Overview
This document provides information for system administrators on the Microsoft Key Management Service (KMS) and the university's KMS server.
What Is KMS?
Beginning with Windows Vista and Windows Server 2008 products, Microsoft implemented the Key Management Service (KMS) for validating its Enterprise software. Future Enterprise products will also be KMS-capable.
KMS offers many advantages — especially to computer lab administrators — and must be used on any machine capable of connecting to a U-M KMS-served network. In the rare circumstances where this is not possible, system administrators may request a Multiple Activation Key (MAK). There is only one situation where you should use an MAK: the machine is located off-campus and is unlikely to connect to the campus network — even through a Virtual Private Network (VPN) — for at least 6 months.
KMS Server at U-M
A university-wide KMS server is available at no charge for university-owned workstations and servers. Co-hosted by Information and Technology Services (ITS), this secure service is reliable and redundant.
Warning For University-owned machines only: U-M policy prohibits using KMS on a personally-owned computer, even if it is used for university business and is running university-licensed software.
The server's addresses are:
-
mskms.umich.edu
-
141.211.21.99 141.211.76.100
We highly recommend U-M system administrators use this service to manage KMS-capable Microsoft Enterprise products deployed on university-owned computers. You should only consider running a separate KMS server under very rare circumstances.
Activating Products
AUTOMATIC: Microsoft KMS-capable products will automatically find the university-wide KMS server under either of the following conditions:
-
the machine is within the UMROOT domain.
-
uses a DNS server that includes an SRV record for the to-be-activated workstation.
MANUAL: You can manually set up KMS activation if the machine:
-
has an IP address within a university-owned subnet, including Virtual Private Network (VPN) connections
-
is able to use in- and outbound TCP port 1688 to access mskms.umich.edu.
Note Firewall? You only need to provide access to the U-M's network using either mskms.umich.edu, university subnets, or the KMS server's IP addresses. For those who use Virtual Firewall, you should be covered by a Global Rule, but please check with the service owners.
Appendix A: Manually Activating Machines
If the machine cannot be set up for automatic activation but meets the manual activation criteria noted in Activating Products, follow these steps:
-
From the Start menu, select All Programs then Accessories.
-
RIGHT-click Command Prompt and select Run as administrator.
-
In the User Account Control window, click Continue.
-
In the Command Prompt window, enter the commands appropriate for your product.
Note The first command points the activation to the U-M KMS server. The second command activates the workstation or server.Windows Vista and Server 2008 up to R1:
%windir%\system32\cscript slmgr.vbs -skms mskms.umich.edu
%windir%\system32\cscript slmgr.vbs -atoWindows 7 and Server 2008 R2 and later:
%windir%\system32\cscript slmgr.vbs /skms mskms.umich.edu
%windir%\system32\cscript slmgr.vbs /ato
Appendix B: Creating an SRV Record
Note In order for auto-discovery to work, the DNS domain corresponding to one or both of the following must contain the KMS SRV record:
-
The primary DNS suffix of the computer
-
The DNS domain name assigned by DHCP
To create an SRV record:
-
In the DNS server, open the Bind zone file.
-
Enter a line (SRV record) in the form of
_vlmcs._tcp.[your subdomain].umich.edu. 3600 IN SRV 0 100 1688 mskms.umich.edu
replacing [your subdomain] with the correct subdomain without the brackets. For example, at the School of Public Health, the line would look like
_vlmcs._tcp.sph.umich.edu. 3600 IN SRV 0 100 1688 mskms.umich.edu
Appendix C: Troubleshooting
You can fix most failed KMS activations by re-registering the software and then manually activating the machine.
-
From the Start menu, select All Programs then Accessories.
-
RIGHT-click Command Prompt and select Run as administrator.
-
In the User Account Control window, click Continue.
-
In the Command Prompt window, enter the command appropriate for your operating system.
Windows Vista and Server 2008 up to R1:
%windir%\system32\cscript slmgr.vbs -ipk MS Universal Product Key
Windows 7 and Server 2008 R2 and later:
%windir%\syswow64\cscript slmgr.vbs /ipk MS Universal Product Key
-
Proceed with step 4 of Appendix A: Manually Activating Machines.
Note Reduced Functionality Mode: If the machine you're attempting to recover is already in Reduced Functionality Mode, you'll need to use Internet Explorer to access the Command Prompt.
-
In Internet Explorer's Address Bar, enter C: and press the Enter key.
-
If you receive an Internet Explorer Security dialog box, click Allow.
-
In the Windows Explorer window, navigate to C:\Windows\System32.
-
RIGHT-click the cmd file and select Run as administrator.
-
Proceed to step 4 (Command Prompt) at the beginning of this troubleshooting section.
Microsoft maintains a Knowledgebase article on troubleshooting Volume Activation error codes that you might find helpful. However — for error code 0x800706BA: The RPC server is unavailable — the Microsoft-provided solution is incorrect. You should instead follow the re-registering the UPK and manually configuring steps at the beginning of this troubleshooting section.
Appendix D: Running Your Own KMS Server
The university provides — at no charge — a secure, reliable and redundant KMS server. We highly recommend you use this service.
In the following rare events, you may need to provide your own KMS server.
-
The cluster you want to activate:
-
is not located within the U-M networks.
-
cannot use the university's VPN.
-
-
A local firewall restricts access to mskms.umich.edu through in- and out-bound TCP port 1688.
CAVEATS
-
You must fully understand the terms and conditions of the university's Microsoft Enterprise Agreement.
-
Your KMS service must absolutely prevent machines and virtual machines not owned by the university to validate.
-
You must be prepared to accept personal legal liability and for that of U-M in the event your KMS service permits even one machine not owned by the university to illegally validate.