ADFS, WAP and updating their public certificates

Renewing public certificates within an environment is always a bit of a pain – especially when you use the same certificate on a range of different systems and have to update each manually! When you’ve got a number of web-based systems that you publish externally, using a reverse proxy such as a Microsoft Web Application Proxy (WAP) can make the task a little less tedious.

With WAP, you can use a single wildcard certificate to publish any number of web-based services to the public internet. When you need to update the public certificate, you only need to update it in the one place – you don’t need to update each individual web service. In addition, WAP can also act as an Active Directory Federation Services Proxy (ADFS Proxy) – this allows you to present your ADFS infrastructure to the public internet without directly exposing your ADFS server(s).

In general, ADFS and WAP should go hand-in-hand. Internal clients hit the ADFS server directly (via the ADFS namespace), while external clients communicate via the WAP. By doing this, you can also set up different rules in ADFS to define what should happen for external authentication requests, compared to internal authentication requests (e.g: 2-factor auth for external, windows auth for internal).

Now, both ADFS and WAP need to have a public-signed certificate. What happens when those certificates expire? Obviously you need to renew them and update the configuration – which is what prompted me to write this article. Usually this is a pretty simple process – you import the new certificate into the local computer certificate store on each of your ADFS/WAP servers, then update the configuration.

Initially I noticed I was getting the following in the event logs of the WAP server:

I had a look at the certificate on the ADFS server and sure enough, the certificate thumbprint matched the expired certificate on the ADFS server. Since I was using that certificate on the WAP server as well, I needed to update it in both systems. I started by importing the new public wildcard certificate into both the ADFS and WAP servers.

The next step is to update the configuration. For ADFS, you can pull up the ADFS console and go to the Service\Certificate node. From there, you select the ‘Service Communications’ certificate, hit the ‘Set Service Communications Certificate’ link, then follow the wizard. Then in the ADFS event log I started getting:

Whoops, I forgot to give access to the service account for the private key! In the Certificate Management console, locate the public cert, right-click, select ‘All Tasks’ – ‘Manage Private Keys’ and make sure the service account has full access. I restarted the ADFS service (adfssrv) and the ADFS server looked to start up successfully. Or so I thought.

Assuming ADFS was all good, I then proceeded to update the main proxy certificate in WAP. To do this you really only have the option to use a powershell command:

…and of course I was still getting trust errors. In the end I removed and re-added the WAP role to the server (it was a development environment – and since the rules and configuration are stored with ADFS, it’s wasn’t a huge issue). When trying to re-create the trust to the ADFS server via the wizard, I was getting a trust error – along with the following in the event log:

Odd. I could resolve and ping the ADFS server (both directly and via the ADFS namespace) – and the credentials used were an administrator on the remote server. The new certificate was showing correctly in the ADFS console, and the event logs on the ADFS server indicated it was all fine. So I started going through all the config via Powershell instead. After a bit of investigation, I ran the Get-AdfsSslCertificate  command. Despite the ADFS console showing the correct certificate, powershell was still showing the old one!

I ran: Get-ChildItem -path cert:\LocalMachine\My  to get the thumbprint of the new certificate, then Set-AdfsSslCertification thumbprint <newthumbprint>  to set it. I restarted the service with  Restart-Service adfssrv and double-checked the certificate. Ok, NOW we were looking good.

As it turns out, the GUI wizard will update the configuration in the ADFS database, but not the binding on HTTP.sys.

I re-ran the WAP wizard and everything started working correctly.

One other thing to take note of – the above commands are all about updating certificates specifically for ADFS and the ADFS Proxy (WAP) – if you have additional published rules in WAP, you’ll need to update the certificate thumbprint against those as well!

 

Windows 10 Fast Startup Mode – Maybe not so good for enterprise!

Windows 10 includes a feature called “Fast Startup”, which is enabled by default. The whole idea behind this feature is to make it so computers don’t take as long to boot up after being shut down (rather than going into hibernation or sleep). It achieves this by essentially using a cut-down implementation of Windows Hibernation. Instead of saving all user and application state to a file like traditional hibernation, it only saves the kernel and system session to the hibernation file (no user session data) – that way when it “turns on”, it loads the previous system session into RAM and off you go. Its worth noting that this process doesn’t apply to reboots – only shutdowns. Reboots follow the traditional process of completely unloading the kernel and starting from scratch on boot-up.

