Thursday 26 May 2016

Configuring Active Directory Activation with KMS

Active Directory Activation makes it possible to store activation object within the Active Directory schema, therefore simplifying the management of licenses within a Windows-based infrastructure. Although in some environment Key Management Service (KMS) will probably still be required, as AD Activation is only supported on Windows 8/Server 2012 and above at this time. Traditionally KMS has been a nightmare service to manage due to it being managed entirely from the CLI. It looks like Microsoft are trying to move away from this with AD Activation being the replacement.
Please note - KMS and Active Directory Activation CAN be running simultaneously.
If you have a mixed environment with KMS & AD Activation the activation order is;
·        Active Directory-based Activation
·        KMS Activation
·        MAK Activation
There are not many requirements for Active Directory Activation, the only one is that you have at least one Domain Controller in your domain running Windows Server 2012 or later, this ensure the domain has the 2012 schema extensions. This should not be confused with the domain/forest functional levels.
Domain Controllers running older versions of Windows Server can still participate in AD Activation as the objects are replicated to the entire schema.
Install the Volume Activation Services (VAS) from Server Manager, it is a Server Role.

Once installed click VA Services, right click and select Volume Activation Tools.

Click Next on the Introduction to Volume Activation Services wizard pane.

Click Active Directory-Based Activation and click Next.

Paste in your KMS key into the Install your KMS Host Key dialog box. If you have to install multiple KMS keys, which you probably will as there are separate keys for Windows 8, Windows Server etc you must run through this part multiple times. When you do this the wizard writes to the AD schema.

The KMS Keys have to be validated by either phone or over the Internet. 

Once the wizard has completed you can check by using ADSI Edit open a connection to the Configuration Container. 

Expand CN=Configuration/CN=Services/CN=Microsoft SPP/CN=Activation Objections if you are running AD-based Activation for the first time this should now exist. If you have added multiple KMS keys there will be multiple entries in the CN=Activation Objects directory.

The Software Protection service on Windows looks for the AD-based Activation, to check if your devices are being activated by AD Activation restart and then run slmgr /dli