Active Directory-based activation. How it works with subdomains/child domains?

2020-12-14T08:46:42.087+00:00

Hello everyone! I am planning to deploy ADBA in a forest with multiple domains. There is a root domain and a subdomain. The forest is geographically dispersed. Each location has a root domain controller. Schema Version 2012R2. How to properly deploy ADBA? In which domain should I deploy to? ADBA uses Active Directory client-server communication ports https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)?redirectedfrom=MSDN Does ADBA use all ports from the list or are several (which ones?) enough? Where will the server or client OS from the domain child-domain2.child-domain1.root.com get the activation object after deployment and reboot? I see this https://social.msdn.microsoft.com/Forums/en-US/a636d389-d947-4843-833f-3da52d0dd2d0/best-practice-for-volume-licensing-with-child-domains?forum=winserver8gen but this solution about KMS and DNS, not about ADBA. Thank you!

Windows Server 2012
Windows Server 2012
A Microsoft server operating system that supports enterprise-level management, data storage, applications, and communications.
1,527 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,843 questions
{count} votes

3 answers

Sort by: Most helpful
  1. Fan Fan 15,291 Reputation points Microsoft Vendor
    2020-12-15T03:44:13.077+00:00

    Hi,
    Active Directory-Based Activatio is forest wide,to use ADBA, one or more KMS Host keys (CSVLKs) must be installed on the AD forest, and client keys (GVLKs) must be installed on the client products. But no need to have a KMS host for every (child) domain.
    You can deploy it on the parent domain or the parent domain.
    Just make sure that the SRV record for the KMS host was added on the DNS server in the child or parent domain .
    For your reference:
    https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/active-directory-based-activation-vs-key-management-services/ba-p/256016

    Since AD-Based Activation uses AD, we use LDAP instead of the RPC 1688 tcp port used with KMS.
    For your reference:
    https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/active-directory-based-activation-vs-key-management-services/ba-p/256016

    Best Regards,

    0 comments No comments

  2. 2020-12-15T10:38:59.037+00:00

    The Domain Controller, in witch I deploy Volume Activation Services will be a KMS Host for SRV record in child domains?
    Question: Does ADBA use KMS host to activate operating systems?
    I understand correctly that the SRV record should be like this:
    Service name: _ldap
    Protocol: TCP
    Domain in which service is to be available: <your child domain>
    Time-to-live: 3600 seconds (recommended by Microsoft)
    Record type: SRV
    DNS priority: 0
    DNS weight: 100
    Service port number: 389
    Hostname: FQDN of your KMS Server (NOTE: Append the dot at the end of FQDN)

    will such a setting lead to the direction of all LDAP requests of the child domain to the domain controller with the role Volume Activation Services

    0 comments No comments

  3. Fan Fan 15,291 Reputation points Microsoft Vendor
    2020-12-16T04:14:40.86+00:00

    Hi,
    Active Directory-based Activation uses commonly used Active Directory client-server communication ports. Please refer to the following link:
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts

    Based on my understanding , you can just confirm the DNS server if there are the records for the kms host. Normally, if the forest is health, no additional operations needed.
    ADBA stores its activation objects under configuration partition within Active Directory. So it replicates with the forest. This means as long as a client can contact with Active Directory, that client can be activated by receiving the activation object from a DC .No necessary to contact to the specific KMS server.

    But if there are clients with versions ADBA not supported, the client need to contact tot the KMS server.

    For more details about the process, you can refer to :
    https://learn.microsoft.com/en-us/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client#see-also

    Best Regards,