Share this page : facebooktwitterlinkedinmailfacebooktwitterlinkedinmail


Default KMS implementation for a single-site network Senario

Contoso has 100 Windows 7 Enterprise clients and a mixed set of Windows Vista, Windows Server 2008, and Windows Server 2008 R2 systems. Contoso is a flat domain ( The DNS server runs Microsoft DNS in its default configuration. This configuration supports DNS dynamic update protocol and DNS record scavenging to remove stale records.

Contoso purchases a license agreement that provides a KMS key, which will activate all of its systems. The information technology (IT) administrator installs Contoso’s KMS host key (CSVLK) on two KMS hosts running Windows Server 2008 R2 by using the following command run locally at an elevated command prompt:

Slmgr.vbs /ipk <KMS_host_key>

The IT administrator then creates a Security Group in Active Directory® Domain Services (AD DS) named KMS_Hosts. The administrator adds the servers KMS_1 and KMS_2 to the KMS_Hosts membership.

The host KMS_1 is activated against Microsoft via the Internet: Slmgr.vbs /ato. KMS_1 automatically publishes its SRV resource records (RRs) to DNS. The IT administrator accesses the DNS server, locates the RR for, and changes its permissions to give KMS_Hosts Read, Write, and Delete permission to the record. The host KMS_2 is now activated against Microsoft via the Internet: Slmgr.vbs /ato.

Finally, the administrator confirms that the KMS host exclusion is enabled in Windows Firewall. The Key Management Service firewall exception needs to be enabled.

KMS clients on the Contoso network query DNS and receive the SRV records for both KMS hosts. The clients pick one or the other host and are activated (as soon as the KMS count rises above the threshold). See the section, “Activation Policy Values,” for more information about KMS count requirements.