Configuring DNS

The following sections describe concepts for configuring DNS to work with Volume Activation:

  • If more than one KMS host is used, see the section “Change the Default DNS Permissions for SRV Records.”

  • To enable KMS clients using different DNS servers to find KMS hosts, see the section “Publish to Multiple DNS Domains.”

  • To manually add SRV resource records for KMS hosts, see the sections “Manually Create SRV Records in DNS,” “Manually Create SRV Records in a BIND 8.2 or Higher DNS Server,” and “Disable Publishing of KMS SRV Records to DNS.”

Note   DNS changes may not be reflected until all DNS servers have been replicated.

Change the Default DNS Permissions for SRV Records

If you are using only one KMS host, you might not need to configure permissions in DNS. The default behavior is to allow a computer to create an SRV resource record and then update it. However, if you have more than one KMS host (the usual case), the other hosts will be unable to update the SRV resource record unless SRV default permissions are changed.

The following high-level procedure is an example from Microsoft’s own environment. It does not give detailed steps, which might be different from one organization to another, and it is not the only way to achieve the desired result:

  1. Create a global security group in Active Directory® that will be used for your KMS hosts. An example is Key Management Service Group.

  2. Add each of your KMS hosts to this group. They must all be joined to the same domain.

  3. Once the first KMS host is created, it will create the original SRV record. If the first KMS host is unable to create the SRV resource record, it may be because your organization has changed the default permissions. In this case, manually create the SRV resource record as the section “Manually Create SRV Records in DNS” describes.

  4. Set the permissions for the SRV group to allow updates by members of the global security group.

Note   A domain administrator can delegate the ability to carry out the preceding steps to administrators in the organization. To do so, create a security group in Active Directory, give that group permission to change the SRV records, and then add the delegates.

Publish to Multiple DNS Domains

By default, the KMS host is registered only in the DNS domain to which the host belongs. If the network environment has only one DNS domain, no further action is required.

If there is more than one DNS domain name, a list of DNS domains can be created for a KMS host to use when publishing its SRV RR. Setting this registry value suspends the KMS host’s default behavior of publishing only in the domain specified as the Primary DNS Suffix.

Optionally, add priority and weight parameters to the DnsDomainPublishList registry value for KMS. This feature enables an administrator to establish KMS host priority groupings and weighting within each group to define which KMS host to try first and balance traffic among multiple KMS hosts.

Note   DNS changes might not be reflected until all DNS servers have been replicated. Changes made too frequently (time < replication time) can leave older records if the change is performed on a server that has not been replicated.

To automatically publish KMS in multiple DNS domains, add each DNS domain suffix to whichever KMS should publish to the multi-string registry value DnsDomainPublishList in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform. After changing the value, restart the Software Licensing Service to create the SRV RRs.

Note   This key has changed from the Windows Vista® location of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SL.

After configuring a KMS host to publish to multiple domains, export the registry key, and then import it in to the registry on additional KMS hosts. To verify that this procedure was successful, check the Application event log on each KMS host. Event ID 12294 indicates that the KMS host successfully created the SRV RRs. Event ID 12293 indicates that the attempt to create the SRV RRs was unsuccessful. For a complete list of error codes, see the Volume Activation Operations Guide.

Manually Create SRV Records in DNS

If the environment does not support DDNS, the SRV RRs must be manually created to publish the KMS host. Environments that do not support DDNS should disable publishing on all KMS hosts to prevent event logs from collecting failed DNS publishing events. To disable auto-publishing, use the Slmgr.vbs script with the /cdns command-line option. See the “Configuring KMS” section for more information about the Slmgr.vbs script.

Note   Manually created SRV RRs can coexist with SRV RRs that KMS hosts automatically publish in other domains as long as all records are maintained to prevent conflicts.

Using DNS Manager, in the appropriate forwarding lookup zone, create a new SRV RR using the appropriate information for the location. By default, KMS listens on TCP port 1688, and the service is _VLMCS. Table 2 contains example settings for a SRV RR.

Table 2   SRV Resource Record

Name

Setting

Service

_VLMCS

Protocol

_TCP

Port number

1688

Host offering the service

FQDN of KMS Host

Manually Create SRV Records in a BIND 8.2 or higher DNS Server

If the organization uses a non-Microsoft DNS server, the needed SRV RRs can be created as long as the DNS server is compliant with Berkeley Internet Name Domain (BIND) 8.2 or higher. When creating the record, include the information shown in Table 3. The Priority and Weight settings shown in Table 3 are only used by Windows 7 and Windows Server 2008 R2.

Table 3   SRV RR Information

Name

Setting

Name

_vlmcs._tcp

Type

SRV

Priority

0

Weight

0

Port

1688

Hostname

FQDN of KMS Host

To configure a BIND 8.2 or higher DNS server to support KMS auto-publishing, configure the BIND server to enable RR updates from KMS hosts. For example, add the following line to the zone definition in named.conf:

allow-update { any; };

Note   An allow-update statement can also be added in named.conf.options to allow DDNS for all zones hosted on this server.

Disable Publishing of KMS SRV Records to DNS

KMS hosts automatically publish their existence by creating SRV RRs in DNS. To disable automatic DNS publishing by a KMS host, use the Slmgr.vbs script with the /cdns command-line option.

Using the Slmgr.vbs script to disable automatic DNS publishing is preferred, but you can also perform this task by creating a new DWORD value called DisableDnsPublishing in the registry, and set its value to 1. This value is at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform in the registry. To re-enable the default behavior for publishing of KMS SRV records to DNS, set the value to 0.