Activating Microsoft Products This page covers product activation for Microsoft products. This page is intended for IT administrators on campus. Topics on this page. Microsoft has transitioned many of its products to its Volume Activation licensing system. The system includes two licensing options, the Key Management Service or KMS, and the Multiple Activation Key or MAK.
Generating a Client Certificate Request with req.exe. Represent optional keywords or in a command line description. The SafeNet KeySecure provides logs and statistics that enable you to monitor system health.
For most systems, especially those that will remain on campus or that will have regular access to the p172 network, KMS activation should be used. For systems located off-campus or those without regular access to the p172 network, use of a MAK for activation may be appropriate. See below or contact [email protected] if you need assistance in determining the best activation mechanism for your use case. UW-IT runs the University’s KMS server, mskms.cac.washington.edu.
Hi, I need to set up a KMS for Office 2013 activation in a new domain that should serve another domain/s in the same forest. The primary request is for Office only. I am sure that the next one will be for activating OSes. I started to collect blogs articles (there are tons). Have a clear one for setting up Office 2013 KMS (server and client parts).
The questions: 1. Could KMS set for Office accommodate OSes activations (didn't find clear answer on web). The primary goal now is to activate Office in different domain. I guess it will not be a big issue (with appropriate instructions). I saw similar scenario for OSes activation. Finally it is DNS config. What about Domains trust?
I am planning to first make the Office activation work in the same domain where KMS is placed. Then to move to primary request activation on different domain. Just want to be generally prepared. When you hit a wrong note its the next note that makes it good or bad. Miles Davis. Using DNS records for your KMS can save you lots of effort.
The KMSclient computers will attempt to auto-discover SRV records in DNS, so if you create (or allow the KMShost to auto-publish) those SRV records in DNS, the clients will auto-discover those vlmcs.tcp. Contoso.com SRV records and auto-activate to the KMShost. If you have several namespaces to service, you can configure the registry of the KMShost to auto-publish into multiple namespaces (that's what I do). Eg my KMShost is kmshost.corp.contoso.com, my kmshost auto-publishes to that namespace. KMSclients which also reside/default to that namespace (corp.contoso.com) will auto-discover via vlmcs.tcp.corp.contoso.com I also configure the same KMShost, via registry, to publish into additional namespaces: region1.corp.contoso.com, corp.fabrikam.com. This means that the KMShost creates additional SRV records: vlmcs.tcp.region1.corp.contoso.com & vlmcs.tcp.fabrikam.com.
In this way, KMSclient computers in the namespaces region1.corp.contoso.com & fabrikam.com, will successfully find their own SRV records which all refer to the same/single KMShost. If you don't allow DDNS (which is how the auto-publish works), you can create the SRV records yourself in the DNS, according to your scenario/requirements.
The advantage of publishing into DNS multiple namespaces, is that you don't have to configure the KMSclients to point to your KMShost, they just do it by default behaviour. Don doesn't work for MSFT, and they're probably glad about that;. But I would like to ask you do you keep your KMSs out of AD?
(I don't think so:) ). I keep out of domain some kiosks machines on remote sites but servers for sure are AD members, WSUS included. I guess you provided explanation for general understanding?
If there's an AD available, I use it, so, wherever possible I will domain-join a KMShost. This is of no benefit to the KMShost/service/clients itself, it's just the general benefit of having AD so that I can use a single username/password for accessing/managing the KMShost server for checking logs, patching Windows, GPO, security etc. Same reason why I domain-join WSUS (the service doesn't need it, but it makes my life as admin easier) Don doesn't work for MSFT, and they're probably glad about that;. I have a question about minimum activated clients. The new KMS would be installed in a new domain.
There are no client machines in this domain, only servers and to make it clean I don't want to use workstations from the production domain with existant KMS. For testing Office 2013 activation I will need 5+ activated machines in a new domain. I found some KMS client simulator topics on web, that I believe could be useful. If not I have to add at least 6 workstations to Domain that will be a bit time consuming. Could you suggest a KMS simulator? So, the 'KMSclient' does not have to be a 'Workstation' at all. A KMSclient, is simply a VL product which is configured with the GVLK product key.
![Kms Kms](http://www.port135.com/wp-content/uploads/2016/11/edge.png)
This includes all WinVista/Win7/Win8/Win8.1/Win10/WS2008/WS2008R2/WS2012/WS2012R2/OFF2010/OFF2013/OFF2016. And it will soon include WS2016 (when released to VL channel). KMS does have minimum client thresholds (5 for Office or 5 for WindowsServerOS or 25 for WindowsClientOS).
