How to Secure a KMS Server

  • Question

  • Hello

         I have some questions about KMS Server. Please, can anyone help me?

         1. How can I report, or list by command, all IPs currently activated through KMS for Windows or Office?

         2. Currently I see that every user (admin on a client PC) can activate through KMS by command. How can I secure it so that activation requires a password, or so that only client IPs allowed on the KMS server can activate?

         3. If a client activates against KMS successfully the first time, when will the client connect to KMS to check again? I see some clients notify that the license has expired and needs activating again. Must I set a command in the scheduler so that it runs the command every day?

         4. If a client activated successfully against KMS1 and server KMS1 then fails, can it activate against KMS2 if DNS round robin is used?

         5. For all clients that activated against KMS1: if KMS1 fails and I install a new server, set the same IP and configure KMS again, will the clients activate automatically, or must I run the KMS activation command on every client?

    Thanks

     

    Saturday, June 24, 2017 4:16 AM

Answers

  • Hi,

    (1) You can examine the Windows event logs on the KMShost server to see the hostnames of the KMSclients contacting the KMShost. This article is helpful for understanding the events generated: https://technet.microsoft.com/en-us/library/ee939272.aspx

    (2) KMS is designed to be unrestricted. The sppsvc service runs on the KMSclient computer and does not use any user identity/credential/password. It is possible to use 'server isolation' techniques, but it is complex to do that: https://technet.microsoft.com/en-us/library/cc723923(technet.10).aspx

    Also note that restricting a KMSclient from contacting the KMShost is not an effective method for controlling licensing. If a computer has a Volume License product (e.g. Windows or Office) installed, it does not matter whether it is activated: if the product is installed, it must be covered by a license. Even if it is not activated, a license is still required.

    (3) When a KMSclient has successfully contacted a KMShost and successfully activated, by default it will be 7 days before a renewal is attempted (unless you restart the KMSclient; at startup of a KMSclient, a renewal is attempted): https://technet.microsoft.com/en-us/library/dn502530.aspx

    (4) Yes, you can implement KMS1 and KMS2. If you publish both KMS1 and KMS2 into your DNS, your KMSclients will auto-discover both/either KMS1/KMS2, and will automatically try both/either until success.

    (5) If you publish both KMS1 and KMS2 into your DNS, your KMSclients will auto-discover both/either KMS1/KMS2, and will automatically try both/either until success. There is no need to "force" an activation - KMSclient is designed to auto-discover via DNS.


    Don [doesn't work for MSFT, and they're probably glad about that ;]


    • Edited by DonPick Saturday, June 24, 2017 6:15 AM
    • Proposed as answer by Alvwan Monday, June 26, 2017 6:25 AM
    • Marked as answer by Ngo Thanh Tien Saturday, July 1, 2017 4:01 AM
    Saturday, June 24, 2017 6:13 AM
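
An added example for point (1) above, not part of the original thread: a PowerShell inventory of the clients that have sent activation requests to the KMS host. The log name, event ID 12290 and the field order are assumptions taken from Microsoft's KMS event documentation and should be checked against a raw event on your host.

```powershell
# Added example. Run on the KMS host in an elevated PowerShell session.
# Assumptions (not stated in the thread): the 'Key Management Service' log,
# event ID 12290, and the comma-separated field order in $fields follow
# Microsoft's KMS event documentation. Check one raw event on your host first.
$fields = 'ResultCode', 'MinCount', 'ClientFqdn', 'Cmid', 'ClientTime',
          'IsVm', 'LicenseState', 'MinutesToExpiry', 'ActivationId'

function ConvertFrom-KmsRequest {
    param([string]$Message, [datetime]$Logged)
    # The payload is the run that starts with a hex result code and has at
    # least eight further comma-separated values.
    $m = [regex]::Match($Message, '0x[0-9A-Fa-f]+(?:,[^,\r\n]*){8,}')
    if (-not $m.Success) { return }          # unexpected layout: skip, do not guess
    $parts = $m.Value -split ','
    $row = [ordered]@{ Logged = $Logged }
    for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $parts[$i].Trim() }
    [pscustomobject]$row
}

$since = (Get-Date).AddDays(-30)             # look-back window, adjust as needed
$requests = Get-WinEvent -FilterHashtable @{
        LogName = 'Key Management Service'; Id = 12290; StartTime = $since
    } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-KmsRequest -Message $_.Message -Logged $_.TimeCreated }

# One row per client machine ID (CMID): last request seen and request count.
$requests | Group-Object Cmid | ForEach-Object {
    $last = $_.Group | Sort-Object Logged -Descending | Select-Object -First 1
    [pscustomobject]@{
        ClientFqdn   = $last.ClientFqdn
        Cmid         = $_.Name
        Requests     = $_.Count
        LastSeen     = $last.Logged
        LastResult   = $last.ResultCode
        LicenseState = $last.LicenseState
    }
} | Sort-Object LastSeen -Descending | Format-Table -AutoSize
```

Client names in the output that do not belong to your environment are the thing to look for, since the host answers any client that can reach it.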
  •      6. How do I configure KMS auto-discovery so that clients activate automatically?

         7. If KMS auto-discovery is configured, must a client be a domain member to get automatic KMS activation?

         8. When should Active Directory-based activation be enabled? Will all domain-member clients activate automatically against KMS?

         

    (6) In the Volume Activation Tools wizard, on the Configuration page, enable Publish to DNS. KMSclients will auto-discover the KMShost server name via DNS.

    (7) For KMSclients, there is no need to be a Domain member if using DNS Publishing.

    (8) ADBA requires that clients be Domain members; ADBA will auto-activate Domain members.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    • Proposed as answer by Alvwan Tuesday, June 27, 2017 1:40 AM
    • Marked as answer by Ngo Thanh Tien Saturday, July 1, 2017 4:00 AM
    Monday, June 26, 2017 10:38 AM
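
An added example for the DNS publishing described in answers (4) to (6), not part of the original thread: because clients try whichever KMS hosts DNS returns, this PowerShell check compares the published SRV records with the hosts you expect. The zone name and host names are placeholders, and `_vlmcs._tcp` is the SRV name KMS clients query.

```powershell
# Added example. Compares the KMS hosts published in DNS with an allowlist.
# Assumptions (not stated in the thread): $zone and $authorized are placeholders;
# _vlmcs._tcp is the SRV name that KMS clients query for auto-discovery.
$zone       = 'corp.example.com'
$authorized = @('kms1.corp.example.com', 'kms2.corp.example.com')

function Get-PublishedKmsHost {
    param([string]$Zone)
    Resolve-DnsName -Name "_vlmcs._tcp.$Zone" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Section -eq 'Answer' -and $_.NameTarget } |
        ForEach-Object {
            [pscustomobject]@{
                Target   = $_.NameTarget.TrimEnd('.').ToLowerInvariant()
                Port     = $_.Port
                Priority = $_.Priority
                Weight   = $_.Weight
            }
        }
}

$published = @(Get-PublishedKmsHost -Zone $zone)

# Every published record: is it expected, and does it answer on its port?
$published | ForEach-Object {
    $probe = Test-NetConnection -ComputerName $_.Target -Port $_.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target     = $_.Target
        Port       = $_.Port
        Priority   = $_.Priority
        Authorized = $authorized -contains $_.Target
        Reachable  = $probe.TcpTestSucceeded
    }
} | Format-Table -AutoSize

# Hosts you expect that clients cannot discover, and records nobody approved.
$missing    = $authorized | Where-Object { $_ -notin $published.Target }
$unexpected = $published  | Where-Object { $_.Target -notin $authorized }
if ($missing)    { Write-Warning "Not published in DNS: $($missing -join ', ')" }
if ($unexpected) { Write-Warning "Unapproved SRV targets: $($unexpected.Target -join ', ')" }
```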

All replies

  • Hello 

        Thanks for your question; some of what I asked is now clear. I have another question.

         6. How do I configure KMS auto-discovery so that clients activate automatically?

         7. If KMS auto-discovery is configured, must a client be a domain member to get automatic KMS activation?

         8. When should Active Directory-based activation be enabled? Will all domain-member clients activate automatically against KMS?

         

         Thanks

    Monday, June 26, 2017 9:04 AM
  • Thanks for all your support

    Wednesday, June 28, 2017 12:42 AM
  • Hi,

    If the replies above are helpful, we would appreciate it if you marked them as answers, as it will be very beneficial for other community members who have similar questions.

    Thanks for your cooperation.

    Best Regards,

    Alvin Wang



    Wednesday, June 28, 2017 2:30 AM
  • Thanks for all support
    Thursday, July 6, 2017 11:47 PM