Using a KMS Server

KB ID 0000582

Problem

Given the amount of deployments I do, it’s surprising that I don’t use KMS more often. Like most technical types, I find a way that works for me, and that’s the way I do things from then on. However these last few weeks I’ve been putting in a new infrastructure for a local secondary school. Their internet access is through a proxy server, that refuses to let Windows activation work. Unfortunately the “Administrators” of this proxy server were not disposed to give me any help, or let me anywhere near it, to fix it.

So after activating a dozen servers over the phone, I decided enough was enough “I’m putting in a KMS Server!”

I’m deploying KMS on Windows Server 2008 R2, and it is for the licensing and activation of Serer 2008 R2 and Windows 7. I will also add in the licensing KMS mechanism for Office 2010 as well.

Note: If you are using Server 2003 it will need SP1 (at least) and this update.

Solution

To be honest it’s more difficult to find out how to deploy a KMS server, than it actually is to do. I’ve gone into a fair bit of detail below but most of you will simply need to follow steps 1-4 (immediately below). In addition, after that I’ve outlined how to deploy KMS from command line. Then how to test it, and finally how to add Microsoft Office 2010 Licenses to the KMS Server.

Install Microsoft Windows 2008 R2 Key Management Service (EASY)

1. The most difficult part is locating your KMS Key! If you have a Microsoft License agreement, log into the the Microsoft Volume License Service Center, and retrieve the KMS License Key for “Windows Server 2008 Std/Ent KMS B”

Note: To License/Activate Server 2008 R2 AND Windows 7 THIS IS THE ONLY KEY YOU NEED. You do NOT need to add additional keys for Windows 7. (You DO for Office 2010, but I’ll cover that below).

2. Armed with your new key, you simply need to change the product key on the server that will be the KMS server, to the new key. Start > Right Click “Computer” > Properties. (Or Control Panel > System). Select “Change Product Key” > Enter the new KMS Key > Next.

3. You will receive a warning that you are using a KMS Key > OK. You may now need to activate your copy of Windows with Microsoft, this is done as normal, if you can’t get it to work over the internet you can choose to do it over the phone.

4. In a corporate environment (behind an edge firewall) you may have the local firewall disabled on the server. If you do NOT then you need to allow access through the local firewall for the “Key Management Service”, (this runs over TCP port 1688). To allow the service, Start > Firewall.cpl {enter} > Allow program or feature through Windows Firewall” > Tick Key Management Service > OK.

Note: Should you wish the change the port the service uses, you can do so with the following command, i.e. to change it to TCP Port 1024;

[box]

cscript c:\Windows\System32\slmgr.vbs /SPrt 1024

[/box]

That’s It! That is all you should need to do, your KMS Server is up and running.

Install Microsoft Windows 2008 R2 Key Management Service from Command Line

You will notice below that I’m running these commands from command windows running as administrator (Right click “Command Prompt” > Run as administrator).

1. Locate your “Windows Server 2008 Std/Ent KMS B” Key > From command line issue the following command;

[box]

cscript c:\Windows\System32\slmgr.vbs /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

[/box]

Note: To License/Activate Server 2008 R2 AND Windows 7 THIS IS THE ONLY KEY YOU NEED. You do NOT need to add additional keys for Windows 7. (You DO for Office 2010, but I’ll cover that below).

2. Providing the command runs without error, we have just changed the product key for this Windows server to be the KMS key.

3. Now we need to activate the Windows Server > Run the following command;

[box]

c:\Windows\System32\slui.exe

[/box]

Select “Activate Windows online now” > Follow the on screen prompts.

4. When complete, it should tell you that it was successfully activated.

5. In a corporate environment (behind an edge firewall) you may have the local firewall disabled on the server. If you do NOT then you need to allow access through the local firewall for the “Key Management Service”, (this runs over TCP port 1688). To allow the service, Start > Firewall.cpl {enter} > Allow program or feature through Windows Firewall” > Tick Key Management Service > OK.