Note that if you do have a mixture of WindowsServerOS or WindowsClientOS, you can have any combination of those to reach the 5 or 25 minimum, eg 2.serverOS+3.clientOS=5minimum, so the serverOS minimum of 5 would be met (but not the client minimum of 25) I've never had the need for a KMShost emulator nor KMSclient emulator. I.may.
have seen the KMShost emulator used in classroom training situations;) VL products don't lose any functionality if they fall out of Activated status, there's only a couple of visual markers, so if a lack of minimum threshold is a temporary situation, don't even worry about it. Don doesn't work for MSFT, and they're probably glad about that;. I checked - KMS service role is installed. When lunched the console it started with configuration wizard. This make me feel like KMS was never configured on this host, just VAMT was used.
Unless that for each user profile KMS will start a config wizard (that I strongly doubt). Tomorrow I can talk to the guy who setup this machine. I want to create clean VM. No VAMT at all (at least until KMS will work properly).
I have 6 clean client computers with Office 2013 installed from corporate image. They are on the same physical network with Main production Domain and functioning KMS. These machines not yet added to domain. Main production domain has working KMS. Here is the scenario that I want to accomplish in order to test Office clients machines from fresh Office KMS host: 1. Install Fresh KMS with Office License Pack only (no OSes at this time). Add namespace of the domain that doesn't have KMS in it to the registry (it is the domain were KMS will be installed). Join 6 test pcs to the domain from step 2.
My goal that these 6 pcs will be activated from a NEW KMS. Is there a chance that these 6 pcs will be activated from Existing and working KMS in production domain? They are on the same routable LAN (vLans) but will be in a new domain. Is there a way to prevent activation of other machines from Existing KMS of production domain?
Should some exceptions be set on working KMS, like to force to activate just one domain's machines? I guess registry setting should be done for one domain. If I correctly understood your explanation above for setting namespaces in registry. WS2012 has a Volume Activation Tools wizard (this is not VAMT).
The VAT wizard allows you to configure a machine as KMShost or ADBA etc. A KMShost will issue activation to anything which requests activation (as long as the minimum threshold of 5 or 25 is met, and, the KMShost is configured to offer activation for that requesting product type). There is no way within KMS to limit nor control which requests are activated vs requests refused. To do so, you would need to firewall or some similar method. For the multiple namespace registry, this is a simple control of which namespace the KMShost will auto-publish into, effectively which namespaces would be able to perform auto-discovery of the KMShost.
If your KMShost resides in contoso.com and you auto-publish into contoso.com but don't auto-publish into fabrikam.com, then the computers in fabrikam.com cannot 'discover' the KMShost so those would not auto-activate to that KMShost. If you already have a KMShost in contoso.com, and you then create an additional KMShost in contoso.com, and if both KMShosts can auto-publish, the KMSclients will 'randomly' choose one of either KMShost and attempt activation. (in reality it's not really random but it depends upon your DNS implementation. You can control this with DNS record weighting etc) If you are wishing to perform some testing, you can temporarily stop the sppsvc on the old KMShost or temporarily use windows firewall to block the traffic (so the KMShost cannot receive/process the request packets) Don doesn't work for MSFT, and they're probably glad about that;. Using DNS records for your KMS can save you lots of effort. The KMSclient computers will attempt to auto-discover SRV records in DNS, so if you create (or allow the KMShost to auto-publish) those SRV records in DNS, the clients will auto-discover those vlmcs.tcp.
Contoso.com SRV records and auto-activate to the KMShost. If you have several namespaces to service, you can configure the registry of the KMShost to auto-publish into multiple namespaces (that's what I do). Eg my KMShost is kmshost.corp.contoso.com, my kmshost auto-publishes to that namespace. KMSclients which also reside/default to that namespace (corp.contoso.com) will auto-discover via vlmcs.tcp.corp.contoso.com I also configure the same KMShost, via registry, to publish into additional namespaces: region1.corp.contoso.com, corp.fabrikam.com. This means that the KMShost creates additional SRV records: vlmcs.tcp.region1.corp.contoso.com & vlmcs.tcp.fabrikam.com.
In this way, KMSclient computers in the namespaces region1.corp.contoso.com & fabrikam.com, will successfully find their own SRV records which all refer to the same/single KMShost. If you don't allow DDNS (which is how the auto-publish works), you can create the SRV records yourself in the DNS, according to your scenario/requirements. The advantage of publishing into DNS multiple namespaces, is that you don't have to configure the KMSclients to point to your KMShost, they just do it by default behaviour. Don doesn't work for MSFT, and they're probably glad about that;.