Obviously, it’s a great idea for consumers – quicker boot-up and login times = happy consumers.

When you start using it in a corporate environment though, you can start running into some issues – primarily:

  • It can cause the network adaptor to not be ready prior to the user logging in. If you’re using folder redirection (without offline files – for computers that are always network-connected), then this isn’t such a good thing. It’s also not such a great thing for application of user-based group policies that only apply during login.
  • Some Windows Updates require the computer to be shut down/rebooted for them to install correctly. In the case of Fast Startup, the system isn’t really shutting down – it’s hibernating. Since users in corporate environments quite often just “shut down” at the end of the day (hibernate with Fast Startup), these updates don’t get installed. Of course there’s ways around this (have SCCM prompt the user to reboot, for example), but they’re not always an acceptable solution for every customer.

Obviously if the computer doesn’t support hibernation, there’s no issues.

If you’d like to disable Fast Startup, there doesn’t seem to be a specific GPO setting – you’ll have to use Group Policy Preferences instead. The relevant registry setting is here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Power\HiberbootEnabled    (1 = enable, 0 = disable)

Windows 10 Photos App – Invalid Value for Registry / Repairing Windows 10 Universal Apps

One of our clients had a user with a weird issue today – whenever they tried to open a photo, they’d get the following error:

win10photos-invalidregistry

When looking at the PC, they had all image formats set to use the built-in Windows 10 Photos application. If you try to open the application separately, you get the exact same error – so obviously the application was broken somehow.

After a little research, I discovered other users with the same issue – and of course, many of the suggested solutions were ridiculous (sfc /scannow – seriously?!).

As it turns out, there’s actually quite a simple fix – and it’s built into Windows.

  1. Navigate to Start – Settings – System – Apps & Features
  2. Scroll down to ‘Photos’ and click on it
  3. Click ‘Advanced Options’
  4. Click ‘Reset’

Give it a minute or so, then try it again – it should now work!

As an aside, you can do this with any of the Windows 10 Universal Applications!

Microsoft Exchange Federation Certificates – Keep an eye on the expiry!

I recently had a client experience an issue with their hybrid exchange setup (365/On Premise) – users were suddenly unable to retrieve free/busy and calendar information between the two environments. As it turns out, the certificate used to secure communications to the Microsoft Federation Gateway (MFG) had expired.

Federation certificates within exchange are generally created as part of the federation creation wizard (or the 365 Hybrid Configuration Wizard) – so in most cases, people don’t realise they’ve been created. If you’re not actively monitoring certificate expiry dates on your servers (which you should be!), you may get into the situation where this certificate expires – which results in the federation no longer working.

Why is it important to renew it before it expires? Because if you don’t, you need to remove and re-create the federation – a significantly larger task than the federation certificate renewal process. The reason for needing to re-create the trust is due to the fact that the federation certificate is used to authenticate any changes to the federation – so once it expires you can’t make any changes and have to start from scratch. Lets take a look at the steps involved in both:

Renewing before expiry:

  1. Create a new self-signed federation certificate
  2. Set the new certificate as the ‘Next’ certificate in the federation trust
  3. Wait for AD replication
  4. Test the certificate and trust (Test-FederationTrustCertificate, Test-FederationTrust)
  5. Roll-over the ‘Current’ certificate to the ‘Next’ certificate
  6. Refresh the federation metadata

Renewing after expiry:

  1. Document the existing trust settings (federated domains, federation settings)
  2. Force remove each federated domain from the federation
  3. Remove the federation trust
  4. Wait for AD replication
  5. Create a new self-signed federation certificate
  6. Create a new federation trust
  7. Update the trust organisation information
  8. Configure the required settings in the trust (as per the documentation you created in step 1)
  9. Wait for AD replication
  10. Test the certificate and trust (Test-FederationTrustCertificate, Test-FederationTrust) – it can take 12-48 hours before the trust reports as being no longer expired!
  11. Add each of the federated domains back into the trust (this will involve generating domain ‘Proof’ entries and adding them to your external DNS, then waiting for DNS propagation)

So in short, don’t let your federation certificates expire!

Decommissioning Skype for Business 2015 on premise after migrating to O365

Depending on how you utilise Skype for Business, you may have no requirement to maintain a hybrid environment once all users are within Skype for Business online.