Note: Should you wish the change the port the service uses, you can do so with the following command, i.e. to change it to TCP Port 1024;

[box]

cscript c:\Windows\System32\slmgr.vbs /SPrt 1024

[/box]

That’s It! That is all you should need to do, your KMS Server is up and running.

Testing the Key Management Server

Before it will start doing what you want it to, you need to meet certain thresholds, with Windows 7 clients it WONT work till it has had 25 requests from client machines. If you are making the requests from Windows 2008 Servers then the count is 5. (Note: For Office 2010 the count is 5 NOT 25)

Interestingly: On my test network I activated five Windows 7 machines, then one server, and it started working.

Windows 7 and Windows 2008 R2 have KMS Keys BUILT INTO THEM, if you are deploying/imaging machines you should not need to enter a key into them (unless you have entered a MAK key on these machines then you will need to change it to a client KMS Key). These are publicly available (see here).

1. The service works because it puts an SRV record in your DNS, when clients want to activate, they simply look for this record before they try and activate with Microsoft, if they find the record, they activate from your KMS Server instead. If you look on your domain DNS servers, expand “Forward Lookup Zones” > {your domain name} > _tcp > You will see an entry for _VLMCS that points to your KMS Server.

2. From your client machines you can test that they can see the SRV record, by running the following command;

[box]

nslookup -type=srv _vlmcs._tcp

[/box]

Note: If this fails, can your client see the DNS server? And is it in the domain?

3. There is no GUI console for KMS to see its status, so run the following command on the KMS server;

[box]

cscript c:\Windows\System32\slmgr.vbs /dli

[/box]

4. As I’ve mentioned above, with Windows clients you need 25, and Windows Servers you will need 5 requests before KMS will work, before this you will see;

Windows Activation
A problem occurred when Windows tried to activate. Error Code 0xC004F038

5. For each of these failures, look-in the KMS Server, and the “Current count” will increment by 1 till it starts to work). In a live environment this wont be a problem, (You probably wont be looking at KMS with less than 25 clients!). On a test network just clone/deploy a load of machines until you hit the threshold.

Troubleshooting KMS Clients

To make things simple the command to execute on the clients, is the same command that you run on the KMS server to check the status.

[box]

cd c:\windows\system32
slmgr /dli

[/box]

For further troubleshooting, see the following links.

How to troubleshoot the Key Management Service (KMS)

Managing License States

Adding an Office 2010 KMS Key to Your KMS Server.

In addition to servers and clients, KMS can activate and handle Office 2010 licenses as well. You simply need to add in Office support, and your Office 2010 KMS key. As mentioned above, unlike Windows clients, you only need five requests to the KMS server before it will start activating Office 2010 normally.

If you want a KMS Server for JUST OFFICE 2010 and not Windows, then simply install and run the Office 2010 Key Management Service Host.

1. First locate your Office 2010 KMS Key! If you have a Microsoft License agreement, log into the the Microsoft Volume License Service Center, and retrieve the KMS License Key for “Office 2010 Suites and Apps KMS”

Note: As with Windows 7, and Server 2008 R2, Office 2010 comes with a KMS key already installed, if you have changed the key to a MAK key you can change it back using the Microsoft public KMS keys (see here).

2. Download and run the “Microsoft Office 2010 KMS Host License Pack“.

3. When prompted type/paste in your “Office 2010 Suites and Apps KMS” product key > OK.

4. It should accept the key.

5. Press {Enter} to close.

6. Once you have five Office 2010 installations they should start to activate from your KMS server.

Troubleshooting Office 2010 KMS Activation

If you have a client that refuses to work you can manually force it to activate against your KMS server;

x64 Bit Clients. (Where kms.domaina.com is the FQDN of the KMS server)

[box]

cscript "C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS" /sethst:kms.domaina.com 
cscript "C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS" /act 

[/box]

x32 Bit Clients. (Where kms.domaina.com is the FQDN of the KMS server)

