How to use KMS server across Active Directory Forests

Recently I made a slight career change and with it came a small challenge. We were given 2 Active Directory Forests: one was actively being used and the other one had very few users, but was going to get much larger very quickly. People were also deploying Windows 7, Windows 2008 R2 and Office 2010. All of these products can use KMS license keys, which basically means you have one Key Management Service server in your organization to which all Windows and other Microsoft products connect periodically to validate their license. That server must itself be activated against Microsoft over the Internet with a KMS host key, after which it answers activation requests as a KMS host server. Enough with the background, you can read more about deploying a KMS server here.

Now back to the problem at hand. Since the 2 organizations to whom the 2 forests belonged had pretty loose security requirements, we wanted to save ourselves the hassle of creating and managing a second KMS server and just use the one we already had. KMS is also not very restrictive when it comes to accepting activation requests: the host does not authenticate clients, so any machine that can resolve its name and reach TCP port 1688 on it can activate against it.

KMS clients have 2 ways to determine where the KMS service is located (I will use contoso.com as the “main” forest for this example):

  • Specify it manually using the built-in Windows command line script. For example, to point a machine at the kms.contoso.com server, run this from an administrator command prompt (a host set this way is used until it is cleared with slmgr.vbs /ckms, and DNS discovery is skipped in the meantime):
cscript %windir%\system32\slmgr.vbs /skms kms.contoso.com:1688
  • Windows uses DNS to determine the KMS servers (much like it uses DNS to find which servers offer AD authentication). When a KMS host is installed it registers, via dynamic DNS update, an SRV record under _tcp.contoso.com; if the zone does not accept dynamic updates the record has to be created by hand. This record looks like this:

ServiceName: _vlmcs

Port: 1688 (default)

Host offering the service: kms.contoso.com

The Final srv record looks like this: _vlmcs._tcp.contoso.com

As you can see there is not much rocket science in the way a KMS host is published in DNS. There is also no requirement that the computer trying to activate against KMS be joined to a domain. All the computer does is an SRV DNS query for _vlmcs._tcp in its own DNS domain (for a non-domain-joined machine, its primary DNS suffix) to determine where the KMS host is; it then talks to that host on TCP port 1688 and activates. Two consequences for a cross-forest setup: clients must be able to reach TCP 1688 on the KMS host through whatever firewall sits between the forests, and whoever can write the _vlmcs SRV record in a zone decides where every client in that zone sends its activation requests, so protect that record the same way as the AD SRV records next to it.

So, to make sure computers in the forest rivnet.org, for example, can find KMS in DNS, do the following:

1. Create a new A record in the rivnet.org DNS zone, for example kms.rivnet.org, with the IP address of the KMS server kms.contoso.com. (The SRV target could also point straight at kms.contoso.com if rivnet.org clients can resolve contoso.com names, for example through a conditional forwarder; the extra A record simply has to be kept in sync if the KMS host's address ever changes.)

2. Create a new SRV record under _tcp.rivnet.org in DNS with the following details:

ServiceName: _vlmcs

Port: 1688 (default)

Host offering the service: kms.rivnet.org

The Final srv record looks like this: _vlmcs._tcp.rivnet.org

You can do this with dnscmd (on a DNS server, or on Windows 7/2008 with the RSAT DNS tools installed) by running this command, where <ZoneName> is rivnet.org, the node name _vlmcs._tcp is relative to that zone, 0 and 100 are the priority and weight a KMS host registers for itself, and <HOST-Offering-Service> is kms.rivnet.org:

dnscmd <DNSServerName> /RecordAdd <ZoneName> _vlmcs._tcp SRV 0 100 1688 <HOST-Offering-Service>

3. Test from a client computer that the SRV record is available in DNS by running this in a command prompt:

nslookup -type=srv _vlmcs._tcp.rivnet.org

You should get an answer with kms.rivnet.org as the SRV target (the record from step 2), which in turn resolves to the address you entered in step 1.

4. Test that the client computer can activate against the KMS host by running these commands from an elevated command prompt (the first activates, the second displays the license information):

cscript %windir%\system32\slmgr.vbs /ato

cscript %windir%\system32\slmgr.vbs /dli

There should be a line like this (if it reads “Registered KMS machine name” instead, the client has a manually set host from /skms and DNS discovery was not used):

KMS machine name from DNS: kms.rivnet.org:1688
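The four steps above, plus the SRV lookup and port check described earlier, as one PowerShell script. This is an added example and not code from the original post. Everything named in it is an assumption for illustration: dc1.rivnet.org as a DNS server authoritative for rivnet.org, 10.1.1.10 as the address of kms.contoso.com, the DnsServer module (DNS role on Windows Server 2012 or later, or RSAT) for the two record-creation cmdlets, and Windows 8 / Server 2012 or later on the client for Resolve-DnsName (on Windows 7 use nslookup -type=srv as shown above instead).

```powershell
# Added example, not code from the original post: publish the contoso.com KMS
# host into the rivnet.org zone (steps 1-2), then verify discovery and
# activation from a rivnet.org client (steps 3-4).
# Assumptions (not in the post): dc1.rivnet.org is authoritative for
# rivnet.org, 10.1.1.10 is the address of kms.contoso.com, the DnsServer
# module is available for steps 1-2, and the client runs Windows 8/2012+.

$Zone      = 'rivnet.org'
$DnsServer = 'dc1.rivnet.org'   # assumption
$KmsAlias  = 'kms'              # yields kms.rivnet.org
$KmsFqdn   = "$KmsAlias.$Zone"
$KmsIPv4   = '10.1.1.10'        # assumption: IP of kms.contoso.com
$KmsPort   = 1688

# --- Steps 1-2: run with an account allowed to write to the rivnet.org zone ---
# Step 1: host (A) record for the KMS host inside rivnet.org.
Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $Zone `
    -Name $KmsAlias -IPv4Address $KmsIPv4

# Step 2: SRV record _vlmcs._tcp.rivnet.org -> kms.rivnet.org:1688.
# Priority 0 / weight 100 are the values a KMS host registers for itself.
Add-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -Srv `
    -Name '_vlmcs._tcp' -DomainName $KmsFqdn `
    -Priority 0 -Weight 100 -Port $KmsPort

# --- Steps 3-4: run in an elevated PowerShell on a rivnet.org client ---
# TCP connect test with an explicit timeout, so a firewall that silently drops
# port 1688 between the forests shows up as "reachable: False" quickly.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Step 3: the same SRV lookup a KMS client performs for its DNS domain.
$srv = Resolve-DnsName -Name "_vlmcs._tcp.$Zone" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) { throw "No _vlmcs._tcp SRV record found in $Zone" }
foreach ($r in $srv) {
    $reachable = Test-TcpPort -HostName $r.NameTarget -Port $r.Port
    "{0}:{1} (priority {2}, weight {3}) reachable: {4}" -f `
        $r.NameTarget, $r.Port, $r.Priority, $r.Weight, $reachable
}

# Step 4: activate, then confirm which KMS host was actually used and how
# it was found. A "Registered KMS machine name" line means /skms is in
# effect and DNS discovery was bypassed.
$slmgr = Join-Path $env:windir 'system32\slmgr.vbs'
cscript //nologo $slmgr /ato | Out-Host
$dli      = cscript //nologo $slmgr /dli
$kmsLine  = $dli | Where-Object { $_ -match 'KMS machine name' }
$expected = [regex]::Escape("${KmsFqdn}:$KmsPort")
if ($kmsLine -match 'from DNS' -and $kmsLine -match $expected) {
    "OK, activated via DNS discovery: $kmsLine"
} elseif ($kmsLine -match 'Registered KMS machine name') {
    Write-Warning "KMS host set manually with /skms, DNS discovery bypassed: $kmsLine"
} else {
    Write-Warning "Unexpected KMS host line: $kmsLine"
}
```

Run the first half against the DNS server and the second half on a client whose DNS domain or primary suffix is rivnet.org; the port check is there because a resolvable SRV record with an unreachable target is the most common reason step 4 fails across forests.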

And that’s it for using one KMS host from any other forest in your own AD. In short:

1. Add Host record for KMS host

2. Add SRV record for KMS host

3. Attempt activation and verify it was done against the KMS host.