Documentation around decommissioning the on premise environment was surprisingly sparse.

One of the better documents around web was here – but it still stopped a little short, in my opinion.

So below is my attempt at rounding this process out.

 

All steps below assume you have already migrated all users to Skype for business and that you are aware of the requirements to stay in hybrid depending on your EV setup. If you are unsure, do not start this process.

 

Step 1 – Update DNS entries

This document really nails the DNS changes required, so good work Mark Vale. I am going to paraphrase the article a little, just so it’s all in one place.

Depending on your environment, you have a fair idea of idea of how long you need to wait externally and internally for convergence. This will lead to downtime, so it is wise to perform this outside of business hours.

Its also wise to take a backup of your existing values, just in case.

External DNS changes

ActionDNS Record NameTypeValue
ModifySipCNAMEsipdir.online.lync.com
ModifylyncdiscoverCNAMEwebdir.online.lync.com
Modify_sipfederationtls._tcpSRV0 0 5061 sipfed.online.lync.com
Modify_sip._tlsSRV0 0 443 sipdir.online.lync.com
DeleteDialinA
DeleteMeetA/Cname
DeletelyncwebA/Cname
Delete_xmpp-serverSRV

 

Internal DNS changes

ActionDNS Record NameTypeValue
Add_sipfederationtls._tcpSRV0 0 5061 sipfed.online.lync.com
ModifysipCNAMEsipdir.online.lync.com
ModifylyncdiscoverCNAMEwebdir.online.lync.com
DeletelyncdiscoverinternalA
DeletedialinA
DeletemeetA
DeletelyncwebA
Delete_sipinternaltls._tcpSRV

after completing these updated, check via the O365 portal that O365 is reporting the Skype DNS entries as all good. I find this is generally pretty quick, so I assume that the source DNS server is used for DNS record checks and it doesn’t have to wait for convergence.

 

Step 2 – Check functionality

After an appropriate convergence time, check that all functionality is working before moving on to further steps.

Again, this depends on the size of your environment and your internal and external DNS configuration.

Marks post has a couple of scripts you can run if you wish to speed up the process internally.

 

Step 3 – Disable Shared SIP Address Space

Ensure you have the Skype for business powershell module

  • Import-Module LyncOnlineConnector
  • $credential = Get-Credential “<yourSkypeForBusinessAdminAccount”
  • $session = New-CsOnlineSession -Credential $credential
  • Import-PSSession $session
  • Set-CsTenantFederationConfiguration –SharedSipAddressSpace $false

 

Step 4 – Uninstall on premise components

On one of your home servers

  • Open the Skype for Business server control panel or PowerShell (whichever way you prefer)
    • Remove all objects possible (see Phase 3 of this document). These will vary greatly, so I have not listed all of the things to remove, but let me know if you are having trouble with one.
  • Open the Skype of Business topology manager
    • Download your existing topology
    • Remove configuration and components to allow you to strip the environment bare
      • Remove global routes to your edge servers, which will allow the edge servers to be removed
      • Remove application servers
      • Remove any configuration pointing to your mediation servers, then remove them
      • Remove persistent chant pools
      • Remove everything you can, which will be everything except the last server where your CSS is stored (if running standard)
    • Publish the topology
      • Run Skype for Business Server Deployment wizard on the edge and mediation (if this is co-located, there will not be additional mediation servers) servers, and allow it to remove all roles
      • These servers can now be switched off
  • Open the Skype of Business topology manager
    • Download your existing topology
    • Now when right clicking on your final server, if you to “topology” you will have an option of “Remove Deployment”
    • Select this and publish your topology again
  • Open Skype for business management shell
    • Get-CsConferenceDirectory | Remove-CsConferenceDirectory -Force
    • Publish-CsTopology -FinalizeUninstall
    • Run C:\Program Files\Skype for Business Server 2015\Deployment\bootstrapper.exe /scorch
    • Remove-CsConfigurationStoreLocation
    • Disable-CsAdDomain (This will remove the RTC groups from your AD permissions structure)
    • Disable-CsAdForest ((This will remove the CS* groups from your AD)
    • I found once this had completed, a couple of RTC groups still existed under the “users” container. This is likely due to the fact that the domain has hosted versions of Lync/OCS etc. sync LCS 2005. I deleted these manually.
  • Once this was completed, shut down your last Skype for business server on premise.