[box]

cscript "C:\Program Files\Microsoft Office\Office14\OSPP.VBS" /sethst:kms.domaina.com
cscript "C:\Program Files\Microsoft Office\Office14\OSPP.VBS" /act [/box]

Related Articles, References, Credits, or External Links

KMS Activation – Error: 0xC004C008

WSUS Install Error on Windows Server

KB ID 0000295 

Problem

When you try and install WSUS (Windows Update Services 3.0 SP1) onto Windows Server 2008 R2 you see the following error,

Error:
This program is blocked due to compatibility issues
Check online to see if solutions are available from the Microsoft website. If solutions are found, 
Windows will automatically display a website that lists steps you can take.
Program: Windows Server Update Services
Publisher: Microsoft
Location c:{huge hex number}WusSetup.exe

Solution

WSUS 3.0 SP1 is NOT supported on Windows Server 2008 R2, you need to download and install WSUS 3.0 SP2 from here.

Related Articles, References, Credits, or External Links

NA

Windows 7 – Cannot Install Service Pack 1Windows Server 2008 R2 – Cannot Install Service Pack 1

KB ID 0000408 

Problem

It’s the same service pack for both products (in case you were wondering about the title).

Service Pack 1 has been out for a just over a week now, so we have had enough time to see any glitches and problems.

Solution

Errors:

If your update fails with error 8007f0f4 or FFFFFFFF this has been attributed to malware click here.

If your update fails with error 0x800f0a12

Press Start > Run > cmd {enter} > Run > the following two commands.

[box]diskpart auto mount enable[/box]

Then reboot (If the problem persists click here.)

If those are not applicable..

1. Make sure Windows Update is actually working on your PC, it may have not been updating for a while click here.

2. Make sure you are Virus/Malware free – if (as illustrated) you are running Microsoft Security Essentials ensure you are running the latest version, earlier versions have caused problems with SP1.

3. Make sure you do not have the pre-release version of Service Pack 1 installed. Click Start > right click Computer > properties, (or run winver.)

Look for “Service Pack 1” If it says version 531 or version 720 you will need to uninstall this first, If it says version 721 then Service Pack 1 is already installed. (source).

To uninstall the pre release version, click Start > appwiz.cpl {enter}

Click “View installed updates”

Locate Service Pack for Microsoft Windows (KB976932) and uninstall it.

Note: If the update is “grayed out” then the uninstall information for that update is not on the computer. If Service Pack 1 was installed when you got the computer you have no option but to wipe and reinstall Windows7. If you you performed a disk cleanup and ticked remove service pack backup files….

You will also need to wipe and reinstall Windows – sorry 🙁

4. You may also cure your install problems by running the system file checker. Click Start > type in cmd > Right click the cmd program and select “Run as Administrator” > when the command window opens run the following command.

[box]sfc /scannow[/box]

5. Run the System Update Readiness Tool, all being well it should look like nothing has happened when it’s been installed, it creates a log file (called CheckSUR) at the following location:

[box]C:WindowsLogsCBS[/box]

6. Finally retry installing Service Pack 1 > Start > Windows Update > Locate SP1 > tick for installation > OK.

Other Known Problems

Windows 7

You may need to install these two updates before you can see the Service Pack 1 update.

http://support.microsoft.com/kb/2454826 http://support.microsoft.com/kb/976902

Windows Server 2008 R2

If you have any of the following hotfixes installed, you need to update them.

http://support.microsoft.com/kb/983534 http://support.microsoft.com/kb/979350 http://support.microsoft.com/kb/2406705  

Related Articles, References, Credits, or External Links

NA

Error Adding Office KMS Keys “0x80072F8F”

KB ID 0000584 

Problem

Seen when adding an Office 2010 KMS key on a Windows 2008 R2 KMS Server.

Note: Using the Microsoft Office 2010 KMS Host License pack as per this article.

