KMS isn’t so bad. It is of course on the way out, to be replaced by Active Directory-based Activation in Server 2012, but KMS will stick around until all of our Server 2008 R2 machines are out of production. Given that we still manage some Windows 2003 servers (if we must), I think it’s fair to assume we’ll still be using KMS well into the next decade.
One of our clients has an environment running KMS on Windows Server 2008 R2. In June of last year, they started deploying Windows Server 2012 R2 servers. The KMS server had previously been patched to support Server 2012 and 2012 R2 KMS clients. Because no one complained in June, I had assumed that someone had activated the proper key on the KMS server to support the new version.
In December, he reported that his newest servers weren’t activating properly.
Their two most recently deployed servers were reporting activation errors. I logged into one of the machines that was reporting activation errors and ran the trusty activation command:
… and got this gem back in response:
The Software Protection Service reported that the computer could not be activated. No Key Management Service (KMS) could be contacted. Please see the Application Event Log for additional information.
The first thing I do, naturally, was just to make sure my KMS server was in fact reachable from this machine. It was. Then, I started to dive into the rabbit-hole that is KMS troubleshooting:
- Ensure the domain _VLMCS DNS records are correct
- Ensure the Software Protection Service (sppsvc) is in fact running on the KMS server
- Ensure that the proper KMS key and channel (VOLUME_KMS_2012-R2 channel) shows up in the KMS server’s licensing (slmgr /dlv all)
- Double-check that MS KB2885698 is installed to add support for newer operating systems on a Windows 2008 R2 KMS host
At first blush, everything appeared to be fine. So then I refer back to the application event log, hoping against hope that the “additional information” wasn’t some weird circular reference. I found this error in the Windows Application log:
Source: Microsoft-Windows-Security-SPP Event ID: 8198 Description: License Activation (slui.exe) failed with the following error code: hr=0xC004F074
You can actually see the text of the slui.exe errors with a command like this, run on a Windows machine with a GUI (i.e., not Core):
slui.exe 0x2a 0xC004F074
Which pops up a helpful “An error has occurred” window, with an optional details pane that indeed reports the exact text of the error message that we started with.
So I’ve got a KMS server that looks just fine that my new servers are complaining about.
So what’s the problem?
It turns out that the KMS server was in fact missing the proper key.
The reason I overlooked this problem in step 3 of my troubleshooting above was that the KMS server output for that channel looked valid, but had a few problem indicators that I missed.
Name: Windows Server(R), ServerDatacenter edition Description: Windows Operating System - Windows Server(R), VOLUME_KMS_2012-R2 channel Activation ID: abcd1234-b123-ffff-9944-aabbccddeeff Application ID: 4321dcba-b123-ffff-9944-aabbccddeeff Extended PID: Installation ID: Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88342 Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88343 Use License URL: http://go.microsoft.com/fwlink/?LinkID=88345 Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88344 This license is not in use. License Status: Unlicensed Remaining Windows rearm count: 3 Trusted time: 12/16/2015 3:05:50 PM Key Management Service is enabled on this machine Current count: 50 Listening on Port: 1688 DNS publishing enabled KMS priority: Normal Key Management Service cumulative requests received from clients Total requests received: 19755 Failed requests received: 1372 Requests with License Status Unlicensed: 0 Requests with License Status Licensed: 18065 Requests with License Status Initial grace period: 140 Requests with License Status License expired or Hardware out of tolerance: 76 Requests with License Status Non-genuine grace period: 0 Requests with License Status Notification: 102
So what’s wrong?
- The Extended PID and Installation ID fields are empty. These appear to be added when a successful activation for the key is completed.
- There’s no “Partial product key” line.
- The two (glaringly obvious in retrospect) lines that report “license not in use” and “Status: Unlicensed.”
I glossed over these initially because I assumed that this state was referring to the local machine’s usage of the key, or lack thereof, as it was Server 2008 R2. My assumption was supported by the very high number of “Requests with License Status Licensed”. Finally, Google searches regarding these lines was wholly inconclusive.
As a troubleshooting step, I asked my client for their 2012 R2 KMS key. I then installed the key and performed activation (slmgr /ipk <your key here>; slmgr /ato <your activation id here>). This of course solved the problem entirely, altered the output to fix all of the issues I described above, and allowed my downstream KMS clients to activate to their heart’s content.
It’s also worth noting that when I attempted to preform the activation of the proper channel before installing the key, slmgr gave back a cryptic, yet accurate error:
Error: product not found
In retrospect, also true! Might be more useful to say something like “the activation ID you’re attempting to activate doesn’t have a product key associated with it,” but that’s just one man’s opinion.