Key Management Service – Setting it up for Windows 10 and Office 2016.

I picked up another task, which ain't too bad. A simple brief: provide Key Management Services (KMS) for Office 2016 and Windows 10.

In order to license Windows 10 and Office 2016 via a KMS, you must run it on Windows Server 2012. It will not work on anything less.

This was a sticking point for my organisation, as we currently host our KMS on Server 2008. This did complicate matters, as I would have two KMS servers. Generally speaking KMS boxes aren’t load balanced, if it is even possible (I don’t think it is).

You can, however, license Windows 10 via an update if you are on Server 2008 R2.

I followed the advice here, and created a security group. I then applied said group to the _VLMCS DNS record, thus allowing subsequent KMS servers to use it. The detailed steps from the link are:

  • Create a global security group in AD DS that will be used for your KMS hosts. An example is Key Management Service Group (don’t forget to reboot after adding the computer account to update the security token!).
  • Add each of your KMS hosts to this group. They must all be joined to the same domain.
  • Once the first KMS host is created, it will create the original SRV record. If the first KMS host is unable to create the SRV resource record, it may be because your organization has changed the default permissions. In this case, manually create the SRV RR as the section, “Manually Create SRV Records in DNS,” describes.
  • Set the permissions for the SRV group to allow updates by members of the Global Security group.

Easy enough!

Next, go to the products and features section of your KMS host to be, and apply the Volume Activation Services. Once complete, you *MUST* do the further configuration. Oddly enough, it doesn’t seem to prompt you. If you click on the VA Services section, there is a very subtle “further tasks” type link to click on. Once you’re done, it should look like this:

Oh hai.


When you blow through the configuration, you can select all kinds of options, including the KMS port and the DNS zones it will publish to. You’ll also get to apply the KMS key and activate it.

It is imperative that you use the KMS HOST key here.

However, I received an error when applying the Windows 10 KMS host license. A quick Google led me to this KB hotfix, Windows8.1-KB3058168-x64. The KB article is here.

I applied the KB, and I could then get my KMS host to accept the Windows 10 KMS host key.

I now had my KMS servers registered in DNS. To verify all was working, I executed the following command in a DOS prompt:

nslookup -type=srv _vlmcs._tcp

…this gave me exactly what I wanted:

I see j00 KMS.


Great, so I now have my new KMS servers appearing in DNS. I should be licensing stuff, right? Hmm, nope! I could see my clients sending requests to all the published KMS servers, as the KMS clients were logging event ID 12288 for each KMS server. However, there was no subsequent event ID 12289 indicating a response from a KMS host.

This indicated that the clients were failing to find the KMS servers, as they were subsequently trying the other KMS host.

I checked the server for any corresponding event IDs 12290, but the KMS log was empty! The KMS entry for the firewall had been applied as part of the Configuration, mentioned above, and I could see the exception:

Nothing is ever easy.


On a hunch, I disabled the Windows Firewall… within MINUTES the KMS log went ballistic with event ID 12290:

Let there be licensing.



So, I now need to investigate why the firewall exceptions weren’t applied. Don’t worry, the firewall is back on!
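The symptom above (12288 on the clients, no 12289, an empty host log) can be narrowed down without turning the firewall off. The script below is an added example, not part of the original post: it checks the SRV records, TCP reachability and client events, and on the KMS host the firewall rule state against the active network profile. The domain name is a placeholder, and the rule group name 'Key Management Service' is assumed to be the built-in one on an English-language build.

```powershell
# Added example. Run without -OnHost on a KMS client, with -OnHost on the KMS host.
param(
    [string]$DnsDomain = 'example.local',   # placeholder, replace with your AD DNS zone
    [switch]$OnHost
)

if (-not $OnHost) {
    # 1. Which KMS hosts does DNS advertise? (same data as the nslookup above)
    $srv = Resolve-DnsName -Name "_vlmcs._tcp.$DnsDomain" -Type SRV -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }

    # 2. Can this client open a TCP session to each advertised host and port?
    foreach ($r in $srv) {
        $t = Test-NetConnection -ComputerName $r.NameTarget -Port $r.Port `
                                -WarningAction SilentlyContinue
        [pscustomobject]@{
            KmsHost   = $r.NameTarget
            Port      = $r.Port
            Priority  = $r.Priority
            Reachable = $t.TcpTestSucceeded
        }
    }

    # 3. Requests (12288) versus responses (12289) logged here in the last day.
    #    Many 12288 and no 12289 matches the failure described in the post.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; Id = 12288, 12289; StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue | Group-Object Id | Select-Object Name, Count
}
else {
    # 4. Is the KMS inbound rule enabled, and for which firewall profiles?
    Get-NetFirewallRule -DisplayGroup 'Key Management Service' -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Enabled, Profile, Direction, Action

    # 5. Which profile is the host's network actually using? A rule enabled only
    #    for a profile that is not listed here will not admit any traffic.
    Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

    # 6. Has the host logged any client requests (12290) recently?
    Get-WinEvent -FilterHashtable @{ LogName = 'Key Management Service'; Id = 12290 } `
                 -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id
}
```

If step 2 reports a host as unreachable while the rule in step 4 shows as enabled, compare the rule's Profile column with step 5 before touching the firewall state.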