 

 

References

Mark Vale, August 17 2015, Decommissioning Skype for Business Hybrid and Going Cloud Only

Microsoft,  September 11 2013, Decommissioning a Deployment

Microsoft, March 26 2012, Remove-CsConfigurationStoreLocation

Microsoft, April 12 2011, Publish Final Topology and Remove Last Front End

Scripting Office 365 licensing with disabled services

In the past I’ve had a few clients request scripts to automatically set/assign licenses to users in Office 365 – Generally pretty simple stuff. Recently I had a client ask to disable a particular service within a license – again, not all that difficult – unless you want to actually check if a license/service is already configured correctly (and not make any changes if it is). Took a little while to work out, so figured I’d share the love!

Just to set a license for a user is a pretty simple process – all you need is the license ‘SkuId’ value of the relevant license. To get a list of the ones available in your tenant, run: Get-MsolAccountSku You’ll get a list of the available license SkuId’s and how many are active/consumed. In this article we’ll use an example SkuId of Contoso:STANDARDWOFFPACK_IW_STUDENT. Once you have the SkuId, all you need to run to assign the license is:

You’ll notice that the code above sets the location first – this is required, as you can’t apply a license without a location being set! What if you didn’t want to have all the applications available for the user? For example, the above license includes Yammer Education. In this case, we need to create a ‘License Options’ object first.

 So where did we get the “YAMMER_EDU” from? You can list the available services for a license by running:

What if we wanted to disable multiple services in the License Option? The “-DisabledPlans” option accepts a comma-separated list. For example:

Ok, so now we know how to get the available licenses and related services – as well as how to assign the license to the user. What if we wanted to check if a license is assigned to a user first? Personally, I’m not a huge fan of just re-stamping settings each time you run a script – so I thought I’d look into it. The easiest method I’ve found is to try bind to the license, then check if it’s $null or not:

From there we can do whatever we want – if the license is found and that’s all you care about, you can skip – otherwise you can use the other commands to set the license.
So what if we also want to make sure YAMMER_EDU is disabled as well? That’s a little trickier. First we need to bind to the license like we did above, then we need to check the status of the relevant ‘ServicePlan’.

At this point it’s probably a good idea to talk about the structure of these objects – you may not need to know it, but for anyone trying to modify these commands it might be helpful:

  • A ‘User’ object contains an attribute ‘Licenses’. This attribute is an array – as a user can have multiple licenses assigned.
  • A ‘License’ object contains two attributes relevant to this script; ‘AccountSkuID’ and ‘ServiceStatus’
    • AccountSkuId is the attribute that matches up with the AccountSkuId we’re using above
    • ServiceStatus is another array – it contains an array of objects representing the individual services available in that license – and their status.

The two attributes attached to a ‘ServiceStatus’ object that we care about are:

  • ServicePlan.ServiceName – this is the name to match the service above (eg: YAMMER_EDU)
  • ProvisioningStatus – this can be a bunch of values, but mostly ‘Success’, ‘Disabled’ or ‘PendingInput’. I’d assume there’s also ‘Provisioning’, but I’ve never seen it.

With this in mind, we can put together a script like the following – it reads the UPN and AccountSkuID from a CSV file, though you could use whatever source you like and update the script accordingly.

Note: In order to run this script, you’ll need:

 

Automating Mailbox Regional Settings in Exchange Online

When you migrate (or create) a mailbox in Exchange Online, the first time a user goes to open their mailbox they are prompted to select their Timezone and Language. I recently had a client ask for a more automated method of pre-populating these values, so thought I’d have a look into it.

Of course, there’s no global way to define these settings for users before they get a mailbox, so the settings have to be set once the mailbox has been migrated – this really only leaves the option of a custom powershell script – either something you run after each migration (or creation), or on a periodic schedule.

