conf.options to allow DDNS for all zones hosted on this server.

Disabling Publishing of KMS SRV Records to DNS

KMS hosts automatically publish their existence by creating SRV RRs in DNS. To disable automatic DNS publishing by a KMS host, use the Slmgr.vbs script with the /cdns command-line option.

Using the Slmgr.vbs script to disable automatic DNS publishing is preferred, but you can also perform this task by creating a new DWORD value called DisableDnsPublishing in the registry and setting its value to 1. This value is in registry subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform. To re-enable the default behavior for publishing of KMS SRV records to DNS, set the value to 0.

Installing KMS Hosts

To enable KMS functionality, a KMS key is installed on a KMS host; then, the host is activated over the Internet or by phone using Microsoft’s activation services. Computers running Windows 7 or Windows Server 2008 R2 can both serve as KMS hosts.

Windows Vista, Windows Server 2003, and Windows Server 2008 can also serve as KMS hosts. The KMS clients that a KMS host can activate depends on the host key used to activate the KMS host. For more information about KMS host keys, see the Volume Activation 2.0 Planning Guide at https://technet.microsoft.com/en-us/library/cc303276.aspx.

Install and activate a KMS key on a Windows 7 or Windows Server 2008 R2 computer by using an elevated command prompt:

  • To install a KMS key, type slmgr.vbs /ipk KmsKey at a command prompt.

  • To active online, type slmgr.vbs /ato at a command prompt.

  • To activate by using the telephone, type slui.exe 4 at a command prompt.

After activating the KMS key, restart the Software Licensing Service.

Windows 7 and Windows Server 2008 R2 display the warning shown in Figure 2 any time you install a KMS host key using the user interface (UI). (Users will not see this warning if they install a KMS host key by using the Slmgr.vbs script.) This message prevents accidentally installing a KMS key on computers that administrators do not intend to be KMS hosts.

The KMS key warning

Figure 2. The KMS key warning

To verify that the KMS host is configured correctly, check the KMS count to see whether it is increasing. In the Command Prompt window on the KMS host , type slmgr.vbs /dli to display the current KMS count. You can also check the Key Management Service log in the Applications and Services Logs folder for event ID 12290. The Key Management Service log records activation requests from KMS clients. Each event displays the name of the computer and the time stamp of each activation request.

Configuring KMS Clients

This section describes concepts for installing and configuring computers as KMS clients. By default, Volume Licensing editions of Windows Vista, Windows 7 , Windows Server 2008, and Windows Server 2008 R2 are KMS clients. If the computers the organization wants to activate using KMS are using any of these operating systems and the network allows DNS auto-discovery, no further configuration is needed.

If a KMS client is configured to search for a KMS host using DNS but does not receive SRV records from DNS, Windows 7 and Windows Server 2008 R2 log the error in the event log.

Manually Specifying a KMS Host

You can manually assign a KMS host to KMS clients by using KMS host caching. Manually assigning a KMS host disables auto-discovery of KMS on the KMS client. Manually assign a KMS host to a KMS client by running:

slmgr.vbs /skms <value>:<port>

where value is either the KMS_FQDN, *IPv4Address, *or NetbiosName of the KMS host and port is the TCP port on the KMS host.

Enabling Auto-discovery for a KMS Client

By default, KMS clients automatically attempt to discover KMS hosts. You can disable auto-discovery by manually assigning a KMS host to a KMS client. This action also clears the KMS host name from the KMS client’s cache. If auto-discovery is disabled, you can re-enable it by running slmgr.vbs /ckms at a command prompt.

Adding Suffixed Entries to KMS Clients

By adding the address of a DNS server containing the SRV RR as a suffixed entry on KMS clients, you can advertise KMS hosts on one DNS server and allow KMS clients with other primary DNS servers to find it. For more information about configuring a domain suffix search list on KMS clients, see the Microsoft Help and Support article, “How to configure a domain suffix search list on the Domain Name System clients,” at https://support.microsoft.com/kb/275553.

