ITS Documentation

Microsoft Key Management Service (KMS)
at the University of Michigan

S4362 • February 2015

This document provides information for system administrators on the Microsoft Key Management Service (KMS) and the university's KMS server.

What Is KMS?

Beginning with Windows Vista and Windows Server 2008 products, Microsoft implemented the Key Management Service (KMS) for validating its Enterprise software. Future Enterprise products will also be KMS-capable.

KMS offers many advantages — especially to computer lab administrators — and must be used on any machine capable of connecting to a U-M KMS-served network. In the rare circumstances where this is not possible, system administrators may request a Multiple Activation Key (MAK). There is only one situation where you should use an MAK: the machine is located off-campus and is unlikely to connect to the campus network — even through a Virtual Private Network (VPN) — for at least 6 months.

KMS Server at U-M

A university-wide KMS server is available at no charge for university-owned workstations and servers. Co-hosted by Information and Technology Services (ITS), this secure service is reliable and redundant.

FOR UNIVERSITY-OWNED MACHINES ONLY: U-M policy prohibits using KMS on a personally-owned computer, even if it is used for university business and is running university-licensed software.

The server's addresses are:



We highly recommend U-M system administrators use this service to manage KMS-capable Microsoft Enterprise products deployed on university-owned computers. You should only consider running a separate KMS server under very rare circumstances.

Activating Products

  • AUTOMATIC: Microsoft KMS-capable products will automatically find the university-wide KMS server under either of the following conditions:

    • the machine is within the UMROOT domain.

    • the machine uses a DNS server that includes an SRV record for the to-be-activated workstation.

  • MANUAL: You can manually set up KMS activation if the machine:

    • has an IP address within a university-owned subnet, including Virtual Private Network (VPN) connections

    • is able to use in- and outbound TCP port 1688 to access
      FIREWALL? You only need to provide access to U-M's network using either, university subnets, or the KMS server's IP addresses. If you use Virtual Firewall, you should be covered by a Global Rule, but please check with the service owners.

Additional Resources

Visit ITS's Information System to obtain ITS computing documentation and other resources. A list of relevant documents follows:

Microsoft Documentation

ITS's IT Staff section provides a variety of help resources for its products and services.

The ITS Service Center provides a variety of computing help resources.

For further help with this or any other topic, call 734-764-HELP [4357] or submit an online service request.

Appendix A: Manually Activating Machines

If the machine cannot be set up for automatic activation but meets the manual activation criteria noted in Activating Products, follow these steps:

  1. From the Start menu, select All Programs then Accessories.

  2. RIGHT-click Command Prompt and select Run as administrator.

  3. In the User Account Control window, click Continue.

  4. In the Command Prompt window, enter the commands appropriate for your product.
    NOTE: The first command points the activation to the U-M KMS server. The second command activates the workstation or server.

    • Windows Vista and Server 2008 up to R1:

      %windir%\system32\cscript slmgr.vbs -skms
      %windir%\system32\cscript slmgr.vbs -ato

    • Windows 7 and Server 2008 R2 and later:

      %windir%\system32\cscript slmgr.vbs /skms
      %windir%\system32\cscript slmgr.vbs /ato

Appendix B: Creating an SRV Record

NOTE: In order for auto-discovery to work, the DNS domain corresponding to one or both of the following must contain the KMS SRV record:

  • The primary DNS suffix of the computer

  • The DNS domain name assigned by DHCP

To create an SRV record:

  1. In the DNS server, open the Bind zone file.

  2. Enter a line (SRV record) in the form of

    _vlmcs._tcp.[your subdomain] 3600 IN SRV 0 100 1688

    replacing [your subdomain] with the correct subdomain without the brackets. For example, at the School of Public Health, the line would look like 3600 IN SRV 0 100 1688
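
Added example, not part of the original ITS document: a small Python check that audits a BIND zone file for `_vlmcs._tcp` SRV lines in the form shown above and flags the mistakes that break auto-discovery or point clients at an unintended server. The host name `kms.example.edu.`, the `APPROVED` set and the sample zone are placeholders constructed for illustration, because the real target name is not shown on this page.

```python
import re

KMS_PORT = 1688                       # TCP port the page gives for KMS
APPROVED = {"kms.example.edu."}       # placeholder; the page's host name is not shown

SRV_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:(?P<ttl>\d+)\s+)?IN\s+SRV\s+(?P<prio>\d+)\s+"
    r"(?P<weight>\d+)\s+(?P<port>\d+)(?:\s+(?P<target>\S+))?$",
    re.IGNORECASE,
)

def audit_kms_srv(zone_text, approved=APPROVED):
    """Return [(line_no, owner, [problems])] for each _vlmcs record line."""
    findings = []
    for no, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()          # drop zone-file comments
        if not line.lower().startswith("_vlmcs."):
            continue
        m = SRV_RE.match(line)
        if not m:
            findings.append((no, line.split()[0], ["not a well-formed SRV record"]))
            continue
        problems = []
        if m["owner"].lower().split(".")[:2] != ["_vlmcs", "_tcp"]:
            problems.append("service label must be _vlmcs._tcp")
        if int(m["port"]) != KMS_PORT:
            problems.append(f"port {m['port']} is not {KMS_PORT}")
        target = m["target"]
        if target is None:
            problems.append("no target host")
        elif not target.endswith("."):
            problems.append("target lacks trailing dot; BIND appends the zone origin")
        elif target.lower() not in approved:
            problems.append(f"target {target} is not an approved KMS host")
        findings.append((no, m["owner"], problems))
    return findings

# Constructed sample zone (all names are placeholders).
SAMPLE_ZONE = """\
$ORIGIN example.edu.
_vlmcs._tcp.sph   3600 IN SRV 0 100 1688 kms.example.edu.   ; as intended
_vlmcs._tcp.lab   3600 IN SRV 0 100 1688 kms.example.edu    ; relative target
_vlmcs._tcp.dorm  3600 IN SRV 0 100 1688 kms.dorm-pc.example.net.
_vlmcs._tcp.old   3600 IN SRV 0 100 1688
_vlmcs._tcp.test  3600 IN SRV 0 100 1689 kms.example.edu.
"""

if __name__ == "__main__":
    for no, owner, problems in audit_kms_srv(SAMPLE_ZONE):
        print(no, owner, "OK" if not problems else "; ".join(problems))
```

Run it against each zone that serves a primary DNS suffix or DHCP-assigned domain used by KMS clients; an empty problem list for a line means the record has the expected service label, port and target.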

Appendix C: Troubleshooting

You can fix most failed KMS activations by re-registering the software and then manually activating the machine.

  1. From the Start menu, select All Programs then Accessories.

  2. RIGHT-click Command Prompt and select Run as administrator.

  3. In the User Account Control window, click Continue.

  4. In the Command Prompt window, enter the command appropriate for your operating system.

  5. Proceed with step 4 of Appendix A: Manually Activating Machines.

REDUCED FUNCTIONALITY MODE: If the machine you're attempting to recover is already in Reduced Functionality Mode, you'll need to use Internet Explorer to access the Command Prompt.

  1. In Internet Explorer's Address Bar, enter C: and press the Enter key.

  2. If you receive an Internet Explorer Security dialog box, click Allow.

  3. In the Windows Explorer window, navigate to C:\Windows\System32.

  4. RIGHT-click the cmd file and select Run as administrator.

  5. Proceed to step 4 (Command Prompt) at the beginning of this troubleshooting section.

Microsoft maintains a Knowledgebase article on troubleshooting Volume Activation error codes that you might find helpful. However — for error code 0x800706BA: The RPC server is unavailable — the Microsoft-provided solution is incorrect. You should instead follow the steps at the beginning of this troubleshooting section to re-register the UPK and manually configure activation.

Appendix D: Running Your Own KMS Server

The university provides — at no charge — a secure, reliable and redundant KMS server. We highly recommend you use this service.

In the following rare events, you may need to provide your own KMS server.

  1. The cluster you want to activate:

    1. is not located within the U-M networks.

    2. cannot use the university's VPN.

  2. A local firewall restricts access to through in- and out-bound TCP port 1688.


  • You must fully understand the terms and conditions of the university's Microsoft Enterprise Agreement.

  • Your KMS service must absolutely prevent machines and virtual machines not owned by the university from validating.

  • You must be prepared to accept personal legal liability, and that of U-M, in the event your KMS service permits even one machine not owned by the university to illegally validate.