First, to the settings themselves. As it turns out, you can use the same commands that you’d use in on premise Exchange: Get-MailboxRegionalConfiguration and Set-MailboxRegionalConfiguration – which also means this script could be adapted to be used on premise as well. The two settings we’re concerned with here are “Language” and “TimeZone”. Since the client we’re dealing with here is solely based in Australia, we’re going to be setting all users to a language of “en-AU”. For the TimeZone, Microsoft provide a list of valid values here: https://support.microsoft.com/en-us/kb/2779520

Except that they’re missing two Australian time zones. The actual valid values for Australia are:

  • AUS Central Standard Time – Darwin
  • Cen. Australia Standard Time – Adelaide
  • AUS Eastern Standard Time – Canberra, Melbourne, Sydney
  • E. Australia Standard Time – Brisbane
  • Tasmania Standard Time – Hobart

So with that in mind, we can use the following commands:

Since we’re talking about a national business with users in different time zones, the time zone value is going to need to change for each user. In order to automate this, we’ll need some source information available that indicates in which state the user is located – ideally, you’re going to be using the ‘Office’ field in the user’s AD account – though obviously you could use any available attribute. The reason I recommend ‘Office’ (or ‘physicalDeliveryOfficeName’) is because it’s synchronised to Office 365 with the user account (and becomes ‘Office’).

Note: You don’t actually need the value in Office 365 – if you’re running the script on premise, you can query your AD directly and ignore the attributes in 365. When I wrote the script I opted to solely use data that was in Office 365 – primarily because I was developing the script remotely and didn’t have direct access to their AD – so if you want to use your local AD instead of values in 365, you’ll need to modify the script!

For this client, the ‘Office’ value for each user is prefixed with the state (ie: SA, NSW, QLD, WA) – so it was relatively simple to use a ‘Switch’ function in Powershell (similar to a ‘Case’ statement in vbscript).

In order to use the script, you need the following:

You’ll also need to update the 5 variables at the top of the script (paths, etc), as well as the Time Zones (and criteria) in the Switch statement.

 

Using Azure RM Site to Site VPN with a Dynamic IP

In the interests of saving a bit of money, I decided to switch my ADSL service from an expensive business connection to a cheap residential connection. In Australia this also means switching from a static IP address to a dynamic IP address. With most web-based services now able to be proxied via Microsoft’s Web Application Proxy (and other services using unique ports), it seemed like everything would be fine with a combination of a Dynamic DNS service and port forwarding. I only run a development environment at home, so if I could save some money without any real impact, all the better!

After I made the switch, I realised that I’d forgotten about my site-to-site VPN between my development environment and Azure Resource Manager (AzureRM). For those familiar with AzureRM and Site to Site VPN, you’ll know that your on premise IP address is configured in a “Local Network Gateway” object. I thought perhaps that you could enter a DNS entry in the IP address field – no such luck.

So I had a look around online to see if anyone else had some easy solution I could poach. While I could find a solution for Azure Classic, the objects are completely different in AzureRM (and the powershell commands are different) – so while it gave me a direction, I couldn’t use the solution as-is. So I had a look at the available AzureRM powershell cmdlets – primarily Get-AzureRmLocalNetworkGateway  and Set-AzureRmLocalNetworkGateway . The problem I came across was that ‘Set’ command really only accepts two parameters – a LocalNetworkGateway object, and AddressPrefix (for your local address spaces). No option to change the Gateway IP. The documentation didn’t give any additional information either.

Based on previous experience with powershell, I had assumed that the LocalNetworkGateway input object would need to refer to an existing object. As a last resort, I decided to try modify it before setting anyway – and it worked! So essentially we can do something like:

Obviously this is a fair way from an automated solution that can be run on a schedule! In order to put it into a workable solution, the following overall steps need to be taken:

  1. Configure a dynamic DNS service (such as www.noip.com) – this’ll need to be automatically updated via your router or client software
  2. On the server that will be running the scheduled task, install the Azure Powershell Cmdlets (as per https://azure.microsoft.com/en-us/documentation/articles/powershell-install-configure/)
  3. Create an administrative account in Azure AD that has administrative access on the subscription (they must be listed in the Azure Classic portal under Settings > Administrators). It’s important to note that when using the Login-AzureRM Credentials  command that the credentials used must be an ‘organisational account’ – you can’t use a Microsoft Live account (even if it’s a subscription administrator).
  4. Use some method of saving credentials for use in Powershell. I prefer to use a key-based encryption so it’s transportable between computers – a guide on doing this can be found here: http://www.adminarsenal.com/admin-arsenal-blog/secure-password-with-powershell-encrypting-credentials-part-2/
  5. Update the following values in the following script:
    1. DynDNS: the external DNS entry that resolves to your dynamic IP
    2. SubscriptionName: the name of your Azure subscription. This can be retrieved using Get-AzureRMSubscription
    3. User: the organisational administrative account
    4. PasswordFile: the file containing the encrypted password
    5. KeyFile: the file containing the encryption key (obviously you want to keep this safe – as it can be used to reverse engineer the password!)
    6. Address Prefixes on line 42.
  6. When running the script via Task Schedule, ensure you also specify the ‘Start In’ directory – otherwise you need to hard code paths in the script.

