ADBA setup in a diverse Forested domain, can the child DCs activate the workstation vs opening access to the Forest top level DCs?

F Silver 1 Reputation point
2022-02-04T13:31:39.167+00:00

With a geographically diverse domain structure we are looking to avoid opening the firewalls through to the Forest DCs and to use the Child DCs to activate our end units. We have the AO in the domain and it is replicated to the child DCs, but activation will not happen unless the workstation has access to the Forest. This seems counter to the notion of replication and to the documentation that states any DC can and does support activation. What step have we missed?

Active Directory
A set of directory-based technologies included in Windows Server.

3 answers

  1. Limitless Technology 39,331 Reputation points
    2022-02-11T08:49:02.203+00:00

    Hello

    Thank you for your question and reaching out.

    I can understand you wish some more information about ADBA activation.

    Active Directory-Based Activation is forest-wide; to use ADBA, one or more KMS Host keys (CSVLKs) must be installed in the AD forest, and client keys (GVLKs) must be installed on the client products.

    Just make sure that the SRV record for the KMS host was added on the DNS server in the child or parent domain.

    ADBA stores its activation objects under the configuration partition within Active Directory, so it replicates with the forest. This means that as long as a client can contact Active Directory, that client can be activated by receiving the activation object from a DC.

    To solve this problem we manually added the SRV record for the KMS host in the child domain to the DNS servers in the forest root. This allowed new servers in the forest root to be registered and activated correctly using a KMS key.

    https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/active-directory-based-activation-vs-key-management-services/ba-p/256016


    --If the reply is helpful, please Upvote and Accept as answer--


  2. F Silver 1 Reputation point
    2022-02-11T15:20:04.863+00:00

    This is not an answer, but the site will not let me comment on my post or LimitlessTechnology-2700's post so this is my only option. There are no KMS servers anywhere in this setup. Everything will be dependent on Active Directory Based Activation (ADBA). The ADBA setup and activation was accomplished, and the Activation Objects (AO) can be seen throughout the Forest DCs and all Child DCs. How do we get the Child DCs to activate computers as they join the child domain without opening the firewall to the Forest DCs!? The expectation is all DCs Forest level or Child level should be able to activate since they all have the AO replicated to them. Is the suggestion to put KMS records in DNS pointing to the Child DCs as if they were KMS servers?


  3. F Silver 1 Reputation point
    2022-09-19T12:09:57.213+00:00

    In an attempt to put a stop to the notion that "any DC" can authorize once ADBA is set up, know this about a forest setup of ADBA where it is instantiated at the Forest Root: the clients from the entire structure, from the lowest domain level to the Forest Root, "per the current design and code implementation", will need ongoing access to the Forest Root DCs using CLDAP on UDP port 389 to activate and stay activated.

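The thread ends with two competing claims: the first answer says any DC holding the replicated activation object can activate a client, and the asker's final post says clients nonetheless need CLDAP (UDP 389) to the forest-root DCs. The following PowerShell script is an added diagnostic, written for this page and not posted by anyone in the thread, that lets a practitioner measure the situation from a domain-joined client instead of arguing about it: it reads the activation objects from the configuration partition through the nearest DC, runs the `_vlmcs._tcp` SRV lookup the first answer asks about, finds the forest-root DCs through DNS alone, probes each on TCP 389 and, because `Test-NetConnection` only speaks TCP, on UDP 389 with a hand-built CLDAP rootDSE search, and then attempts activation. It assumes the RSAT ActiveDirectory module is installed, that the client has DNS and LDAP to its own child DC, and that the `msSPP-*` attribute names in `Get-AdbaActivationObject` match the schema (they are written from memory; `Select-Object` simply leaves a column blank if one is wrong). The CLDAP request bytes are constructed here by hand.

```powershell
# Added diagnostic for the ADBA question above (not from the original thread).
# Run on a domain-joined client; requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-CldapPing {
    # Sends a BER-encoded LDAPMessage (messageID 1, SearchRequest: base "",
    # scope base, filter (objectClass=*), no attributes) over UDP 389. AD only
    # answers CLDAP for rootDSE searches, and only from a DC, so any reply
    # proves the UDP 389 path the final post says clients depend on.
    param([Parameter(Mandatory)][string]$Server, [int]$TimeoutMs = 2000)
    $req = [byte[]](0x30,0x25, 0x02,0x01,0x01, 0x63,0x20, 0x04,0x00,
                    0x0A,0x01,0x00, 0x0A,0x01,0x00, 0x02,0x01,0x00, 0x02,0x01,0x00,
                    0x01,0x01,0x00, 0x87,0x0B) +
           [System.Text.Encoding]::ASCII.GetBytes('objectClass') +
           [byte[]](0x30,0x00)
    $udp = [System.Net.Sockets.UdpClient]::new()
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($Server, 389)
        [void]$udp.Send([byte[]]$req, $req.Count)
        $from = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
        $resp = $udp.Receive([ref]$from)
        return ($resp.Length -gt 0)
    } catch { return $false }
    finally { $udp.Close() }
}

function Get-AdbaActivationObject {
    # Activation objects live in the configuration partition, so whichever DC
    # answered Get-ADRootDSE (the child DC, in the asker's setup) can serve them.
    # Attribute names are assumed from the msSPP schema; verify with -Properties *.
    $cfg  = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Activation Objects,CN=Microsoft SPP,CN=Services,$cfg"
    Get-ADObject -SearchBase $base -SearchScope OneLevel `
        -Filter 'objectClass -eq "msSPP-ActivationObject"' -Properties * |
        Select-Object Name, 'msSPP-CSVLKSkuId', 'msSPP-CSVLKPid', 'msSPP-KMSIds'
}

function Get-ForestRootDc {
    # Locate forest-root DCs via DNS only: the _msdcs zone replicates forest-wide,
    # so this works even when LDAP to the root domain is firewalled.
    $root = (Get-ADForest).RootDomain
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$root" -Type SRV |
        Where-Object Type -eq 'SRV' |
        Select-Object -ExpandProperty NameTarget -Unique
}

$answeringDc = (Get-ADRootDSE).dnsHostName
Write-Host "== Activation objects as served by $answeringDc =="
Get-AdbaActivationObject | Format-Table -AutoSize

$domain = (Get-ADDomain).DNSRoot
Write-Host "== KMS SRV records in $domain (an ADBA-only forest has none; that is expected) =="
Resolve-DnsName -Name "_vlmcs._tcp.$domain" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object Type -eq 'SRV' | Format-Table Name, NameTarget, Port -AutoSize

Write-Host "== Forest-root DC reachability from this client =="
$reach = foreach ($dc in Get-ForestRootDc) {
    $tcp = (Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
    [pscustomobject]@{
        DC             = $dc
        'LDAP TCP/389'  = $tcp
        'CLDAP UDP/389' = (Test-CldapPing -Server $dc)
    }
}
$reach | Format-Table -AutoSize

Write-Host "== Activation attempt (LicenseStatus 1 = licensed) =="
cscript //nologo "$env:windir\system32\slmgr.vbs" /ato
Get-CimInstance -ClassName SoftwareLicensingProduct -Filter "PartialProductKey IS NOT NULL" |
    Select-Object Name, LicenseStatus, Description | Format-Table -AutoSize
```

Run it once with the firewall open and once with UDP 389 to the forest-root DCs blocked: if the activation objects still list correctly from the child DC in the blocked run but `slmgr /ato` fails and `CLDAP UDP/389` shows `False`, the client is behaving as the final post describes, and the firewall rule to carry forward is UDP 389 to the forest-root DCs rather than a broad opening to the forest.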