Activating Windows with AD based activation isn't working

    Question

  • Hi all,

    This is for a domain running exclusively Server 2012 R2 machines, set at the highest functional/forest levels.

    Most machines in this domain aren't able to access the internet, and as file servers, have no need to. I'm trying to activate Windows on them, and am trying to achieve this using AD based activation.

    I've installed the Volume Licensing service on the DC, configured our KMS key correctly, and can see the product key if I go slmgr.vbs /ao-list or look in ADSI edit. If I try and then activate against this key (slmgr.vbs /ad-activation-online 2X***-***...) then it fails with a time out error. I installed Wireshark to see what was happening, and it's trying to talk to the MS activation servers, which are being blocked, and killing the operation. The logged on user has rights over the Activation Object - not that it's even getting to that stage.

    My question is: why could it still be trying to activate against MS, and not using our AD-BA configuration?! Am I using the wrong command, or is something else weird happening?

    Thanks!

    Joe


    Wednesday, February 22, 2017 9:22 AM

All replies

  • Although reading further, it seems as though the slmgr.vbs /ad-activation-online command is just for pushing the product key into AD in the first place.

    In which case I'm even more at a loss as to how/why these VMs aren't activating if they don't need a separate command (as was my initial understanding).

    Wednesday, February 22, 2017 9:33 AM
  • Hi

    "and it's trying to talk to the MS activation servers, which are being blocked" >>> For Windows 7/2008 R2 and earlier, you'll still need to maintain those old KMS hosts, so that's normal: the old clients try to reach KMS. But new OSes like Win 8.1 and Win 10 use ADBA. Also, you should use the "Windows Srv 2012R2 DataCtr/Std KMS for Windows 10" licence. Check the articles for details:

    https://support.microsoft.com/tr-tr/help/3086418/error-0xc004f015-when-you-try-to-activate-windows-10-enterprise-on-a-windows-server-2012-r2-and-windows-server-2008-r2-kms-host

    https://technet.microsoft.com/en-us/itpro/windows/deploy/activate-using-key-management-service-vamt

    https://blogs.technet.microsoft.com/askpfeplat/2013/02/04/active-directory-based-activation-vs-key-management-services/


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Wednesday, February 22, 2017 11:42 AM
  • Hi,

    Thanks, but I'm only using 2012 R2 for everything in this domain. There's no Windows 7, 8, 8.1, 10 or Server 2008 R2 or older. There never was a KMS server - this is the first time anyone's attempted to centralise activation on this domain. 

    My AD-BA server (one of the DCs) has the relevant two patches installed, and the key is hosted in AD correctly. Given it's an AD object and will replicate to all other DCs, I don't think the patch would be needed for AD-BA - I suspect that's only needed for KMS, although if Windows Updates pushed it to one server, the other 3 should have it too. (The guides don't mention needing the patch for ADBA, just KMS.)

    I don't think the problem is with the key itself, but with making the clients try and use that key. They keep trying to activate over the internet, and not using our internal servers.

    I've followed the guides as they say to do, and it's not working.

    Joe


    Thursday, February 23, 2017 12:39 PM
  • Hi Joe,
    Are there any event logs in the event viewer to offer more details?
    If the Active Directory object is unreachable, clients will attempt to use the next available activation method, which is the KMS activation method. This means if the AD object is unreachable, the client will go check DNS for an SRV record for a KMS host. In this case, I would suggest checking whether the Software Protection service starts or not; ADBA takes place after the Software Protection service starts. When the Software Protection service starts, the computer contacts AD DS automatically, receives the activation object, and activates without user intervention.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, February 27, 2017 8:07 AM
    Moderator
  • Hi Joe,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy



    Friday, March 3, 2017 6:57 AM
    Moderator
  • Hi Wendy,

    Sorry for the delay in getting back to you - other things cropped up.

    I've looked at this some more, and it's working with freshly installed versions of Windows, but fails when I try and activate a machine deployed from one of our VM templates. So ADBA is working as expected, but the machines we have are problematic, so I need to look into that.

    Thanks for your help,

    Joe

    Wednesday, March 29, 2017 9:36 AM
  • Hi Joe,

    Did you ever find a fix for this? I'm running into the same issue with some of our 2016 servers.

    Thanks,

    Josh

    Friday, January 19, 2018 10:43 PM
  • Hi Josh,

    Yes, I did get it working in the end on both Server 2012 R2 + 2016.

    I don't know how your setup is working, but I found that if I installed Server straight from an ISO, then it would activate correctly, but if I used one of our VMware templates, it wouldn't use ADBA properly. In the end, I simply recreated the template and it worked. Really not sure what the problem was with the template, but it's been fine ever since...

    Worth noting... I set up ADBA in a forest with three domains (blah.com, dfs.blah.com, users.blah.com), and servers in one of the child domains (dfs.blah.com + users.blah.com) need access to the domain root/parent (blah.com) in order for ADBA to work, as it's a forest-wide AD object, not just one domain. Not sure if that's a concern for you, but it caused me a sticking point at first until I got the firewall adjusted accordingly.

    Hope that helps/good luck!

    Joe

    Monday, January 22, 2018 8:29 AM
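
The checks discussed in this thread (Software Protection service state, whether the client can read the forest-wide activation object, and the KMS SRV fallback) can be gathered in one read-only pass on a failing client. This is an added example, not code posted by anyone in the thread; the function name `Get-AdbaClientState` is hypothetical, and it assumes a domain-joined machine running Server 2012 or later.

```powershell
# Added diagnostic sketch (not from the thread). Read-only: queries local
# licensing state, the forest Configuration partition, DNS and the event log.
function Get-AdbaClientState {
    # 1. ADBA only takes place after the Software Protection service has started.
    $svc = Get-Service -Name sppsvc

    # 2. Licensing state of the installed Windows edition. The Description field
    #    includes the key channel; ADActivationObjectName is filled in only
    #    after a successful AD-based activation.
    $win = Get-CimInstance -ClassName SoftwareLicensingProduct `
               -Filter "PartialProductKey IS NOT NULL" |
           Where-Object { $_.Name -like 'Windows*' } |
           Select-Object -First 1

    # 3. Activation objects live in the forest-wide Configuration partition,
    #    so a child-domain client must be able to reach a DC that serves it.
    $objects = @(); $adError = $null
    try {
        $cfg  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
        $base = [ADSI]"LDAP://CN=Activation Objects,CN=Microsoft SPP,CN=Services,$cfg"
        $srch = New-Object System.DirectoryServices.DirectorySearcher(
                    $base, '(objectClass=msSPP-ActivationObject)')
        $objects = @($srch.FindAll() | ForEach-Object { $_.Properties['name'][0] })
    } catch { $adError = $_.Exception.Message }

    # 4. Fallback: if the AD object is unreachable, the client looks up a KMS
    #    host through the _vlmcs._tcp SRV record.
    $domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
    $srv = Resolve-DnsName -Name "_vlmcs._tcp.$domain" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }

    # 5. Most recent Software Protection Platform events for more detail.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'
                  ProviderName = 'Microsoft-Windows-Security-SPP' } `
                  -MaxEvents 5 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SppService           = $svc.Status
        Product              = $win.Description
        LicenseStatus        = $win.LicenseStatus            # 1 = licensed
        ActivationTypeForced = $win.VLActivationTypeEnabled  # 0 = any, 1 = AD, 2 = KMS
        BoundActivationObj   = $win.ADActivationObjectName
        VisibleActivationObj = $objects
        AdLookupError        = $adError
        KmsSrvTargets        = @($srv.NameTarget)
        RecentSppEventIds    = @($events.Id)
    }
}

Get-AdbaClientState | Format-List
```

An empty `VisibleActivationObj` together with a populated `AdLookupError` points at connectivity or permissions towards the Configuration partition rather than at the key itself.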