Using a KMS Server

KB ID 0000582

Problem

Given the amount of deployments I do, it’s surprising that I don’t use KMS more often. Like most technical types, I find a way that works for me, and that’s the way I do things from then on. However, these last few weeks I’ve been putting in a new infrastructure for a local secondary school. Their internet access is through a proxy server that refuses to let Windows activation work. Unfortunately the “Administrators” of this proxy server were not disposed to give me any help, or let me anywhere near it, to fix it.

So after activating a dozen servers over the phone, I decided enough was enough: “I’m putting in a KMS Server!”

I’m deploying KMS on Windows Server 2008 R2, and it is for the licensing and activation of Server 2008 R2 and Windows 7. I will also add in the licensing KMS mechanism for Office 2010 as well.

Note: If you are using Server 2003 it will need SP1 (at least) and this update.

Solution

To be honest it’s more difficult to find out how to deploy a KMS server, than it actually is to do. I’ve gone into a fair bit of detail below but most of you will simply need to follow steps 1-4 (immediately below). In addition, after that I’ve outlined how to deploy KMS from command line. Then how to test it, and finally how to add Microsoft Office 2010 Licenses to the KMS Server.

Install Microsoft Windows 2008 R2 Key Management Service (EASY)

1. The most difficult part is locating your KMS Key! If you have a Microsoft License agreement, log into the Microsoft Volume License Service Center, and retrieve the KMS License Key for “Windows Server 2008 Std/Ent KMS B”

Note: To License/Activate Server 2008 R2 AND Windows 7 THIS IS THE ONLY KEY YOU NEED. You do NOT need to add additional keys for Windows 7. (You DO for Office 2010, but I’ll cover that below).

2. Armed with your new key, you simply need to change the product key on the server that will be the KMS server, to the new key. Start > Right Click “Computer” > Properties. (Or Control Panel > System). Select “Change Product Key” > Enter the new KMS Key > Next.

3. You will receive a warning that you are using a KMS Key > OK. You may now need to activate your copy of Windows with Microsoft; this is done as normal, and if you can’t get it to work over the internet you can choose to do it over the phone.

4. In a corporate environment (behind an edge firewall) you may have the local firewall disabled on the server. If you do NOT, then you need to allow access through the local firewall for the “Key Management Service” (this runs over TCP port 1688). To allow the service, Start > Firewall.cpl {enter} > “Allow program or feature through Windows Firewall” > Tick Key Management Service > OK.

Note: Should you wish to change the port the service uses, you can do so with the following command, i.e. to change it to TCP Port 1024;

[box]

cscript c:\Windows\System32\slmgr.vbs /SPrt 1024

[/box]

That’s It! That is all you should need to do, your KMS Server is up and running.

Install Microsoft Windows 2008 R2 Key Management Service from Command Line

You will notice below that I’m running these commands from command windows running as administrator (Right click “Command Prompt” > Run as administrator).

1. Locate your “Windows Server 2008 Std/Ent KMS B” Key > From command line issue the following command;

[box]

cscript c:\Windows\System32\slmgr.vbs /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

[/box]

Note: To License/Activate Server 2008 R2 AND Windows 7 THIS IS THE ONLY KEY YOU NEED. You do NOT need to add additional keys for Windows 7. (You DO for Office 2010, but I’ll cover that below).

2. Providing the command runs without error, we have just changed the product key for this Windows server to be the KMS key.

3. Now we need to activate the Windows Server > Run the following command;

[box]

c:\Windows\System32\slui.exe

[/box]

Select “Activate Windows online now” > Follow the on screen prompts.

4. When complete, it should tell you that it was successfully activated.

5. In a corporate environment (behind an edge firewall) you may have the local firewall disabled on the server. If you do NOT, then you need to allow access through the local firewall for the “Key Management Service” (this runs over TCP port 1688). To allow the service, Start > Firewall.cpl {enter} > “Allow program or feature through Windows Firewall” > Tick Key Management Service > OK.

Note: Should you wish to change the port the service uses, you can do so with the following command, i.e. to change it to TCP Port 1024;

[box]

cscript c:\Windows\System32\slmgr.vbs /SPrt 1024

[/box]

That’s It! That is all you should need to do, your KMS Server is up and running.

Testing the Key Management Server

Before it will start doing what you want it to, you need to meet certain thresholds: with Windows 7 clients it WON’T work till it has had 25 requests from client machines. If you are making the requests from Windows 2008 Servers then the count is 5. (Note: For Office 2010 the count is 5 NOT 25.)

Interestingly: On my test network I activated five Windows 7 machines, then one server, and it started working.

Windows 7 and Windows 2008 R2 have KMS Keys BUILT INTO THEM, if you are deploying/imaging machines you should not need to enter a key into them (unless you have entered a MAK key on these machines then you will need to change it to a client KMS Key). These are publicly available (see here).

1. The service works because it puts an SRV record in your DNS. When clients want to activate, they simply look for this record before they try to activate with Microsoft; if they find the record, they activate from your KMS Server instead. If you look on your domain DNS servers, expand “Forward Lookup Zones” > {your domain name} > _tcp > You will see an entry for _VLMCS that points to your KMS Server.

2. From your client machines you can test that they can see the SRV record, by running the following command;

[box]

nslookup -type=srv _vlmcs._tcp

[/box]

Note: If this fails, can your client see the DNS server? And is it in the domain?

3. There is no GUI console for KMS to see its status, so run the following command on the KMS server;

[box]

cscript c:\Windows\System32\slmgr.vbs /dli

[/box]

4. As I’ve mentioned above, with Windows clients you need 25 requests, and with Windows Servers you need 5, before KMS will work. Before this you will see;

Windows Activation
A problem occurred when Windows tried to activate. Error Code 0xC004F038

5. For each of these failures, look on the KMS Server, and the “Current count” will increment by 1 till it starts to work. In a live environment this won’t be a problem (you probably won’t be looking at KMS with less than 25 clients!). On a test network just clone/deploy a load of machines until you hit the threshold.

Troubleshooting KMS Clients

To make things simple, the command to execute on the clients is the same command that you run on the KMS server to check the status.

[box]

cd c:\windows\system32
slmgr /dli

[/box]

For further troubleshooting, see the following links.

How to troubleshoot the Key Management Service (KMS)

Managing License States

Adding an Office 2010 KMS Key to Your KMS Server.

In addition to servers and clients, KMS can activate and handle Office 2010 licenses as well. You simply need to add in Office support, and your Office 2010 KMS key. As mentioned above, unlike Windows clients, you only need five requests to the KMS server before it will start activating Office 2010 normally.

If you want a KMS Server for JUST OFFICE 2010 and not Windows, then simply install and run the Office 2010 Key Management Service Host.

1. First locate your Office 2010 KMS Key! If you have a Microsoft License agreement, log into the Microsoft Volume License Service Center, and retrieve the KMS License Key for “Office 2010 Suites and Apps KMS”

Note: As with Windows 7, and Server 2008 R2, Office 2010 comes with a KMS key already installed, if you have changed the key to a MAK key you can change it back using the Microsoft public KMS keys (see here).

2. Download and run the “Microsoft Office 2010 KMS Host License Pack”.

3. When prompted type/paste in your “Office 2010 Suites and Apps KMS” product key > OK.

4. It should accept the key.

5. Press {Enter} to close.

6. Once you have five Office 2010 installations they should start to activate from your KMS server.

Troubleshooting Office 2010 KMS Activation

If you have a client that refuses to work you can manually force it to activate against your KMS server;

x64 Bit Clients. (Where kms.domaina.com is the FQDN of the KMS server)

[box]

cscript "C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS" /sethst:kms.domaina.com
cscript "C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS" /act

[/box]

x32 Bit Clients. (Where kms.domaina.com is the FQDN of the KMS server)

[box]

cscript "C:\Program Files\Microsoft Office\Office14\OSPP.VBS" /sethst:kms.domaina.com
cscript "C:\Program Files\Microsoft Office\Office14\OSPP.VBS" /act

[/box]

Related Articles, References, Credits, or External Links

KMS Activation – Error: 0xC004C008

Exchange AutoDiscover Errors – Creating an AutoDiscover SRV Record

KB ID 0001184

Problem

Ages ago I wrote the following article;

Outlook Error “The name of the security certificate is invalid or does not match the name of the site.”

You used to see this error a lot if your internal and external domain names were different and the ‘public’ domain name was on the certificate. In those cases I’d also set up split DNS like so;

Windows – Setting Up Split DNS

But you can simply create a DNS SRV record that your clients will use for Autodiscover.

Solution

Note: Before proceeding MAKE SURE you DON’T have an A record in your domain for “autodiscover.{your-domain}”, or a CNAME record for autodiscover that points back to your Exchange. We want an SRV record ONLY.

Within your domain DNS, create a new ‘Other’ record.

Choose service location (SRV) > Create Record.

Your domain name will be entered automatically, set the following;

  • Service: _autodiscover
  • Protocol: _tcp
  • Port number: 443
  • Host offering this service: {The FQDN of your CAS/Exchange server}.

You will need to expand the _tcp folder to see the record.

I Use Split DNS?

No problem. In your internal DNS, in the forward lookup zone that matches your public address space, create an SRV record as well. When you are finished (if you have set it up properly), you will see a _tcp sub folder appear below the forward lookup zone.

What About My Public DNS Settings?

Exactly the same! Remove any A or CNAME records, and create an SRV record, how you do this, varies from DNS host to DNS host. Some oddities I’ve found;

  • Some public DNS vendors won’t let you set a priority of ‘0’ Zero on an SRV record; just use 1 (unless you have multiple ones!)
  • Some public DNS vendors SRV records don’t work, unless you put a ‘full stop’ at the end of the domain name. (In fact all domain names have a full stop at the end of them, it’s just you can’t normally see them!)

As an example, here’s me creating an SRV record on my DNS hosting provider (Vidahost)

So when it’s created it will look like this;

I’ve got Multiple Public E-Mail Domain names running from the same Server?

Again not a problem, for each domain, delete the A and CNAME records for autodiscover. Then point your SRV record to the DNS name that is actually presented by the Exchange server (even if that’s with another DNS vendor).

Why Does This work?

Well I’m glad you asked! When Outlook looks for Autodiscover the first thing it does is look for the Autodiscover SCP point in your Active Directory. You can see this in your ‘AD Sites and Services’ (you need to add in the Services node from the view options before you can see it).

If it can’t get a response from there, it takes your domain name and tries the following locations;

[box]

https://{domain-name}/autodiscover/autodiscover.{file-extension}
AND
https://autodiscover.{domain-name}/autodiscover/autodiscover.{file-extension}

[/box]

Note: The file extension is usually .xml but it can be .svc

If it STILL can’t get a response it tries the following;

[box]

http://autodiscover.{domain-name}/autodiscover/autodiscover.xml

[/box]

Note: If you are wondering what the difference is, that one is on port 80 not port 443.

If it STILL can’t get an answer, then it looks for the SRV record in DNS that you created above.

How To Test the AutoDiscover SRV Record

It’s a DNS record, so we can query it with nslookup to make sure it’s OK.

[box]

nslookup -q=srv _autodiscover._tcp.{domain-name}
OR

nslookup
set q=srv (or you can use SET TYPE=SRV)
_autodiscover._tcp.{domain-name}

[/box]
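The nslookup tests above (for `_vlmcs._tcp` in the KMS article and `_autodiscover._tcp` here) only show the resolver's view. The following added example, which is not part of the original article, builds an SRV query in DNS wire format and parses a constructed reply, so you can see exactly what a client receives (priority, weight, port and a fully qualified target with its trailing dot) and the order in which it will try the targets; the `example.com` names and the two-host KMS reply are constructed sample data.

```python
import struct

def encode_name(name):
    """Dotted name (trailing dot optional) -> DNS label sequence."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_srv_query(name, txid=0x1234):
    """Header (RD=1, one question) + QNAME + QTYPE=SRV(33) + QCLASS=IN(1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 33, 1)

def decode_name(msg, off):
    """Decode a (possibly compressed) name; returns (fqdn, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)

def parse_srv_answers(msg):
    """Return [(priority, weight, port, target)] for each SRV RR in the answer section."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                    # skip the echoed question
        off = decode_name(msg, off)[1] + 4
    records = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 33:                    # SRV
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            records.append((prio, weight, port, decode_name(msg, off + 6)[0]))
        off += rdlen
    return records

def client_order(records):
    """Order clients try targets: lowest priority first, heavier weight first within it."""
    return [(t, port) for _, _, port, t in sorted(records, key=lambda r: (r[0], -r[1]))]

def _srv_rr(owner, prio, weight, port, target, ttl=3600):
    rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
    return owner + struct.pack("!HHIH", 33, 1, ttl, len(rdata)) + rdata

def sample_response():
    """Constructed reply to a _vlmcs._tcp.example.com query: two KMS hosts."""
    query = build_srv_query("_vlmcs._tcp.example.com")
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    owner = b"\xC0\x0C"                    # pointer back to the QNAME at offset 12
    return (header + query[12:]
            + _srv_rr(owner, 0, 100, 1688, "kms1.example.com")
            + _srv_rr(owner, 10, 0, 1688, "kms2.example.com"))
```

Sending `build_srv_query(...)` to a resolver over UDP port 53 and feeding the reply to `parse_srv_answers` gives the same data nslookup prints; for an Autodiscover check the name is `_autodiscover._tcp.{domain-name}` and the port in each record should be 443.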

Like this;

Or if you use macOS or Linux;

Why Do I Have to Remove My A and CNAME Records for Autodiscover?

If they exist they will get used before the SRV record. You may think that’s fine, but it may lead to all sorts of horrible Outlook setups and errors about certificate names.

Outlook Error “The name of the security certificate is invalid or does not match the name of the site.”

Related Articles, References, Credits, or External Links

Outlook – Constantly Prompts for a Password

Original article written: 12/05/16

Setting up the Correct DNS Records for your Web or Mail Server

KB ID 0000567 

Problem

Simply purchasing a domain name is not enough to get email flowing in your direction, and people onto your website. You also need your DNS records to point to your IP address(es) as well.

For most people that means sending either an email or a fax (on company headed notepaper) requesting that these records be set up correctly. You will need to send this request to your ISP (or whoever is hosting your public DNS records).

This runs through what information you should request and why.

Remember if you have a security device on the outside of your network (like a firewall or a router providing firewall services) the correct ports will need to be open to your web server (usually TCP Port 80 and/or 443), or your mail server (TCP Port 25, though Exchange may require 443 for OWA and ActiveSync).

Note: This assumes your ISP has given you either a static public IP address or a range of public IP addresses, although it is possible to use services like no-ip if you don’t have a static IP address.

DNS Records – Web server Requirements

DNS Records – Mail Server Requirements

Solution

Setting up DNS Records for a Web Server (A Records)

I’m not bothered how it works, what do I need to send to my ISP?

To get to http://www.yourwebsite.com people need to be able to translate that address to the IP address of your web server. You do this by sending a “query” to a DNS server, which either checks with other DNS servers, or sends you the IP address directly.

1. You need to purchase your domain name. This may sound obvious but I’ve seen people who own companya.com, simply add company.co.uk to their Exchange server and expect it to work!

2. This website is on my petenetlive.com domain, the people who host my DNS records have a record called an “A Record” (may be called a “host” record depending on your ISP) that points www to the public address of my website, like so;

Note: Above I’ve shown you how the record would look in a Windows DNS server, just so you can get an idea of what these records are that you are requesting. (also they take seconds to create, don’t let your ISP take ages to do this!).

Testing your DNS Host Records

On a Windows client you have a command that can test, and show you, what your machine sees when it looks for DNS records; this is called nslookup. Below you can see I’m issuing a query to see what IP address www.petenetlive.com should be on.

Note: I’m not on this IP address, I’ve just set it up this way for the purpose of demonstration. Drop to command line and issue the above command and you will see my real current IP address.

What do I need to Request from my ISP / Domain Host?

Assuming your domain name is xyz-company.com and you have a public IP address of 234.234.234.234. The following should suffice;

[box]

Ref: Domain name xyz-company.com

Please can you arrange for my www record to point to 234.234.234.234

Signed
{Someone your ISP has on record}

[/box]

Setting up DNS Records for an Email Server (A, MX, PTR and SPF Records)

I’m not bothered how it works, what do I need to send to my ISP?

1. Just as above your mail server(s) will need an “A Record“, I’m going to create two (just to demonstrate mail preferences later on), one for mail.petenetlive.com and the other for mail2.petenetlive.com

2. Now, you need an MX (Mail Exchange) Record that points to the A Record(s) you created earlier, you can set them with preferences.

What are MX Record Preferences

If you have multiple mail servers, or a backup mail system, you can create as many MX Records as you like. By default mail will be sent to the LOWEST preference first; if that IP address is offline or unreachable it will try the NEXT HIGHEST preference.

Testing your MX Records

As above I’m going to use the nslookup command, though this time I’ll simply issue the nslookup command on its own, then I can change the type of record it searches for to MX, before I issue my query.

Note: Helpfully it also shows you the correct A Records as well.

3. Though not essential to get your mail, you should also have a PTR (Pointer) record(s) set up as well. These work the opposite way round to an A Record. An A Record converts a name into an IP address, a PTR Record converts an IP address back to the name again.

Why Do I Need PTR Records?

With the explosion in the amount of spam being sent, people have sought a system that will cut it down. So some email systems (famously Hotmail) started doing reverse lookups on incoming mail: they look up the address that is sending them mail (THAT WOULD BE YOU) and if it does not resolve back to the domain name of the email being sent, they drop the mail (this is called a Reverse Lookup Failure). So without PTR records you may find you cannot email some domains. If your ISP cannot provide PTR records you may need to ask if you can route your mail through your ISP’s “Smart Host”.

Testing your PTR Records

As above, I’m going to use the nslookup command, though this time I’ll simply issue the nslookup command on its own, then I can change the type of record it searches for to PTR records, before I issue my query.

4. The last type of record you MAY need is an SPF (Sender Policy Framework) Record. It is designed so you can list your mail servers and domains in a special record (either a TXT record or a DNS record of type 99, the dedicated SPF type). SPF records are designed to cut down spam, but to be honest YOU ONLY NEED ONE IF you have some external entity that sends mail that comes from your email addresses (i.e. your web hosted CRM system).

How do I create an SPF Record?

An SPF Record is just some text (see above), the simplest way to work out what you need in yours, is to use this wizard.

Testing your SPF Records

As above, I’m going to use the nslookup command, though this time I’ll simply issue the nslookup command on its own, then I can change the type of record it searches for to TXT records, before I issue my query.

Note: This is also a great online checking tool.

What do I need to Request from my ISP / Domain Host?

Assuming your domain name is xyz-company.com and you have a public IP address of 234.234.234.234. The following should suffice;

[box]

Ref: Domain name xyz-company.com

Please can you arrange for the following records to be created;

A/Host Record for mail.xyz-company.com to point to 234.234.234.234
MX Record (Preference 10) that points to mail.xyz-company.com
PTR Record that points 234.234.234.234 to mail.xyz-company.com

Signed
{Someone your ISP has on record}

[/box]

Assuming your domain name is xyz-company.com and you have a public IP address of 234.234.234.234, and a backup mail server at your secondary site that has an IP address of 333.333.333.333. The following should suffice;

[box]

Ref: Domain name xyz-company.com

Please can you arrange for the following records to be created;

A/Host Record for mail.xyz-company.com to point to 234.234.234.234
A/Host Record for mail2.xyz-company.com to point to 333.333.333.333
MX Record (Preference 10) that points to mail.xyz-company.com
MX Record (Preference 20) that points to mail2.xyz-company.com
PTR Record that points 234.234.234.234 to mail.xyz-company.com
PTR Record that points 333.333.333.333 to mail2.xyz-company.com

Signed
{Someone your ISP has on record}

[/box]
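Once your ISP says the records in the templates above are in place, it is worth checking them the way a receiving mail server does: MX hosts in preference order, each A record matched against its PTR (the “Reverse Lookup Failure” check described earlier), and the sending IP checked against your SPF record. The following is an added example, not part of the original article; the zone data is constructed, the second mail server uses a documentation-range address because 333.333.333.333 is not a valid IPv4 address, and its PTR is deliberately wrong so the audit has something to report.

```python
import ipaddress

# Constructed stand-in for the records requested in the templates above.
ZONE = {
    "A":   {"mail.xyz-company.com": "234.234.234.234",
            "mail2.xyz-company.com": "198.51.100.20"},
    "MX":  {"xyz-company.com": [(20, "mail2.xyz-company.com"),
                                (10, "mail.xyz-company.com")]},
    "PTR": {"234.234.234.234.in-addr.arpa": "mail.xyz-company.com",
            "20.100.51.198.in-addr.arpa": "www.xyz-company.com"},  # deliberately wrong
    "TXT": {"xyz-company.com": ["v=spf1 mx -all"]},
}

def reverse_name(ip):
    """The in-addr.arpa name a PTR query actually asks for (octets reversed)."""
    return ipaddress.ip_address(ip).reverse_pointer

def mx_delivery_order(zone, domain):
    """Sending servers try the LOWEST preference first, then the next highest."""
    return [host for _, host in sorted(zone["MX"].get(domain, []))]

def check_mail_host(zone, host):
    """Forward-confirmed reverse DNS: A record -> PTR record -> same host name."""
    ip = zone["A"].get(host)
    if ip is None:
        return (host, None, "no A record")
    ptr = zone["PTR"].get(reverse_name(ip))
    if ptr is None:
        return (host, ip, "no PTR record")
    if ptr.lower().rstrip(".") != host.lower().rstrip("."):
        return (host, ip, f"PTR resolves to {ptr}, not {host}")
    return (host, ip, "ok")

def spf_allows(zone, domain, ip):
    """Minimal SPF check: True on a pass, False on fail/softfail, None if no record."""
    record = next((t for t in zone["TXT"].get(domain, []) if t.startswith("v=spf1")), None)
    if record is None:
        return None
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech == "mx":
            hit = any(zone["A"].get(h) == ip for h in mx_delivery_order(zone, domain))
        elif mech.startswith("ip4:"):
            hit = ipaddress.ip_address(ip) in ipaddress.ip_network(mech[4:], strict=False)
        elif mech == "all":
            hit = True
        else:
            hit = False                    # include/a/ptr mechanisms not modelled here
        if hit:
            return qualifier == "+"
    return False

def audit_domain(zone, domain):
    """One entry per MX host, in delivery order, plus whether SPF authorises its IP."""
    results = []
    for host in mx_delivery_order(zone, domain):
        name, ip, status = check_mail_host(zone, host)
        results.append((name, ip, status, spf_allows(zone, domain, ip) if ip else None))
    return results
```

Against live DNS the same four checks are exactly what `nslookup` with `set type=MX`, `set type=PTR` and `set type=TXT` show you by hand; the audit just joins them up so a mismatched PTR stands out before a recipient starts dropping your mail.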

Related Articles, References, Credits, or External Links

NA

 

CentOS BIND DNS Not Responding To DNS Queries

KB ID 0000906 

Problem

While moving my DNS records from my old hosting company, I finally got round to pointing my domain name server records at my own server. I then saw my web traffic nose dive! Some troubleshooting steps later I realised I could not connect to my server on TCP port 53 (use an online port scanner to test yours).

Solution

Allow Access to DNS BIND From Remote Clients

1. Firstly let’s make sure that the firewall is not blocking DNS (Note: I’m using iptables).

[box]

# UDP carries normal DNS queries; TCP is used for zone transfers and large answers
iptables -A INPUT -p udp -m state --state NEW --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW --dport 53 -j ACCEPT
# Note: -A appends after any existing REJECT rule at the end of INPUT; use -I to insert above it if so
service iptables save
service iptables restart

[/box]

2. Still mine refused to work! I had to edit the named.conf file;

[box]

nano /etc/named.conf

[/box]

3. Mine was set to only respond to 127.0.0.1, and only return localhost.

Before

After
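As an added illustration (not a copy of the author’s file), this is what that change looks like in the options block of a stock CentOS named.conf; the exact directives and values in your copy are an assumption to check against your own file.

```conf
// Before (stock CentOS named.conf): only listens on the loopback interface,
// and only answers queries that come from the local machine.
options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    allow-query     { localhost; };
    recursion yes;
};

// After: answer queries for your own zones from anywhere, but turn recursion
// off so the server only serves the zones it is authoritative for.
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
    allow-query     { any; };
    recursion no;
};
```

Leaving recursion on together with allow-query { any; } makes the box an open resolver that can be used to amplify traffic at third parties, so on an authoritative-only server keep recursion off.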

4. Then restart the BIND DNS service (named);

[box]

service named restart

[/box]

Related Articles, References, Credits, or External Links

NA