Share this page : facebooktwitterlinkedinmailfacebooktwitterlinkedinmail


Default KMS implementation for a single-site network Senario

Contoso has 100 Windows 7 Enterprise clients and a mixed set of Windows Vista, Windows Server 2008, and Windows Server 2008 R2 systems. Contoso is a flat domain ( The DNS server runs Microsoft DNS in its default configuration. This configuration supports DNS dynamic update protocol and DNS record scavenging to remove stale records.

Contoso purchases a license agreement that provides a KMS key, which will activate all of its systems. The information technology (IT) administrator installs Contoso’s KMS host key (CSVLK) on two KMS hosts running Windows Server 2008 R2 by using the following command run locally at an elevated command prompt:

Slmgr.vbs /ipk <KMS_host_key>

After you specify the GVLK key, the KMS client tries to connect to the previously configured KMS server or find a special SRV (_VLMCS) record in the DNS that is created when you install a new KMS server in the domain and pointing to your KMS server. After KMS server discovery, the client performs the OS activation.

You can skip this step if your DNS has a valid SRV record that allows clients to find the KMS server.

Tip. You can check this DNS entry using the nslookup command:

nslookup -q=SRV

If the client does not find the KMS server automatically, then you can specify the address of the KMS server manually using the slmgr with the option /skms. You can also specify the TCP port on which the activation service listens (by default 1688):

slmgr /skms <KMS_server_name_or_IP>:1688

Then you can activate the windows with KMS server:

Slmgr /ato

To confirm the status:

slmgr /dli

The IT administrator then creates a Security Group in Active Directory® Domain Services (AD DS) named KMS_Hosts. The administrator adds the servers KMS_1 and KMS_2 to the KMS_Hosts membership.

The host KMS_1 is activated against Microsoft via the Internet: Slmgr.vbs /ato. KMS_1 automatically publishes its SRV resource records (RRs) to DNS. The IT administrator accesses the DNS server, locates the RR for, and changes its permissions to give KMS_Hosts Read, Write, and Delete permission to the record. The host KMS_2 is now activated against Microsoft via the Internet: Slmgr.vbs /ato.

Finally, the administrator confirms that the KMS host exclusion is enabled in Windows Firewall. The Key Management Service firewall exception needs to be enabled.

KMS clients on the Contoso network query DNS and receive the SRV records for both KMS hosts. The clients pick one or the other host and are activated (as soon as the KMS count rises above the threshold). See the section, “Activation Policy Values,” for more information about KMS count requirements.