How to remove a KMS Server from your infrastructure

These days I took a swing at some clean-up I had to do in our KMS server list. In any large environment you are bound to find configurations you either did not put in place (there is usually more than one person managing it) or put in place for testing and forgot to remove. I’m mainly referring to KMS servers that may once have been used to activate Windows licenses, or that people attempted to set up that way (but failed for one or more reasons). You might have this problem in your environment without knowing about it. Any “rogue” or unauthorized KMS host usually also publishes its KMS service in DNS. This means that when a client tries to activate, it will pick one of the servers that offer the _VLMCS service (license activation) in the _tcp node of the DNS suffixes it has configured, or of its own domain name. By default all KMS hosts publish their service record with equal priority and weight, so with only a few KMS hosts there’s a high chance a client is sent to the wrong/rogue KMS. If the client picks the correct KMS host, all is well with the world; if not, it gets an error and you get an unneeded support call that users can’t activate Windows.

To fix this you should first find the rogue KMS hosts. Since the information is published in your DNS, this nslookup query should reveal your servers:

nslookup -q=srv _vlmcs._tcp.contoso.com

Run this for the FQDN of each of your subdomains to list all servers. A sample output would look like this:

Server: dc1.contoso.com
Address: 192.100.5.10

_vlmcs._tcp.contoso.com SRV service location:
 priority = 0
 weight = 0
 port = 1688
 svr hostname = KMS01.contoso.com
_vlmcs._tcp.contoso.com SRV service location:
 priority = 0
 weight = 0
 port = 1688
 svr hostname = John-Desktop.contoso.com
KMS01.contoso.com internet address = 192.41.5.4
John-Desktop.contoso.com internet address = 192.20.50.20
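As an added example (not part of the original post), here is the same discovery done in PowerShell across several DNS suffixes at once, with every advertised host checked against an approved list and probed on its KMS port so that stale records stand out. The suffix list and the approved host KMS01.contoso.com are assumptions taken from the sample above; adjust them to your environment. Resolve-DnsName and Test-NetConnection need Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the original post: enumerate every host advertising the
# KMS (_vlmcs) service in the DNS suffixes you manage and flag the ones that are
# not on your approved list.

# Assumption: the DNS suffixes your clients search. Adjust to your environment.
$Suffixes = @('contoso.com', 'emea.contoso.com')

# Assumption: the KMS hosts you actually intend to run. Anything else is a candidate rogue.
$ApprovedKmsHosts = @('KMS01.contoso.com')

$findings = foreach ($suffix in $Suffixes) {
    $name = "_vlmcs._tcp.$suffix"
    try {
        # The answer also carries the hosts' A records, so keep only the SRV entries.
        # -ErrorAction Stop turns NXDOMAIN into an exception we can report on.
        $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
    }
    catch {
        Write-Warning "No _vlmcs record under $suffix ($($_.Exception.Message))"
        continue
    }
    foreach ($rec in $records) {
        [pscustomobject]@{
            Suffix    = $suffix
            KmsHost   = $rec.NameTarget
            Port      = $rec.Port
            Priority  = $rec.Priority
            Weight    = $rec.Weight
            # -contains compares strings case-insensitively; DNS names are not case sensitive
            Approved  = ($ApprovedKmsHosts -contains $rec.NameTarget)
            # Does anything actually answer on the advertised KMS port (1688 by default)?
            Listening = (Test-NetConnection -ComputerName $rec.NameTarget -Port $rec.Port `
                             -InformationLevel Quiet -WarningAction SilentlyContinue)
        }
    }
}

$findings | Sort-Object Suffix, KmsHost | Format-Table -AutoSize

$rogue = @($findings | Where-Object { -not $_.Approved })
if ($rogue.Count -gt 0) {
    $names = ($rogue.KmsHost | Sort-Object -Unique) -join ', '
    Write-Warning "$($rogue.Count) unapproved KMS record(s) found: $names"
}
```

Read the table in two ways: an unapproved host that is listening on port 1688 is a machine to clean up with the steps below, while a record (approved or not) whose host is not listening is a stale entry that will keep sending clients to a dead end until it is removed from the zone.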

As you see in the nslookup output, we have 2 KMS host entries: one seems valid, the other looks like someone attempted to activate his PC the wrong way and ended up publishing KMS service records in DNS. Here’s how to remove it, for good. Some of the steps are taken from the TechNet documentation, some from the social.technet site.

  • Login/RDP/PSEXEC to the affected host (John-Desktop) and uninstall the KMS host product key. To do this, run this from an elevated command prompt:
cscript %windir%\system32\slmgr.vbs /upk
  • Install the default KMS client setup key for the host’s Windows edition (Microsoft publishes the list of generic keys):
cscript %windir%\system32\slmgr.vbs /IPK [KMS client Setup Key]
  • Activate the computer as a client using the command below. In our case it would go to the KMS01.contoso.com host:
cscript %windir%\system32\slmgr.vbs /ato
  • Now you should stop this record from being published in DNS. You guessed it: just because you uninstalled the KMS host key and put in the client key doesn’t mean the host stopped advertising KMS in DNS. If you are running Windows 2008 R2, slmgr.vbs has a switch that does this for you:
cscript %windir%\system32\slmgr.vbs /cdns

Important Note: If you are running Windows 2008 rather than Windows 2008 R2, there is no /cdns switch. You also cannot run slmgr.vbs with that switch from a 2008 R2 box against the 2008 machine; it will say something like this:

Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

The remote machine does not support this version of SLMgr.vbs

The registry change below is also a good “failsafe” in case the /cdns switch didn’t work on Windows 2008 R2. Changing this registry key worked for me; other people suggested other fixes (here) along the same lines, which I didn’t test. You need to run this command from an elevated command prompt:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SL" /v DisableDnsPublishing /t REG_DWORD /d 1
  • Stop and start the Software Licensing service:
net stop SLSVC
net start SLSVC

Update: If running Windows 2008 R2, you should restart the Software Protection service instead:

net stop "Software Protection"
net start "Software Protection"
  • Remove the _vlmcs KMS service record for John-Desktop from the contoso.com _tcp node. You can do this via the dnsmgmt.msc console.
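The steps above scripted end to end in PowerShell, as an added example that is not from the original post. It assumes PowerShell remoting to the rogue host (where the post uses RDP/PsExec; the inner script block can equally be run locally on that host), the DnsServer module from RSAT to reach dc1.contoso.com, and that you replace the placeholder $KmsClientKey with the generic client setup key for the host’s edition. The Windows 2008 versus 2008 R2 branch follows the post’s note: /cdns and the Software Protection service on R2, the registry value and SLSVC on 2008; the SoftwareProtectionPlatform registry path is the one a commenter below reports working on 2008 R2 SP1, and setting the value on both versions is a deliberate belt-and-braces choice.

```powershell
# Added example, not from the original post: convert a host that wrongly advertises
# itself as a KMS host back to a KMS client, stop it publishing in DNS, and remove its
# stale _vlmcs SRV record from the zone. Run from an elevated PowerShell session.
param(
    [string]$RogueHost    = 'John-Desktop.contoso.com',   # assumption: the host from the sample output
    [string]$Zone         = 'contoso.com',                # assumption: the zone holding the _tcp node
    [string]$DnsServer    = 'dc1.contoso.com',            # assumption: a DNS server authoritative for the zone
    [string]$KmsClientKey = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX' # placeholder, replace with the generic client setup key
)

if ($KmsClientKey -match '^X{5}(-X{5}){4}$') {
    throw 'Set -KmsClientKey to the generic KMS client setup key for the host''s edition.'
}

# Steps 1 to 4 run on the rogue host itself (needs WinRM; or run this block locally there).
Invoke-Command -ComputerName $RogueHost -ArgumentList $KmsClientKey -ScriptBlock {
    param($Key)
    $slmgr = Join-Path $env:windir 'system32\slmgr.vbs'

    # Uninstall the KMS host key, install the generic client key, activate against the real KMS.
    cscript //nologo $slmgr /upk
    cscript //nologo $slmgr /ipk $Key
    cscript //nologo $slmgr /ato

    # Stop DNS publishing. /cdns exists from 2008 R2 (6.1); plain 2008 (6.0) has no such switch.
    $os = [System.Environment]::OSVersion.Version
    if ($os -ge [version]'6.1') {
        cscript //nologo $slmgr /cdns
        $svc   = 'sppsvc'   # service name of "Software Protection" on 2008 R2 and later
        $slKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'
    } else {
        $svc   = 'slsvc'    # Software Licensing service on Windows 2008
        $slKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SL'
    }
    # Failsafe from the post: DisableDnsPublishing = 1 under the path the OS actually uses.
    New-ItemProperty -Path $slKey -Name 'DisableDnsPublishing' -PropertyType DWord -Value 1 -Force | Out-Null
    # The service re-reads the value on start, so restart it.
    Restart-Service -Name $svc -Force
}

# Step 5: delete the stale SRV record. Do this only after the host stopped publishing,
# otherwise the record simply comes back at the next registration.
$srv = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone `
           -Name '_vlmcs._tcp' -RRType Srv -ErrorAction SilentlyContinue |
       Where-Object { $_.RecordData.DomainName -eq "$RogueHost." }   # RecordData carries the FQDN with trailing dot
if ($srv) {
    $srv | Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -Force
    Write-Output "Removed _vlmcs SRV record pointing at $RogueHost"
} else {
    Write-Output "No _vlmcs SRV record for $RogueHost found in $Zone"
}

# Verify: the _tcp node should now list only the intended KMS host(s).
Resolve-DnsName -Name "_vlmcs._tcp.$Zone" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Port, Priority, Weight
```

The verification at the end is worth keeping in any scheduled version of this script: if the record reappears a few hours later, the host is still publishing and the registry or service step did not take effect, which is exactly the symptom several commenters below describe.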

That’s about it. Hope someone finds this useful. Any comments are welcome.



20 Responses to How to remove a KMS Server from your infrastructure

  1. Mario says:

    This was a VERY useful article. I had this issue on two 2008 domain controllers and they kept coming back after converting them to KMS clients. I saw the “/cdns” switch, but didn’t know why it wasn’t working. Thanks so much for the extra info and the registry solution.

  2. Pingback: Help please!! KMS Server not available

  3. Andrew Duffin says:

    SLSVC doesn’t exist in 2008R2.

    I think you need to restart Software Protection instead.

  4. Keith says:

    The DisableDnsPublishing Registry entry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SL didn’t work for me but it did when I put it under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform this is on Windows 2008 R2 SP1
    Thanks for the article

    • Ionut Nica says:

      Hi

      For Windows 2008 R2, running cscript %windir%\system32\slmgr.vbs /ckms or /cdns should do the trick on its own. This doesn’t work on Windows 2008, so I had to dig up the registry entry…
      Didn’t /ckms work for you in the first place?

      Ionut

  5. Tomas says:

    Well done, worked like a charm. Thanks.

  6. NXU says:

    Hi,

    Very useful information and many thanks. We had a few offending machines advertising themselves as KMS hosts. This article helped us to locate them and remove the service. The url for default kms key doesn’t work BTW.

    Thanks
    NXU

  7. Dany Demers says:

    Very useful article, you should point to the most recent version of the MS article for the KMS client key

    http://technet.microsoft.com/en-us/library/jj612867.aspx

  8. Dany Demers says:

    Also for the other client computers that were pointing to the rogue KMS server you can use this command to clear the product key from the registry so clients check the DNS for the most up to date information: slmgr /cpky

  9. Andy says:

    Curious about clients that have cached the wrong record, are they smart enough to query DNS again after the KMS has been removed from the server or are they going to start having license failures?

    • Ionut Nica says:

      If clients have cached a wrong/expired record and that record does not respond to activation requests, it will automatically rediscover the location of the service. I’m guessing this happens every 2 hours by default (KMS tries to activate every 2 hours) or the value you set it to.

  10. Feders says:

    I’m trying to uninstall the Volume activation role from a Win 2012 server without success. Any hints?

    • Ionut Nica says:

      Is there any error you are getting?
      Are you trying to uninstall via GUI or some other method, like powershell command?
      Any hints to the error in event viewer?

  11. Andrea Lockheart says:

    Morning,

    Thank you for your article.

    I have a question for you. We’ve noticed that our primary DC is a KMS server and want it removed. We plan to follow your steps but will be replacing the KMS key with a MAK key.

    Are there any undesirable effects with switching the key to a MAK on a domain controller, especially since it’s the primary?

    Kindly advise.

    Regards,
    A

    • Ionut Nica says:

      Hi,

      As far as I remember MAK keys work fine. When you switch to the MAK key, Windows will want to go online and activate the MAK key, so more or less unrestricted internet access is required. Also Windows will probably want to do the same thing when you “drastically” change the hardware of the box, like adding a CPU or replacing the motherboard. So ensure you have that, and you should be fine.
      Also, don’t be scared that the DC is your primary DC… the PDC emulator role can be moved (while you decommission the KMS role), it’s not set in stone (unless you have some special applications that require a connection to the PDC and the name of the PDC is hardcoded in the app, then yes, moving the PDC is not so easy to do).
      I’m not familiar with your reasons behind wanting to move away from KMS, but I do agree that you should try to keep your PDC to just run AD services and DNS, and nothing else.

  12. Andrea Lockheart says:

    OK Thank you so much for your prompt answer.

  13. Xeiran says:

    Fantastic post, agree with Mario, *very* useful. Also had a KMS server whose DNS entry kept coming back even though the service itself had been removed. /cdns didn’t work, but /ckms did the trick. Many thanks!