

Setup KMS Host in Azure

Question

Tuesday, February 12, 2019 5:47 AM

I would like to inquire if there's an article about KMS server hosted in Azure or how to set it up in Azure. We are exploring to put up a KMS host server in Azure for our desktop machines in regional offices (not connected in our network/IPVPN).

What are the requirements, if there are any?

All replies (9)

Tuesday, February 12, 2019 2:00 PM ✅Answered | 1 vote

Hi Christian, 

Here is the documentation which describes "Configure a KMS host computer to activate volume licensed versions of Office": https://docs.microsoft.com/en-us/deployoffice/vlactivation/configure-a-kms-host-computer-for-office

Regards, 

Msrini


Friday, February 22, 2019 10:18 AM ✅Answered

Hi There,

As you have gone through the official documentation, I want to share with you a summary of the possible issues for further reference.

Issue Definition:

KMS activation of Windows VMs in VNET “example-azure-technet” all fails.

Root Cause Analysis:

  1. Azure uses kms.core.windows.net:1688 as the activation server; a VM must have an outbound connection to that address to activate.
  2. You might have customized your VNET route table, where all Internet traffic goes to a particular IP like "10.23.42.223":

         {
           "Name": "default-route",
           "RouteSource": "UserDefinedRoute",
           "DestinationSubnets": [
             {
               "IPAddress": "0.0.0.0",
               "Prefix": 0
             }
           ],
           "NextHopType": "IPV4_CA",
           "NextHops": [
             "10.23.42.223"
           ],
           "IsEnabled": true
         }

  3. The address kms.core.windows.net must be blocked on the virtual appliance 10.23.42.223 for outbound routing.

Resolution:

#Option1

Enable outbound connection to kms.core.windows.net on the 10.23.42.223 software setup; it could be a firewall, proxy, gateway, etc.

#Option2

We used the 2nd option by adding a direct way to connect to **kms.core.windows.net** in the network route table.

The detailed steps include:

  1. Go to Azure portal > Route tables > select your route table > Routes > Add
  2. Add a new route with these details:

     Route Name: KMS

     Address Prefix: 23.102.135.246/32 (This is the IP of kms.core.windows.net)

     Next hop type: Internet

  3. Now the route is added to your VNET default route.
  4. Next, we noticed that your VMs are automatically activated already with network connectivity resumed to the KMS server.
  5. Also, you can run cscript c:\windows\system32\slmgr.vbs /ato to manually activate the servers.

Hope this helps. Happy working :)

If there are any further questions, please feel free to let me know.

Cheers,

Gourav

Please remember to mark the replies as answers if it helped.
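Why Option 2 in the reply above works, as an added example that is not part of the original post: when several routes match a destination, Azure uses the one with the longest prefix, so the /32 KMS route wins over the 0.0.0.0/0 route for that one address only. The route list is constructed in the shape of the dump in the reply; the "KMS" entry's fields, the "Internet" next-hop string and the helper names are assumptions.

```python
import ipaddress
import json

# Constructed sample in the shape of the route dump quoted in the reply.
# The "KMS" entry and its "Internet" next-hop string are assumptions.
ROUTES_JSON = """
[
  {"Name": "default-route", "RouteSource": "UserDefinedRoute",
   "DestinationSubnets": [{"IPAddress": "0.0.0.0", "Prefix": 0}],
   "NextHopType": "IPV4_CA", "NextHops": ["10.23.42.223"], "IsEnabled": true},
  {"Name": "KMS", "RouteSource": "UserDefinedRoute",
   "DestinationSubnets": [{"IPAddress": "23.102.135.246", "Prefix": 32}],
   "NextHopType": "Internet", "NextHops": [], "IsEnabled": true}
]
"""

def load_routes(text=ROUTES_JSON):
    return json.loads(text)

def next_hop(routes, destination):
    """Return (name, next-hop type, next hops) of the enabled route with the
    longest prefix covering destination, or None if no route matches."""
    dest = ipaddress.ip_address(destination)
    best, best_len = None, -1
    for route in routes:
        if not route.get("IsEnabled", False):
            continue  # disabled routes never carry traffic
        for subnet in route["DestinationSubnets"]:
            net = ipaddress.ip_network(
                f"{subnet['IPAddress']}/{subnet['Prefix']}", strict=False)
            if dest in net and net.prefixlen > best_len:
                best, best_len = route, net.prefixlen
    if best is None:
        return None
    return best["Name"], best["NextHopType"], best["NextHops"]

def forced_through_appliance(routes, destination, appliance_type="IPV4_CA"):
    """True when traffic to destination is handed to a virtual appliance."""
    hop = next_hop(routes, destination)
    return hop is not None and hop[1] == appliance_type

if __name__ == "__main__":
    kms_ip = "23.102.135.246"  # IP the reply gives for kms.core.windows.net
    routes = load_routes()
    before = [r for r in routes if r["Name"] != "KMS"]
    print("before fix:", next_hop(before, kms_ip))
    print("after fix: ", next_hop(routes, kms_ip))
    print("other dest:", next_hop(routes, "203.0.113.10"))  # constructed address
```

Every other destination still resolves to the appliance, so the exemption stays as narrow as the single /32 and the rest of the outbound traffic keeps being inspected.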


Thursday, April 4, 2019 6:20 PM ✅Answered

You can check this blog : https://blogs.technet.microsoft.com/hybridcloudbp/2016/01/29/windows-server-activation-best-practices/

Regards, 

Msrini


Tuesday, February 12, 2019 10:30 PM

Thanks. Already set up a KMS host on-prem and it's working.

How about in Azure? Is it possible to set up a KMS host server where desktop machines outside our on-prem network can be activated? Is the process the same?


Wednesday, February 13, 2019 4:57 AM

I don't see any issue with deploying KMS host server on Azure. Make sure necessary ports are open in NSG. 

If you face any issue, please let us know. 

Regards, 

Msrini


Monday, February 18, 2019 2:46 AM

Great, thank you!

How about the security? Is there a way that, when you type the commands below, you will be prompted for credentials?

cscript c:\windows\system32\slmgr.vbs /skms <KMS client setup key>

cscript c:\windows\system32\slmgr.vbs /ato


Friday, February 22, 2019 5:58 AM

Hi Christian, 

Azure has NSG to protect your VM, which you can leverage. You can also use NVAs to inspect all the traffic which is passing via the NVA.

Regarding your application as such, you need to secure it with custom code or scripts.

Regards, 

Msrini


Thursday, April 4, 2019 6:11 PM

Are there best practices when putting up KMS server in Azure?

Thanks for the reply Guys. Appreciated a lot.


Monday, April 8, 2019 9:34 PM

Hi Msrini,

I already created a VM in a test subscription in Azure. I am able to communicate to my VM from a public IP by opening ports 3899 and 1688 for RDP and KMS, respectively.

I can redirect a machine with a public IP using the script: cscript slmgr.vbs /skms xx.xxx.xx.xxx:1688 and from the VM server, the current count recorded 1 already via cscript slmgr.vbs /dli.

I'm not sure if my inbound rules are correct or in a secure config, as I am trying to allow connection to only a specific public IP (source/destination) but it is not working. (Outbound rule: default config)

Thanks in advance.