How to create a Key Management Services (KMS) activation host in Windows Server (2024)


KMS uses a client-server model to activate Windows clients and is used for volume activation on your local network. KMS clients connect to a KMS server, called the KMS host, for activation. Which KMS clients a KMS host can activate depends on the host key used to activate the KMS host. This article walks you through the steps you need to create a KMS host. To learn more about KMS and the initial planning considerations, see Key Management Services (KMS) activation planning.

Prerequisites

A single KMS host can support an unlimited number of KMS clients. If you have more than 50 clients, we recommend that you have at least two KMS hosts in case one of your KMS hosts becomes unavailable. Most organizations can operate with as few as two KMS hosts for their entire infrastructure.

KMS hosts do not need to be dedicated servers, and KMS can be co-hosted with other services. You can run a KMS host on any physical or virtual system that is running a supported Windows Server or Windows client operating system.

The version of Windows you use for your KMS host determines the version of Windows you can activate for your KMS clients. Please see the table of activation versions to help you decide which is right for your environment.

By default, KMS hosts automatically publish SRV resource records in DNS. This enables KMS clients to automatically discover the KMS host and activate without the need for any configuration on the KMS client. Automatic publishing can be disabled and the records can be created manually, which is also necessary for automatic activation if the DNS service does not support dynamic updates.

You will need:

Install and configure a KMS host

  1. From an elevated PowerShell session, run the following command to install the Volume Activation Services role:

    Install-WindowsFeature -Name VolumeActivation -IncludeManagementTools

  2. Configure the Windows Firewall to allow the Key Management Service to receive network traffic. You can allow this for any network profiles (default), or for any combination of Domain, Private, and Public network profiles. By default, a KMS host is configured to use TCP on port 1688. In the example below, the firewall rule is configured to allow network traffic for the Domain and Private network profiles only:

    Set-NetFirewallRule -Name SPPSVC-In-TCP -Profile Domain,Private -Enabled True

  3. Launch the Volume Activation Tools wizard by running:

    vmw.exe

  4. Select Next on the introduction screen. Select Key Management Service (KMS) as the activation type and enter localhost to configure the local server or the hostname of the server you want to configure.

  5. Select Install your KMS host key and enter the product key for your organization, then select Commit.

  6. Once the product key has been installed, you need to activate the product. Click Next.

  7. Select the product you want to activate from the dropdown menu, then select whether you want to activate online or by phone. In this example, select Activate online and then Commit.

  8. Once activation is successful, the KMS host configuration will be shown. If this is the configuration you want, you can select Close to exit the wizard. DNS records will be created and you can start activating KMS clients. See the section below if you need to manually create DNS records. If you want to change the configuration settings, select Next.

  9. Optional: Change the configuration values based on your requirements and select Commit.

Note

You can now start activating KMS clients; however, a network must have a minimum number of computers (called the activation threshold) before clients will activate. KMS hosts count the number of recent connections: when a client or server contacts the KMS host, the host adds the machine ID to its count and then returns the current count value in its response. The client or server will activate if the count is high enough. Windows clients will activate if the count is 25 or higher. Windows Server and volume editions of Microsoft Office products will activate if the count is five or greater. The KMS host only counts unique connections from the past 30 days, and only stores the 50 most recent contacts.
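The following is an added example, not part of the original article: a PowerShell check that audits the result of steps 1 and 2 on the KMS host. It assumes a Windows Server host (for Get-WindowsFeature), an elevated session, and the default rule name and port shown above; the function name Test-KmsHostConfig is hypothetical.

```powershell
# Added example: audit the KMS host settings from steps 1 and 2 on the local server.
# Assumes Windows Server and an elevated PowerShell session.
function Test-KmsHostConfig {
    [CmdletBinding()]
    param(
        [string]$RuleName = 'SPPSVC-In-TCP',  # firewall rule name used in step 2
        [int]$Port = 1688                      # default KMS port
    )

    $findings = [System.Collections.Generic.List[string]]::new()
    $profiles = @()

    # Step 1: the Volume Activation Services role should be installed.
    $feature = Get-WindowsFeature -Name VolumeActivation
    if (-not $feature.Installed) { $findings.Add('VolumeActivation role is not installed.') }

    # Step 2: the inbound rule should be enabled and limited to Domain/Private.
    $rule = Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue
    if (-not $rule) {
        $findings.Add("Firewall rule '$RuleName' was not found.")
    } else {
        # Profile is a flags enum; its string form is e.g. "Domain, Private" or "Any".
        $profiles = $rule.Profile.ToString() -split ',\s*'
        if ($rule.Enabled -ne 'True') { $findings.Add("Rule '$RuleName' is disabled.") }
        if ($profiles -contains 'Any' -or $profiles -contains 'Public') {
            $findings.Add("Rule '$RuleName' covers the Public profile; restrict it to Domain,Private.")
        }
    }

    # The KMS service should be listening on the configured TCP port.
    $listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    if (-not $listener) { $findings.Add("Nothing is listening on TCP $Port.") }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Profiles  = $profiles -join ', '
        Findings  = $findings
    }
}

Test-KmsHostConfig | Format-List
```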

Manually create DNS records

If your DNS service does not support dynamic update, the resource records must be manually created to publish the KMS host. Create DNS resource records for KMS manually with your DNS service using the information below (altering the default port number if you changed this in the KMS host configuration):

Property        Value
Type            SRV
Service/Name    _vlmcs
Protocol        _tcp
Priority        0
Weight          0
Port number     1688
Hostname        FQDN of the KMS host

You should also disable publishing on all KMS hosts if your DNS service does not support dynamic update to prevent event logs from collecting failed DNS publishing events.

Tip

Manually created resource records can also coexist with resource records that KMS hosts automatically publish in other domains as long as all records are maintained to prevent conflicts.
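The following is an added example, not part of the original article: a PowerShell check, run from a domain-joined client, that compares the published _vlmcs._tcp SRV records with the values in the table above and flags targets that are not on your list of KMS hosts. The function name Test-KmsSrvRecord and the contoso.com names are placeholders.

```powershell
# Added example: verify the SRV records KMS clients use to discover a KMS host.
function Test-KmsSrvRecord {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Domain,           # DNS domain the clients query
        [Parameter(Mandatory)][string[]]$ApprovedHosts,  # FQDNs of your KMS hosts
        [int]$ExpectedPort = 1688                         # port from the table above
    )

    # Keep only SRV answers; the response can also carry A/AAAA records for the targets.
    $records = Resolve-DnsName -Name "_vlmcs._tcp.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }

    foreach ($r in $records) {
        $target = $r.NameTarget.TrimEnd('.')
        [pscustomobject]@{
            Target    = $target
            Port      = $r.Port
            Priority  = $r.Priority
            Weight    = $r.Weight
            # A target outside the approved list is a stale or unexpected record.
            Approved  = $ApprovedHosts -contains $target
            PortMatch = $r.Port -eq $ExpectedPort
            # Confirms the published host actually accepts connections on that port.
            Reachable = Test-NetConnection -ComputerName $target -Port $r.Port `
                            -InformationLevel Quiet -WarningAction SilentlyContinue
        }
    }
}

# Placeholder values; replace with your own domain and KMS host names.
Test-KmsSrvRecord -Domain 'contoso.com' -ApprovedHosts 'kms01.contoso.com' |
    Format-Table -AutoSize
```

Any row with Approved or PortMatch set to False points to a record that should be corrected or removed so clients do not discover the wrong host.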

Disable publishing of DNS records

To disable publishing of DNS records by the KMS host:

  1. Launch the Volume Activation Tools wizard by running:

    vmw.exe

  2. Select Next on the introduction screen. Select Key Management Service (KMS) as the activation type and enter localhost to configure the local server or the hostname of the server you want to configure.

  3. Select Skip to Configuration, then select Next.

  4. Uncheck the box for publish DNS records, then select Commit.


Article information

Author: Patricia Veum II