 

 

KMS Guide

Updated on :  11/08/2016 (Windows 10 KMS patch compatibility)
Relevant to:   KMS – all versions


KMS seems to be one of those things that is sometimes quite poorly understood – and many existing blog articles or pieces of documentation seem to gloss over important details (IMO). So, below is my attempt.

Concepts

 MAK – Multiple Activation Key

This type of key is intended to be used on multiple computers, but must be entered manually, via VAMT or in an SCCM task sequence. The activation process occurs once per machine either directly over the internet, via a MAK proxy or via telephone.

The MAK activation method is best suited for

  • Small organisations with 25 or less computers
  • Organisations who have certain machines which are not domain joined and/or do not connect to the business network regularly

KMS – Key Management Server(s)

A Key management server is a service which provides activation on behalf of clients. The KMS server is activated once, and in turn, clients will auto-locate and activate against the KMS service. (more about the details a bit later)

KMS Key – Key Management Server Key

This type of key is intended to be used on a Key Management Server to provide activation for clients and has a couple of important factors:

  • KMS requires what is called an “activation threshold”, which basically means that until you have more than 25 Windows 7/8/8.1 activations or more than 5 Windows Server 2008 R2/2012/2012 R2 activations, the KMS server is not active
  • To remain active, KMS clients must contact the KMS server once every 180 days. If it does not, the client will start showing activation messages.

Volume licensing

I would imagine that if you are reading this blog you are familiar with what volume licensing is. KMS and MAK are both used for volume licensing customers, you cannot activate retail or OEM operating system installs using these methods.


Decisions to be made prior to install

KMS or MAK

Many organisations we deal with use both.

If a machine is off the network for long periods of time or is not domain joined, use a MAK. (Please note that non-domain joined machines can still use a KMS, but usually there is a reason they are not domain joined, which may also mean they cannot access the KMS!)

For all the domain-joined, generally on the network machines, use KMS.

Choosing a KMS key

In my opinion, the Microsoft doco @ http://technet.microsoft.com/en-us/library/ff793412.aspx and http://technet.microsoft.com/en-us/library/ee939271.aspx makes it sound complex.

In short, go with the “highest” version of server you have available and it can then activate everything “below” it.

For example:

If you utilise the Server 2012 R2 standard key (KMS B), it can act as an activation server for 2008R2/2012/2012R2 standard and Win7/8/8.1, but it cannot activate datacentre editions.

If you utilise the Server 2012 R2 datacentre key (KMS C), it can activate other datacentre editions as well as all 2008R2/2012/2012R2 standard/datacentre and Win7/8/8.1.

“But I only want to license Windows 7 machines!” the response frequently comes back.

A KMS key will also license all products that are “lower” in the tree, so using a server 2012 R2 standard KMS key will allow you to license all windows 7 machines (as well as windows 8/8.1 and server 2008R2/2012/2012 R2)

“So why do I have a Windows 7 KMS key then?” is the next question

This is because it is an option to install a KMS on Windows 7, simple as that. This is something we would generally advise against, as most organisations that use a KMS would use it for their servers and workstations.

Choosing a KMS server – OS Version

Using the newest operating system in your environment generally means that you will not need to download additional updates or patches, so simply for that reason, we would recommend using the newest OS version you have available.

Choosing a KMS server – Server load & placement

The KMS role is a very low-load role and we have never had any issues co-locating it with other roles. One common pairing is placing the KMS role on the SCCM primary site server (for organisations of up to 5000 PC’s)

For larger organisations, we see various approaches. Some have dedicated KMS servers, some co-locate on other services.

This section is here because often people ask what the load is like and can be co-located with other roles. The short answer is, very low load service and it be co-located with anything that doesn’t need TCP 1688.