![Example Example](/uploads/1/2/5/3/125374900/153127373.png)
Don, thanks for 'super' answers separately. Let me ask some questions after the info you provided. KMS doesn't have to be a domain-joined machine at all.
KMS is domain-agnostic the answer just clarifies a non-dependency on AD. But I would like to ask you do you keep your KMSs out of AD? (I don't think so:) ). I keep out of domain some kiosks machines on remote sites but servers for sure are AD members, WSUS included. I guess you provided explanation for general understanding? - When you hit a wrong note its the next note that makes it good or bad.
Miles Davis. I have a question about minimum activated clients. The new KMS would be installed in a new domain. There are no client machines in this domain, only servers and to make it clean I don't want to use workstations from the production domain with existant KMS. For testing Office 2013 activation I will need 5+ activated machines in a new domain. I found some KMS client simulator topics on web, that I believe could be useful. If not I have to add at least 6 workstations to Domain that will be a bit time consuming.
Could you suggest a KMS simulator? Here is one from what I found: If you have ever used a KMS Server, whether a leaked online server or a Virtual Machine like KMSMicro, you know that you need so many clients to ask the KMS Server for activation before it gives them out. If you try to activate against a KMS Server, and the client count is not at least the following: 25 for any Windows Client Operating System 5 for any Windows Server Operating System 5 for any Microsoft Office Application/Suite You will get the following error if the client count is not at that minimum: 0xC004F038 The software Licensing Service reported that the computer could not be activated.
The count reported by your Key Management Service (KMS) is insufficient. Please contact your system administrator. The problem with using a VM to create your own personal KMS Server is you need to achieve this count, and after 30 days, the count is lost, so you need to maintain the client count. So far people have been using a client Virtual Machine and scripts to boost the count, but this is a slow and hacky method and requires running 2 virtual machines. So, based on source code nosferat87 made of a KMS Server Emulator, which ZWT made the original version but nosferati87 fixed bugs in, I created a KMS Client Emulator that can boost the supported products on ANY KMS Server. Anyone is welcome to use this in however way they want, but I will have this integrated into Microsoft Toolkit and AutoKMS, so you can use KMS Servers with those applications without setting up any kind of script based on this application, or ever worrying about the count.
The KMS Client Emulator is a tiny console commandline application that can boost any KMS Server client count. It sends an activation request like a real client, spoofing it and sending a unique Client Machine ID every time, so every request is acknowledged as unique. It is a tiny application that replaces the client VMs people have been using to boost the count, is much faster, and can be easily automated. The KMS Client Emulator uses the following commandline parameters: 'KMS Client.exe' KMSPort KMSHost ClientMode KMSPort is the TCP/IP Port, usually 1688, that the KMS Server listens on. KMSHost is the IP or Hostname of the KMS Host.
ClientMode is the product you want to increase the KMS Count of. Valid Parameters: KMSPort can be DefaultPort or any number from 0 to 65535. It is usually 1688 which DefaultPort=1688 KMSHost can be any IP address or hostname. You can use DefaultHost for 127.0.0.1, or 127.0.0.1, if the KMS Server is running on the same PC as the KMS Client Emulator, otherwise use a working IP or Hostname. ClientMode can be Windows, Office2010, or Office2013. Windows will increase any Windows KMS Host count, Office2010 will boost Office 2010 KMS Host Count, and Office2013 will boost any Office 2013 KMS Host count. You cannot use Office2010 to boost Office 2013 KMS Host count or Office2013 to boost Office 2010 KMS Host count.
If you leave this blank, it will default to Windows. Examples of Use: 'KMS Client.exe' = Will use DefaultPort DefaultHost Windows, connection to 127.0.0.1:1688 and charging Windows KMS Host client count. 'KMS Client.exe' 1688 127.0.0.1 Windows = Same as the above. 'KMS Client.exe' 1688 127.0.0.1 Office2010 = Will boost Office 2010 KMS Host client count on 127.0.0.1:1688. 'KMS Client.exe' 12345 192.168.2.2 Office2013 = Will boost Office 2013 KMS Host client count on 192.168.2.2:12345.
Troubleshooting: If you enter any invalid parameters, such as Port 99999, the app won't run, and will tell you the parameter was invalid. The KMS Host you specify must be online, and listening for KMS Requests on the given Port. Any network issues or Firewall issues, or the host not listening will cause the KMS Client to end with an error code, typically 'Error 1722: The RPC Server is Unavailable'. If you try to boost a client count of a product that the KMS Host doesn't support, such as trying to boost Office2013 on a KMS Server without an active Office 2013 KMS Host Key, you will get the error 'Failed to get Activation response.'
