Resilient Key Management Services, Priority and Weighting, Publishing in Multiple Domains


I recently had to implement KMS and decided on a resilient KMS design with a primary and a secondary KMS server. As per Microsoft's recommendation, a minimum of two KMS hosts is required for failover. KMS does not need a dedicated server, so you can install it on an existing server, such as a Domain Controller, saving license costs.

All you need to do to convert an existing server to a KMS server is to replace its existing key with ‘slmgr -ipk NEWKEY’. Wait for the confirmation and then run ‘slmgr -ato’ to activate the new KMS key. You should get a ‘product successfully activated’ reply. Now we have two KMS hosts configured in Active Directory with the same priority and weighting.

To designate between the primary and secondary KMS server, the priority and weighting must be applied to the DNS records associated with each KMS host.

The priority field determines which host is contacted first: clients always attempt to contact the host with the lowest priority value. The weighting field is a load-balancing mechanism for hosts that share the same priority. As the KMS hosts will be configured as a primary and a secondary, I’ve left the weighting value the same on both.

Additionally, as I was using the same KMS servers in an environment with multiple domains, I needed the DNS records to be published in every domain. The easiest way to manage this is to use the ‘DnsDomainPublishList’ multi-string registry value. This configures the KMS servers to automatically publish in multiple DNS domains and sets the priority and weighting of each server's record.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\DnsDomainPublishList

Format of each string in the multi-string value: domain to publish in, priority, weighting

KMS Host: Primary
Registry Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\
Multi String Value: DnsDomainPublishList
Strings:
  xyz.com, 10, 100
  abc.xyz.com, 10, 100

KMS Host: Secondary
Registry Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\
Multi String Value: DnsDomainPublishList
Strings:
  xyz.com, 20, 100
  abc.xyz.com, 20, 100

And lastly, don't forget to disable KMS client caching on each host with ‘slmgr.vbs /ckhc’. This forces a client to always use KMS auto-discovery (querying DNS) to determine which KMS host to activate with. If the primary KMS host is offline, the client will automatically activate with the secondary KMS host.
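The whole procedure above (publish list, priority, clearing the host cache) as one PowerShell script, added here as an example rather than taken from the original post. It assumes it runs elevated on the KMS host, that the Software Protection service (sppsvc) re-publishes its SRV records when restarted, and uses the post's placeholder domains xyz.com and abc.xyz.com; the $Role, $Domains and $Weight parameters are my own names.

```powershell
# Added example (not from the original post): configure DnsDomainPublishList on a KMS host
# and verify the resulting _vlmcs._tcp SRV records in each domain.
# Assumptions: run elevated on the KMS host; domains are the post's placeholders;
# priority 10 on the primary host and 20 on the secondary, weight 100 on both.
param(
    [ValidateSet('Primary', 'Secondary')][string]$Role = 'Primary',
    [string[]]$Domains = @('xyz.com', 'abc.xyz.com'),
    [int]$Weight = 100
)

$priority = if ($Role -eq 'Primary') { 10 } else { 20 }
$keyPath  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'

# One "domain, priority, weight" string per domain, stored as REG_MULTI_SZ.
$publishList = $Domains | ForEach-Object { '{0}, {1}, {2}' -f $_, $priority, $Weight }
Set-ItemProperty -Path $keyPath -Name 'DnsDomainPublishList' -Value $publishList -Type MultiString

# The Software Protection service publishes its SRV records when it starts,
# so restart it rather than waiting for the next scheduled publication.
Restart-Service -Name sppsvc -Force

# The post's final step: clear KMS host caching so DNS auto-discovery is always used.
cscript.exe //nologo "$env:SystemRoot\System32\slmgr.vbs" /ckhc

# Verify: each domain should now carry an SRV record pointing at this host with the
# expected priority and weight. A missing record usually means the service could not
# perform the dynamic DNS update; wrong values usually mean a stale manual record.
$hostFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
foreach ($d in $Domains) {
    $srv = Resolve-DnsName -Name "_vlmcs._tcp.$d" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.NameTarget -ieq $hostFqdn } |
           Select-Object -First 1
    if (-not $srv) {
        Write-Warning "No _vlmcs._tcp SRV record for $hostFqdn in $d"
    } elseif ($srv.Priority -ne $priority -or $srv.Weight -ne $Weight) {
        Write-Warning ("{0}: record has priority {1} / weight {2}, expected {3} / {4}" -f
            $d, $srv.Priority, $srv.Weight, $priority, $Weight)
    } else {
        Write-Output ("{0}: OK (priority {1}, weight {2})" -f $d, $srv.Priority, $srv.Weight)
    }
}
```

Run it with -Role Secondary on the second host; the verification loop then expects priority 20 in every domain.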
