- SmartDeploy: Rethinking software deployment to remote workers in times of a pandemic - Thu, Jul 30 2020
- Outlook attachments now blocked in Office 365 - Tue, Nov 19 2019
- PolicyPak MDM Edition: Group Policy and more for BYOD - Tue, Oct 29 2019
Active Directory Based Activation (ADBA), first introduced in Windows Server 2012, aims to completely replace Key Management Services (KMS). The benefits over KMS are huge but ADBA has one noticeable drawback. In this guide, we will compare KMS to ADBA. We will also walkthrough an ADBA setup for Windows 8.1 clients.
Volume Activation (VA) Services for Windows Server 2012 R2
How Does ADBA compare to KMS?
Microsoft took a look at the common complaints for KMS in order to eliminate them in ADBA. For example, KMS requires a minimal number of clients before activation takes place. Currently, 25 instances are required for client operating systems and five instances are required for server operating systems. ADBA does not have a minimal activation threshold.
ADBA is a GUI based activation mechanism. If you are currently running KMS on a 2008 R2 machine or below, this will probably be a very welcome change. There are some things more suitable to a GUI than command line. In my opinion, activations are one of those things.
With KMS, your activation objects is directly linked to your KMS host. If your KMS host goes down, clients will be unable to activate. ADBA stores its activation objects within Active Directory. By using ADSI, you can view these activation objects.
The Activation Objects as seen from ADSI
Because the activation objects are stored within Active Directory, they are no longer node specific. As long as a client can contact Active Directory, that client can activate. If clients can’t contact AD, you probably have bigger problems.
Finally, KMS configuration is domain specific. If you manage a large multi-domain environment, KMS requires more administrative effort. ADBA, on the other hand, is a forest wide single instance activation method. A onetime configuration takes care of your entire AD infrastructure.
ADBA requirements
ADBA does have a minimal OS requirement. It can only activate Windows 8+ and Windows Server 2012+ operating systems. It also supports Office 2013 activation.
But here is the good news – KMS and ADBA are not mutually exclusive. You can continue to use KMS to activate your older clients and use ADBA for your newer clients. If your KMS host is running (or upgraded) to Windows Server 2012 R2, you can even have both roles on the same machine. Doing this gives you a GUI for KMS.
Surprisingly, you can take advantage of ADBA without needing to upgrade your domain controllers. Your schema version will need to be updated to Windows Server 2012 at least.
Activating Windows 8.1 with ADBA
Got 15 minutes and a Windows 2012 R2 Server? Great – let’s set up ADBA! This guide will assume that you are starting from scratch. First, head to the Add Roles and Features wizard. Continue through the wizard until you reach the Server Roles selection. Select the Volume Activation Services role and finish the wizard.
Installing Volume Activation Services
Next, launch the newly installed Volume Activation tools. Select Active Directory Based Activation as the Activation type.
Configuring Active Directory Based Activation
Install your KMS host key and provide a unique name for this value. As a note, you can install a single Windows Server 2012 R2 KMS key to activate client and server operating systems. More information can be found here. Under Product Key management, you will need to select the type of initial server activation.
ADBA Product Key management
Continue through the wizard until you receive confirmation that activation has successfully been enabled.
To test activation, simply restart an un-activated client. You can check System Properties or the Application Event log to see your successful Active Directory Based Activation!
Our successful activation!
I’m interested in your statement “Surprisingly, you can take advantage of ADBA without needing to upgrade your domain controllers. Your schema version will need to be updated to Windows Server 2012 at least”
Does this mean I merely need to AD Prep a 2008R2 domain to 2012R2 and then separately install the ADBA on a 2012R2 member server? After the keys are installed, can the 2012R2 member server be removed, because the object now exists in the domain?
My goal is to have the ability to use ADBA for Windows 10 clients in a 2008R2 domain, and if possible, not run any 2012 servers just yet (we’re in early testing for Windows 10). I understand I could still use KMS, but ADBA seems much nicer, especially not having to deal with the thresholds during testing.
Thanks
Hi Corby – you will do the ADPrep. You can then use the Volume license activation tools on any 2012R2 or Windows 8/10 machine (with RSAT) to add your licenses to AD.
Hi Joesph,
I have a client that has implemented ADBA for one domain and is trying to decommission the old KMS server for machines in the old domain.
So my question is, can machines from the old domain still be activated on the new Volume activation Service via an updated SRV record in the old DNS servers pointing to the new service, without being a member of the new domain using the old method of activating?
Thanks,
Andy
Just to clarify, you are wanting to use KMS cross domains?
Hi Joseph,
Correct – As part of a demerger, the customer is moving out of the old domain and we are retiring servers belonging to the old domain including the old KMS server as part of this project.
But we still have machines in the old domain which need old type KMS until we roll out new machine builds.
Would we have to deploy a new KMS to service these old clients, even tho we have ADBA. Can ADBA handle both the AD and old style of activation?
You would need KMS and ADBA if you are activating old and new clients.
