Tuesday 6 May 2014

KMS: How to remove a KMS Server from your infrastructure

These days I took a swing at some clean-up I had to do in our KMS servers list. In any large environment you are bound to find configurations you either did not put in place (there is usually more than one person managing it) or put in place for testing and forgot to remove. I’m mainly referring to KMS servers that may once have been used to activate Windows licenses, or that people attempted to set up that way (but failed for one or more reasons). You might have this problem in your environment too and not know about it. Any “rogue” or unauthorized KMS server usually also publishes its KMS service in DNS. This means that when a client tries to activate, it will pick one of the servers offering the _VLMCS service (license activation) in the _TCP node of the DNS suffixes it has configured, or of its own domain name. By default all KMS hosts publish their service record with equal priority and weight, so with only a few KMS hosts there’s a high chance the client gets sent to the wrong/rogue KMS. If the client picks the correct KMS host, all is well with the world; if not, it gets an error and you get an unneeded support call because users can’t activate their Windows.
To fix this you should first find the rogue KMS hosts. Since the information is published in your DNS, this nslookup query should reveal your servers:
    nslookup -q=srv _vlmcs._tcp.contoso.com
Run this for the FQDN of every domain and subdomain in your environment to list all servers. A sample output would look like this:
    Server: dc1.contoso.com
    Address: 192.100.5.10

    _vlmcs._tcp.contoso.com SRV service location:
     priority = 0
     weight = 0
     port = 1688
     svr hostname = KMS01.contoso.com
    _vlmcs._tcp.contoso.com SRV service location:
     priority = 0
     weight = 0
     port = 1688
     svr hostname = John-Desktop.contoso.com
    KMS01.contoso.com internet address = 192.41.5.4
    John-Desktop.contoso.com internet address = 192.20.50.20
As you see, we have 2 KMS host entries: one is the valid KMS host, the other looks like someone tried to activate his PC the wrong way (installing a KMS host key instead of a client key) and ended up publishing KMS service records in DNS. Here’s how to remove this, for good. Some of the steps are taken from TechNet documentation, some from the social.technet site.
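Before walking through the removal steps, here is an added example (my own PowerShell, not from the original post or from Microsoft) that automates the discovery part: it queries the _vlmcs._tcp SRV record for every DNS domain you list, prints what is published, and flags any KMS host that is not on an approved list. The domain names and the approved host list are assumptions you must replace with your own; it needs the DnsClient module (Windows 8 / Server 2012 or later), so on an older box keep using the nslookup command above.

```powershell
# Added example (not from the original post): enumerate every _vlmcs._tcp SRV
# record across a list of domains and flag KMS hosts that are not approved.
# Requires the DnsClient module (Resolve-DnsName), Windows 8 / 2012 or later.

$Domains          = @('contoso.com', 'corp.contoso.com')   # assumed: your DNS suffixes
$ApprovedKmsHosts = @('kms01.contoso.com')                  # assumed: hosts allowed to publish KMS

$findings = foreach ($domain in $Domains) {
    # Resolve-DnsName also returns the A records from the additional section,
    # so keep only the SRV answers.
    $records = Resolve-DnsName -Name "_vlmcs._tcp.$domain" -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }

    foreach ($r in $records) {
        $target = $r.NameTarget.TrimEnd('.').ToLowerInvariant()
        [pscustomobject]@{
            Domain   = $domain
            KmsHost  = $target
            Port     = $r.Port
            Priority = $r.Priority
            Weight   = $r.Weight
            Approved = ($ApprovedKmsHosts -contains $target)
        }
    }
}

# Show everything that is published, approved or not
$findings | Sort-Object Domain, KmsHost | Format-Table -AutoSize

# Anything not on the approved list is a candidate rogue KMS host
$rogue = @($findings | Where-Object { -not $_.Approved })
if ($rogue.Count -gt 0) {
    $list = ($rogue | ForEach-Object { "$($_.KmsHost) (published in $($_.Domain))" }) -join ', '
    Write-Warning "Unapproved KMS SRV records found: $list"
} else {
    Write-Host 'All published KMS hosts are on the approved list.'
}
```

Run it from any domain-joined machine; since the SRV records live in DNS no special rights are needed to read them. Because all hosts publish with priority 0 / weight 0, the Priority and Weight columns also show you at a glance whether anyone has tried to prefer one host over another.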
  •  Login/RDP/PSEXEC to the affected host (John-Desktop) and uninstall the KMS product key. To do this, run this from an elevated command prompt:
    cscript %windir%\system32\slmgr.vbs /upk
  • Install the default KMS client setup key for the edition, found here:
    cscript %windir%\system32\slmgr.vbs /ipk [KMS client Setup Key]
  • Activate the computer as a client using the command below. In our case it would go to the KMS01.contoso.com host:
    cscript %windir%\system32\slmgr.vbs /ato
  • Now you should stop this record from being published in DNS. You guessed it: just because you uninstalled the KMS host key and put in the client key doesn’t mean the host stopped advertising KMS in DNS. If you are running Windows 2008 R2, slmgr.vbs has a switch which does this for you:
    cscript %windir%\system32\slmgr.vbs /cdns
Important Note: If you are running Windows 2008, not Windows 2008 R2, there is no /cdns switch. Also, you cannot run slmgr.vbs from a 2008 R2 box against the 2008 machine with that switch; it will say something like this:
    Microsoft (R) Windows Script Host Version 5.8
    Copyright (C) Microsoft Corporation. All rights reserved.

    The remote machine does not support this version of SLMgr.vbs
The registry change below is the way to do it on Windows 2008, and it is also a good “failsafe” in case the /cdns switch didn’t work on Windows 2008 R2. Changing this registry value worked for me; other people suggested other fixes (here) along the same lines, which I didn’t test. You need to run this command from an elevated command prompt:
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SL" /v DisableDnsPublishing /t REG_DWORD /d 1
  • Stop and start the Software Licensing Service:
    net stop SLSVC

    net start SLSVC
Update: If running Windows 2008 R2 you should instead restart the Software Protection Service:
    net stop "Software Protection"

    net start "Software Protection"
  • Remove the _vlmcs KMS service record for John-Desktop from the _tcp node of the contoso.com zone. You can do this via the dnsmgmt.msc console (the DNS publishing fix above only stops the host from re-creating it; the existing record has to be deleted by hand).
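The whole clean-up, as one added script that is mine and not from the original post: it runs the same slmgr.vbs steps on the affected host from an elevated PowerShell session, picks the /cdns switch or the registry fallback based on the OS version, restarts the right service (SLSVC on 2008, Software Protection on 2008 R2), and then deletes the stray SRV record with dnscmd instead of the dnsmgmt.msc console the post uses. The GVLK, the DNS server name and the zone name are placeholders or assumptions; the dnscmd record data must match exactly what nslookup showed (priority, weight, port, target), so check that line before running it.

```powershell
# Added example (not from the original post): remove a rogue KMS host.
# Run ON the affected host (e.g. John-Desktop) from an elevated PowerShell.
# Step 5 (dnscmd) needs DNS admin rights on the zone; it replaces the
# manual dnsmgmt.msc deletion described in the post.
param(
    [Parameter(Mandatory)] [string] $KmsClientSetupKey,   # placeholder: the GVLK for this edition
    [string] $DnsServer = 'dc1.contoso.com',              # assumed: DNS server hosting the zone
    [string] $Zone      = 'contoso.com'                   # assumed: zone holding the stray SRV record
)

$slmgr = Join-Path $env:windir 'system32\slmgr.vbs'
$fqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # this host's FQDN
$os    = [Environment]::OSVersion.Version                              # 6.0 = 2008, 6.1 = 2008 R2

# 1. Uninstall the KMS host key and install the KMS client setup key
cscript //nologo $slmgr /upk
cscript //nologo $slmgr /ipk $KmsClientSetupKey

# 2. Activate as an ordinary KMS client (DNS will point it at the real KMS host)
cscript //nologo $slmgr /ato

# 3. Stop DNS publishing: /cdns only exists on 2008 R2; the registry value
#    from the post works on 2008 and doubles as the failsafe on R2.
if ($os -ge [version]'6.1') {
    cscript //nologo $slmgr /cdns
}
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SL" /v DisableDnsPublishing /t REG_DWORD /d 1 /f

# 4. Restart the licensing service so the change takes effect
$svc = if ($os -ge [version]'6.1') { 'sppsvc' } else { 'SLSVC' }   # sppsvc = "Software Protection"
Restart-Service -Name $svc -Force

# 5. Delete the stray SRV record from the zone on the DNS server.
#    dnscmd RRData for an SRV record is: <priority> <weight> <port> <target>
dnscmd $DnsServer /RecordDelete $Zone _vlmcs._tcp SRV 0 0 1688 $fqdn /f

# 6. Verify: this host should no longer be listed among the KMS servers
nslookup -q=srv "_vlmcs._tcp.$Zone" $DnsServer
```

If step 6 still shows the host, the record was either re-published before the service restart (re-run step 5) or exists in another zone or subdomain, which the nslookup query from the start of the post will show.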
That’s about it, Hope someone finds this one useful. Any comments are welcome.