An error occurred: 0x80072F8F
To display the error text run the following:
slui.exe 0x2a 0x80072F8F

Solution

1. If you do run the command that they have asked you to, all you get is;

Code:
0x80072F8F
Description:
A Security error occurred

2. Not very helpful, however some Google searching turned up the solution. Check the time on the KMS server is correct, mine was way out.

Note: This had happened because the domain controller was on an ESXi host with the incorrect time, the KMS server took its time from the domain controller when it booted. (Domain clients typically take their time from the DC holding the PDC emulator role).

Locate your FSMO Role Servers

3. With the time fixed, try once again, and you should be successful.

Related Articles, References, Credits, or External Links

Using KMS Server for Windows Server 2008 R2, Windows 7, and Office 2010

Office 2010 – Find your Version and Licensing Information

Activation Error: Code 0x8007232b DNS Name does not exist

 

Deploying Exchange 2013

Part Two – Prerequisites for Windows Server 2008 R2

KB ID 0000717

Problem

Originally I was just going to write a ‘Prerequisite for Exchange 2013’ article, but the needs of Windows Server 2008 R2 are so much greater than those of Windows Server 2012, I split them up. With that in mind, Id suggest you use Window s server 2012 rather than 2008 R2. (It will be supported for longer).

But if you are determined read on.

Solution

Planning ‘Time spent on reconnaissance is seldom wasted’

If you are going to deploy Exchange 2013 within your organisation, then you either already have Exchange (or another mail server product), or it’s a ‘Greenfield Site’.

You already have Exchange

Coexistence with Exchange 2003 is not supported, before you consider bringing in Exchange 2013, you will need to migrate to Exchange 2010, (a migration to Exchange 2007 would also work, but Exchange 2010 would be more sensible). Exchange 2013 Server can coexist in the same Exchange environment with both Exchange 2007 and Exchange 2010.

Exchange 2003 to 2010 Transition “Swing Migration”

Make Sure you have the DVD or ISO file for Exchange 2013, you don’t want to download a 3.5GB File at a clients site through a slow ADSL Link! Also the prerequisite software is pretty big, get all that burned to disk, or on a USB Drive before you start.

Software Requirements

Well we are installing on Server 2008 R2 (Standard/Enterprise or Datacenter, though if you plan to deploy this server as part of a DAG Group, it needs to be Enterprise/Datacenter), so what else would you need to worry about? How about backup software? Does your current backup solution support Exchange 2013? Also check with your anti-virus/antispam vendor that 2013 wont be a problem. Do you have any mail archiving software, custom email signature software etc? Take a good look at the software packages in your existing mail system to make sure.

Outlook Client Access: Be aware your clients need to be using the following versions of Outlook BEFORE you migrate them.

  • Outlook 2013.
  • Outlook 2010 (With SP1 and this update).
  • Outlook 2007 (With SP3 and this update).
  • Outlook for Mac 2011.
  • Entourage 2008 for Mac, Web Services Edition.

Hardware Requirements

1. CPU: As you’re planning on deploying with Windows Server 2008 R2 you will already have a server with an x64 bit CPU to deploy Exchange 2013 on, though IA64 is NOT supported.

2. RAM: This is dependent on what roles the server will have, for a Client Access Server the recommendation is 4GB, for a Mailbox Server it’s 8GB. And if the server will hold both roles the figure remains at 8GB. Though if I were deploying an Exchange 2013 Server in anger I would start at 12GB for a small (less than 80 mailbox’s) deployment and work upwards.

3. Disk Space: The drive which will hold the Exchange program files needs 30GB free space (that seems like a lot!) then there are some smaller figures you need to add up,

500MB per Universal Massaging Pack Language you are going to deploy.
200MB free on the servers system (OS) drive.
500MB free on the drive that will house the message queue database.

If the server will be a Mailbox server then it will need sufficient room to store the mailbox/public folder databases.