If I use the Volume Activation tool and select Active Directory-Based Activation on server that has an existing KMS configuration and proceed through the setup will it replace the existing KMS configuration? All of the articles I’ve read go through the ADBA setup first then implement the KMS. I want to make sure that I’m not going to interfere with the existing KMS service.
You will be fine Todd. My production environment was KMS before ADBA was added.
Am I missing something? I don’t see where you detailed the one drawback with ADBA.
I’ve just setup ADBA next to my existing (W2K12) KMS server – which is setup to also activate W2K12. I’m hoping to start seeing my W2K12 servers re-activate to AD first, but haven’t seen any activity yet.
Is there something I can do to force my W2K12 servers over to ADBA?
Also, I have a Win 10 2016 LTSB that’s not activating. I’ve installed the W2K12-Win10 KMS host key to AD. Do I need to install the W2K16 key as well (for Win 10 LTSB to work)?
I am curious… did you solve the problem with Win10 2016 LTSB?
We have made the move from KMS to Active Directory Activation using a Server 2016. Our issue seems to be the clients (Windows 7) are still querying the old KMS server for activation even though DNS for the domain is correct. If we manual set KMS (slmgr -skms:) and then -ATO it works. Any suggestions
Hello David,
Looks like Windows 7 (and older) still require activation via KMS host server (cannot be activated with an AD-based activation server: https://blogs.technet.microsoft.com/askpfeplat/2013/02/04/active-directory-based-activation-vs-key-management-services/.
Kimberly
I’m using ADBA and i’m looking for a way to view how many computers have been activated. Is there a way you know? Thanks!
As far as I know, there isn’t a central report with this data. Clients activate themselves individually by accessing the AD activation object.
If you centralize client event logs, you could query for event ID 12308 – that is the successful activation event ID.
I have kms server running on a non AD server. I want to keep it as we have windows 7 clients.
Can I use ADBA on the same server or does it has to be in Active directory server ?
It should be a server joined to your domain.
I have ADBA now running and use it for Windows Server, Windows 10, Office 2013 and Office 2016. I see on my servers that the activation works. How can I see which servers, clients and Office installations have activated so far?
You can filter the application Event log on your DCs. Look for event ID 12308.
Are you able to circumvent specific OUs from using ADBA, or only apply ADBA to certain OUs? My environment has a single forest with OUs based on country. I need to limit ADBA to US only until other countries are ready to adopt this new method.
I don’t know if you can or not. In a test environment, you could try to edit the security permissions of the activation object in AD and only allow certain computers to read it. If that works, that could be used to do a phased deployment.
Joseph…any idea how to install the volume licensing packs if the Domain Controllers were setup using Windows Server Core?
Can you not use the volume licensing tools that are installed with RSAT on another IT machine?
Joseph,
We currently have the following functional levels. Domain = 2012 R2 Forest = 2008 R2. Would we need to upgrade the Forest functional level to 2012 R2 or should we be OK with our current setup to try ADBA?
ZT
You will need to update your forest. Nothing is 100% but I have never heard of an issue with a forest upgrade.
If I implement this, will the clients that are currently using KMS automatically convert over to ADBA or is there something I need to do on the clients? Clients are all 2012+.
if the user doesn't have to access the domain for up to 180 days to keep activation active does the user get any prompt during that time?
Hello, Can I use ADBA only in a sub domain (not in entire forest)? It seems that the objet is written in sub domain configuration.
Bonjour,
Peut-on installer le service ADBA dans un sous-domaine (par exemple subdomain1.maforet.local) d'une foret sans craindre "d'effets indésirables" (activation inter-domaine par exemple) sur les autres domaines de la foret?
(Serveur en 2019 – DC en 2012r2 – version du schema 2019)
maforet.local
subdomain1.maforet.local
subdomain2.maforet.local
subdomainx.maforet.local
Merci de vos retours.
Hello Joesph,
I've had ADBA successfully working for a while now thanks to this tutorial… My question is I now want to have ADBA activating server 2016 (and soon 2019)… Do I just follow the step above to add the additional KMS keys on my ADBA server or is there something else I need to do?
Thanks
I have been trying to set this up for a week now. And seem pretty straight forward. Every time I run it I get an access Denied error. Now it thinks the key has been activated 10 times and won't let me use it. I have a Enterprise and child domain. Sever I am running license activation on is joined to ad child domain. I set the permissions Enterprise Admin, and local admin. Sill permission denied. Do you need to set this up on the domain controller itself?
Hi Joseph Moody,
How Client can communicate Microsoft Activation server for activating keys.
Active Directory-based activation Process Flow:
Client-ADDS(Volume Activation Service)-MS Activation Server.
Can you explain the flow.
what are the ports are require From ADDS to MS Server.
Hello
we are in the process to upgrade to Windows 10 (I know we are slow) and I would like to implement the ADBA service. The question I have is related to my Windows 7 clients already activate with a MAK key. What’s gonna happen when I will implement ADBA for those Windows 7 clients?
thanks