Deploying KMS Clients

The information in this section is for Volume Licensing customers using the Windows Automated Installation Kit (Windows AIK) to deploy and activate a Windows operating system. Prepare KMS clients for deployment by using the System Preparation Tool (Sysprep) or the Slmgr.vbs script:

  • Sysprep. Before capturing an image, run Sysprep with the /generalize command-line option to reset the activation timer, security identifier (SID), and other important settings. Resetting the activation timer prevents the image’s grace period from expiring before the image is deployed. Running Sysprep.exe does not remove the installed product key, and you are not prompted for a new key during mini-setup. If no rearms are left, the Sysprep operation finishes, but the activation timers are not changed and an error is returned that explains the situation.

  • Slmgr.vbs. When building demo virtual machines for internal use (for example, building virtual machines for the organization’s sales department or to set up a temporary training environment), running the Slmgr.vbs script with the /rearm command-line option extends the grace period another 30 days, which in turn resets the activation timer but makes no other changes to the computer. The activation timer can be reset three times for computers running Windows 7 or Windows Server 2008 R2.

Manually Activating a KMS Client

By default, KMS clients automatically attempt to activate themselves at preset intervals. To manually activate KMS clients (for example, disconnected clients) before distributing them to users, use the Control Panel System item, or run slmgr.vbs /ato at an elevated command prompt. The Slmgr.vbs script reports activation success or failure and provides a result code. To perform activation, the KMS client must have access to a KMS host on the organization’s network.

Converting MAK Clients to KMS and KMS Clients to MAK

By default, Windows 7 and Windows Server 2008 R2 operating systems use KMS for activation. To change existing KMS clients to Multiple Access Key (MAK) clients , simply install a MAK. Similarly, to change MAK clients to KMS clients, run:

slmgr.vbs /ipk <KmsSetupKey>

where KmsSetupKey is one of the setup keys shown in Table 6. After installing the KMS setup key, activate the KMS client by running cscript slmgr.vbs /ato.

Table 6. KMS Client Setup Keys

Operating system edition

Product key

Windows 7

Windows 7 Professional

FJ82H-XT6CR-J8D7P-XQJJ2-GPDD4

Windows 7 Professional N

MRPKT-YTG23-K7D7T-X2JMM-QY7MG

Windows 7 Enterprise

33PXH-7Y6KF-2VJC9-XBBR8-HVTHH

Windows 7 Enterprise N

YDRBP-3D83W-TY26F-D46B2-XCKRJ

Windows Server 2008 R2

Windows Server 2008 R2 HPC Edition

FKJQ8-TMCVP-FRMR7-4WR42-3JCD7

Windows Server 2008 R2 Datacenter

74YFP-3QFB3-KQT8W-PMXWJ-7M648

Windows Server 2008 R2 Enterprise

489J6-VHDMP-X63PK-3K798-CPX3Y

Windows Server 2008 R2 for Itanium-Based Systems

GT63C-RJFQ3-4GMB6-BRFB9-CB83V

Windows Server 2008 R2 Standard

YC6KT-GKW9T-YTKYR-T4X34-R7VHC

Windows Web Server 2008 R2

6TPJF-RBVHG-WBW2R-86QPH-6RTM4

Converting Retail Editions to Volume Activation

Retail editions of Windows 7 Professional and Windows Server 2008 R2 can be converted to KMS clients, provided that the organization has acquired the appropriate volume licenses and conforms to the Product Use Rights. To convert Windows 7 Professional and all editions of Windows Server 2008 R2 from retail to a KMS client , skip the Product Key page during operating system installation. When installation is complete, open an elevated Command Prompt window and type:

Slmgr.vbs /ipk <SetupKey>

where SetupKey is the KMS client setup key from Table 6 that corresponds to the edition of Windows 7 or Windows Server 2008 R2.