4. DVDROM Drive: Actually this is not really a requirement, but I’m mentioning it because a few modern servers ship without DVDROM drives now. You don’t want to go to site with a disk and look like a clown! Exchange 2013 will deploy quite happily from an ISO image. (If in doubt use 7ZIP to extract the ISO to a folder, and take that with you).

Pre Deployment – Environment

1. The Windows 2008 R2 server should be at least SP1. (If in doubt, Windows Key+R > winver {enter}).

2. Your forest functional level should be at least Windows Server 2003. To see your forest functional level, Windows Key > Active Directory Domains and Trusts > Action > Raise Forest Functional Level.

3. The domain controller that is holding the Schema Master FSMO role in your domain, needs to be at least Windows Server 2003 SP2. To see which server is the schema master server, run the following command;

[box]netdom query /domain:YOURDOMAINNAME fsmo[/box]

Note: In this example, I’m on a standalone server, that’s also a domain controller (not recommended for production environments!). In a live environment you may need to plan in some downtime to update the schema master.

4. The server you are deploying on, must already be a member of your domain.

5. Run Windows Update, and make sure the server is fully up to date.

6. You will need to install both .Net 4.5 and Windows Management Framework 3.0 (That’s new WMI and Powershell 3 in case you were wondering), and Windows Management Framework 3.0. (Note: you need the Windows6.1-KB2506143-x64 version).

Note: These two pieces of software are needed on the server that will prepare the Active Directory, so they are not strictly prerequisites for Exchange 2013.

7. The Exchange 2013 Server needs the AD DS (RSAT) administration tools installing. To do that simply run the following command;

[box]Add-WindowsFeature RSAT-ADDS[/box]

Note: If you skipped step 6 then you will see the following error;

The term ‘Add-WindowsFeature’ is not recognized as the name of a cmdlet function, script file, or operable program.

Pre Deployment – Roles Required

Like previous versions of Exchange, you need to add certain roles to the server before you can install the product. Which roles you need, depend on whether you are deploying a server with the client access server role, or the mailbox server role (Note: if the server will hold BOTH roles, then the roles for mailbox server will cover both.)

Mailbox Server (Or Mailbox Server with Client Access Sever) – Roles Required

1. Issue the following PowerShell command;

[box]Import-Module ServerManager[/box]

2. Issue the following PowerShell command;

[box]Add-WindowsFeature Desktop-Experience, NET-Framework, NET-HTTP-Activation, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Web-Server, WAS-Process-Model, Web-Asp-Net, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI [/box]

2. After running this command you may need to reboot.

3. Once complete you need to install the Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit.

4. Then install the Microsoft Office 2010 Filter Pack 64 bit

5. Then install the Microsoft Office 2010 Filter Pack SP1 64 bit

Note: At time of writing there is no Office 2013 Filter pack. I suspect that when it is released, it will need installing instead of the Office 2010 version, (that’s what happened with Exchange 2010 anyway).

6. Then install the Windows Identity Foundation (KB974405). Note: Download Windows6.1-KB974405-x64.msu

7. Then install the Knowledge Base article KB2619234 (Enable the Association Cookie/GUID that is used by RPC over HTTP to also be used at the RPC layer in Windows 7 and in Windows Server 2008). Note: This update requires a reboot.

8. Then install the Knowledge Base article KB2533623 (Insecure library loading could allow remote code execution). If you are fully up to date you may find that this update will not be applicable to your system, and you will see the following popup.

Client Access Server Only – Roles Required

The only difference for a server running the Client Access Role is that .Net 4.5 and the WindowsManagement Framework are not requirements. However if you have been following all the steps you will already have them installed. And having them installed will cause you no problems. So, follow all the same steps, and install all the roles and software that is required for the ‘Mailbox/Combined Mailbox and Client Access Server’.

Related Articles, References, Credits, or External Links

Deploying Exchange 2013 – Part One – Prerequisites for Windows Server 2012

Deploying Exchange 2013 – Part Three – Deploying Exchange 2013 On a ‘Greenfield Site’