16 Nov 2011

MS KMS and publishing to additional Domains

MS KMS automatically publishes an SRV record to the DNS of its local domain. That is ideal for a single AD forest with a single domain, but in a single forest with multiple domains a single KMS deployment straight out of the box isn't going to cut it.

Obviously, one or more KMS servers can be deployed in each domain in the forest, but even with virtualisation that approach becomes expensive, time consuming and complicated from a licensing compliance perspective. Therefore I propose the following: configure the one (or two) KMS servers, located in the forest root for example, to service the other domains too.

Once the KMS is configured and working, open Regedit.exe and navigate to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform

Create a new Multi-String Value (REG_MULTI_SZ) and name it DnsDomainPublishList. Edit this new registry value and enter the list of domains the KMS is to publish to, one per line (see below).

Once the entries have been made, restart the 'Software Protection' service.

So that KMS-aware clients can 'find' the KMS, it registers _VLMCS._TCP SRV records in DNS. Confirmation that this has occurred can be found in the Application event log on the KMS server as Event ID 12294, with the message:

'Publishing the Key Management Service (KMS) to DNS in the 'fake.company.com' domain is successful.'

If instead there are Event ID 12293 entries with the message:

'Publishing the Key Management Service (KMS) to DNS in the 'fake.company.com' domain failed.
Info:
0x80072338'

check the _tcp. node of that domain's DNS zone for an existing _VLMCS SRV record, as another KMS host may already have been introduced to the environment unwittingly.
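The whole procedure above, scripted as an added example (my code, not from the original post): it writes the DnsDomainPublishList value, restarts Software Protection, pulls the 12293/12294 events, and then queries each domain for _VLMCS._TCP SRV records so an unexpected second KMS host shows up. Assumptions: run as an administrator on the KMS host, the service name is sppsvc, Resolve-DnsName is available (DnsClient module, Windows 8 / Server 2012 or later; use nslookup -type=srv on older builds), and the domain list is a constructed sample.

```powershell
# Constructed sample list of domains the KMS should publish to (assumption).
$Domains = @('fake.company.com', 'child.fake.company.com')
$KmsKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'

# 1. Create or overwrite the REG_MULTI_SZ value, one domain per entry.
New-ItemProperty -Path $KmsKey -Name 'DnsDomainPublishList' `
    -PropertyType MultiString -Value $Domains -Force | Out-Null

# 2. Restart Software Protection so it re-reads the list and republishes.
#    Service name 'sppsvc' is an assumption for this Windows version.
Restart-Service -Name sppsvc

# 3. Give the service time to attempt publishing, then show the outcome events
#    (12294 = success, 12293 = failure, message carries the HRESULT).
Start-Sleep -Seconds 30
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 12293, 12294 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.TimeCreated -gt (Get-Date).AddMinutes(-5) } |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 4. For every domain, list whatever _VLMCS._TCP SRV records exist. More than one
#    target, or a target that is not this host, means another KMS is answering.
$ThisHost = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
foreach ($d in $Domains) {
    $srv = Resolve-DnsName -Name "_vlmcs._tcp.$d" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) {
        "$d : no _VLMCS SRV record found (publishing has not succeeded yet)"
        continue
    }
    foreach ($r in $srv) {
        $flag = if ($r.NameTarget -ieq $ThisHost) { 'this host' } else { 'OTHER KMS HOST' }
        '{0} : {1}:{2} ({3})' -f $d, $r.NameTarget, $r.Port, $flag
    }
}
```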
