Recently I had to install a KMS server in an isolated DMZ environment that had no connection to the internet. We were previously using MAK keys and activating over the phone, this quickly became a hassle and a KMS solution was required. I have previously implemented KMS solutions before with no issues, but ran into issues creating an offline KMS server and then converting the existing MAK clients to KMS clients. One of the main issues was the inability to access online documentation in the isolated environment. Another issue was scattered documentation and piecing all the parts that I needed to implement the solution offline. So hopefully this article will help anyone who may have to go through this.
Offline KMS?
The first questions I had was, could I have an offline KMS host server that didn’t need to regularly contact Microsoft. The answer is yes. The KMS host server only needs to contact Microsoft once when you first activate the KMS host. Even better yet, if you activate the KMS host over the phone, your KMS server never needs to contact Microsoft. This satisfied my security concerns of keeping the network isolated.
Installing the KMS Host
The KMS host is the computer that will be providing activations to your clients. I chose to install the KMS Host on an existing 2008 R2 server as all the latest KMS software is already included with the OS.
You first need to obtain a KMS Host product key from Microsoft. Once you obtained the key, you need to install it from an elevated command prompt:
C:\Windows\System32\CSCRIPT SLMGR.VBS –IPK xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
You should receive a message indicating: Installed product key xxxxx-xxxxx-xxxxx-xxxxx-xxxxx successfully.
Once you have it installed, you will need to activate your server with Microsoft. If I were online with a connection to Microsoft, I would issue the following from an elevated command prompt:
C:\Windows\System32\CSCRIPT SLMGR.VBS –ato
Since I was offline, I needed to do this over the phone. To activate, I issued the following command to obtain the phone number and followed the remaining GUI activation process:
C:\Windows\System32\SLUI 4
I now have an activated KMS host.
Configuring the KMS Host
By default, the KMS server will attempt to communicate using port 1688. We wanted to change the default port. This is done on the KMS server by issuing the following command from and elevated command prompt:
C:\Windows\System32\CSCRIPT SLMGR.VBS –sprt 6188
You’ll get the following message:
Warning: a KMS reboot is needed for this change to take effect.
A KMS reboot just involves restarting the KMS service. This is done by issuing the following commands
Net Stop sppsvc
Net Start sppsvc
NOTE: Formerly this service was called slsvc. So replace sppsvc with slsvc if you are using a previous version of KMS.
Also since DNS publishing is enabled by default, the KMS SRV records will be updated with the new port number once the service is restarted.
Converting existing MAK clients to KMS clients
New OS clients by default assume they are KMS clients and will attempt to contact a KMS host via the SRV records, so no configuration is required. You can activate Windows normally via the GUI or by issuing the following command via an elevated command prompt:
C:\Windows\System32\CSCRIPT SLMGR.VBS –ato
Existing MAK clients will not attempt to contact a KMS server unless you change the product key back to the default setup product key. First obtain the correct setup product keys from Microsoft then issue the following command from an elevated command prompt:
C:\Windows\System32\CSCRIPT SLMGR.VBS –IPK xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
Once you’ve change the product key, you need to activate the OS via the following command via an elevated command prompt:
C:\Windows\System32\CSCRIPT SLMGR.VBS –ato
Windows should now activate itself via your KMS server. This is assuming that you have reached the respective minimums of 5 servers or 25 clients
Summary
I realized I glossed over many aspects of KMS. Normally KMS installs are quick and painless, but can become quite painful when you have to read through reams of documentation to find an answer to an issue they you may be having.
None the less, you should still read the appropriate documentation available here:
http://www.microsoft.com/downloads/details.aspx?familyid=9893F83E-C8A5-4475-B025-66C6B38B46E3&displaylang=en
Good luck and I hope I helped.