KMS publishing and load balancing

KMS, by default listens on port TCP 1688 and will (by default) publish a DNS SRV record to allow domain-joined clients to locate the KMS service. The record created is called _vlmcs

Windows 7/2008 R2 and above volume license operating systems automatically look for this DNS record.

SRV records have a weight and priority associated with them, and this, by its nature, allows multiple KMS’ to be published and administrators to use them in a round-robin scenario (same priority) or in a fault-tolerance scenario (different priorities)

It is possible to disable publishing for a KMS service, but this is not something we have ever done – and we are not quite sure of a scenario where this would be helpful (but this doesn’t meant there isn’t one!)

KMS1

Patching KMS to support Windows 10

In order to support Windows 10, you will need to patch your 2008R2, 2012 or 2012R2 KMS server as per

https://support.microsoft.com/en-au/kb/3086418


Office KMS

Office 2010 and 2013 have KMS add-on packs, that can be installed on an existing KMS server, these are available at:

Office 2010 KMS Host – http://www.microsoft.com/en-au/download/details.aspx?id=25095

Office 2013 KMS Host – http://www.microsoft.com/en-us/download/details.aspx?id=35584

Office 2016 KMS Host – https://www.microsoft.com/en-us/download/details.aspx?id=49164


Installing KMS + Office KMS step by step

These steps remain the same whether you are installing on Windows 2008 R2, 2012 or 2012 R2.

  • Decide which server will host your KMS. We recommend utilising the latest server version you have access to and the highest “edition” (at the time of writing, this is Server 2012 R2 Datacentre)
  • Logon to the server and open an elevated command prompt (this process will fail if you do not elevate the command prompt!)
    • C:
    • Cd windows\system32
    • Cscript slmgr.vbs /ipk <your product key, with the dashes>
    • Cscript slmgr.vbs /ato
  • You now have a KMS server
  • To verify the install and look at the number of currently activated machines
    • Cscript slmgr.vbs /dlv

KMS2

  • To install the Office KMS host (we will use 2013 in this example, however it is very similar to the 2010 process)
    • Download the KMS host update from the links above
    • Run the install
    • Enter your product key when prompted
  • To verify the install and look at the number of currently activated machines
    • Cscript slmgr.vbs /dlv all
    • Look for the appropriate office 15 (or 14) section

KMS3


Common questions

Question:            I want to move my KMS server, how do I move the activation database etc.?

Answer:               There is no activation database or anything that needs to be moved. Simply create a new KMS, install the KMS key and activate. Then decommission the “old” KMS by running slmgr.vbs –upk (uninstall product key) and then either delete the “old” _vlmcs record from DNS, or use slmgr.vbs -cdns

Question:            If my KMS client is off the network for more than 180 days, what do I do ?

Answer:               Simply re-attach it to the network, it will find the KMS server and renew its activation. If the client will regularly be off the network for more than 180 days, it would be wise to consider using a MAK for this client.

Question:             The SRV record has not registered in DNS.

Answer:                Sometimes a restart of the KMS service is required. Net Stop sppsvc then net start sppsvc

Sometimes, if an existing record already exists from a previous KMS, you may need to grant permissions over the DNS record, but frankly, its easier just to delete it and restart the KMS service (command above)

 


Common mistakes

Mistake: Using a KMS key on a number of client machines, either because the difference between MAK and KMS wasn’t clear, or my licensing person gave me the wrong key.

This can be quite easily fixed by changing the key on the affected clients :

Mistake: Deploying MAK keys in a task sequence, when you actually want to use a KMS.

If you want to use KMS, simply leave the product key section in your task sequence blank.

To “fix” existing clients, you will need to identify the machines with a MAK and install the default KMS key. The VAMT can be used to help identify and update these machines.

Mistake: Using the windows 10 KMS key on a server results in Error 0xC004F015

You need to use the server KMS keys on a server OS (as discussed above), please read the above article or visit https://support.microsoft.com/en-us/kb/3086418


Official doco references

Understanding MAK activation – http://technet.microsoft.com/en-us/library/ff793435.aspx

Understanding KMS activation – http://technet.microsoft.com/en-us/library/ff793434.aspx

Default KMS keys – http://technet.microsoft.com/en-us/library/jj612867.aspx

Deploying KMS – http://technet.microsoft.com/en-us/library/ff793409.aspx