Downloads: KMS Client Emulator 1.0 EXE MD5: 70EE065C37A1D2BBC65AD6EF693A9739 Download: Full Source:- When you hit a wrong note its the next note that makes it good or bad. Miles Davis. But I would like to ask you do you keep your KMSs out of AD? (I don't think so:) ). I keep out of domain some kiosks machines on remote sites but servers for sure are AD members, WSUS included.
I guess you provided explanation for general understanding? If there's an AD available, I use it, so, wherever possible I will domain-join a KMShost. This is of no benefit to the KMShost/service/clients itself, it's just the general benefit of having AD so that I can use a single username/password for accessing/managing the KMShost server for checking logs, patching Windows, GPO, security etc. Same reason why I domain-join WSUS (the service doesn't need it, but it makes my life as admin easier) Don doesn't work for MSFT, and they're probably glad about that;. I have a question about minimum activated clients.
The new KMS would be installed in a new domain. There are no client machines in this domain, only servers and to make it clean I don't want to use workstations from the production domain with existant KMS. For testing Office 2013 activation I will need 5+ activated machines in a new domain.
I found some KMS client simulator topics on web, that I believe could be useful. If not I have to add at least 6 workstations to Domain that will be a bit time consuming. Could you suggest a KMS simulator?
So, the 'KMSclient' does not have to be a 'Workstation' at all. A KMSclient, is simply a VL product which is configured with the GVLK product key. This includes all WinVista/Win7/Win8/Win8.1/Win10/WS2008/WS2008R2/WS2012/WS2012R2/OFF2010/OFF2013/OFF2016.
And it will soon include WS2016 (when released to VL channel). KMS does have minimum client thresholds (5 for Office or 5 for WindowsServerOS or 25 for WindowsClientOS). Note that if you do have a mixture of WindowsServerOS or WindowsClientOS, you can have any combination of those to reach the 5 or 25 minimum, eg 2.serverOS+3.clientOS=5minimum, so the serverOS minimum of 5 would be met (but not the client minimum of 25) I've never had the need for a KMShost emulator nor KMSclient emulator. I.may. have seen the KMShost emulator used in classroom training situations;) VL products don't lose any functionality if they fall out of Activated status, there's only a couple of visual markers, so if a lack of minimum threshold is a temporary situation, don't even worry about it.
Don doesn't work for MSFT, and they're probably glad about that;. So, the 'KMSclient' does not have to be a 'Workstation' at all. Don, I have no doubt of that:).
I mentioned 'servers' just because there are no workstations in the NEW domain and servers do not have Office installed and sure I will not install it on servers for KMS activation testing. After digging in a bit more.
I accessed the Server 2012 dedicated for new KMS installed by somebody. The session was locked under local Administrator account.
When logged in I found VAMT opened were I found couple of Office activated by by MAK. I checked - KMS service role is installed. When lunched the console it started with configuration wizard. This make me feel like KMS was never configured on this host, just VAMT was used. Unless that for each user profile KMS will start a config wizard (that I strongly doubt). Tomorrow I can talk to the guy who setup this machine.
I want to create clean VM. No VAMT at all (at least until KMS will work properly).
I have 6 clean client computers with Office 2013 installed from corporate image. They are on the same physical network with Main production Domain and functioning KMS. These machines not yet added to domain. Main production domain has working KMS.
Here is the scenario that I want to accomplish in order to test Office clients machines from fresh Office KMS host: 1. Install Fresh KMS with Office License Pack only (no OSes at this time). Add namespace of the domain that doesn't have KMS in it to the registry (it is the domain were KMS will be installed). Join 6 test pcs to the domain from step 2. My goal that these 6 pcs will be activated from a NEW KMS. Is there a chance that these 6 pcs will be activated from Existing and working KMS in production domain? They are on the same routable LAN (vLans) but will be in a new domain.
Is there a way to prevent activation of other machines from Existing KMS of production domain? Should some exceptions be set on working KMS, like to force to activate just one domain's machines? I guess registry setting should be done for one domain. If I correctly understood your explanation above for setting namespaces in registry. Does above plan make sense? Sure, I cannot do a terrible:) mistake and correcting KMS topic for myself by learning and doing. When you hit a wrong note its the next note that makes it good or bad.
Miles Davis.