HOWTO: Handle Windows Activation on non-domain-joined Web Application Proxies

This entry is part 9 of 10 in the series Hardening Hybrid Identity

Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll look at best practices to handle Windows activation on non-domain-joined Web Application Proxy servers.

Note:
This blogpost assumes you’re running Web Application Proxies as non-domain-joined Server Core Windows Server 2016 installations.

If your Web Application Proxy servers are domain-joined, you can use Active Directory-based activation to take care of Windows activation. However, this option can’t be used for Web Application Proxy servers that are non-domain-joined and/or placed on a perimeter network (also commonly referred to as a DMZ network).


Why look at Windows Activation for Web Application Proxies

Hybrid Identity deployments are often long and costly implementations. As they are built using on-premises systems, they are intended to provide the functionality for the full duration of the economic lifetime of these systems (4-5 years).

Having activated Windows Server installations throughout the Hybrid Identity implementation is important.

Possible negative impact (What could go wrong?)

When Windows Server is not properly activated, recurring notifications will be shown.

Technically, functionality is not reduced on non-activated Windows Servers that were installed from Volume License (VL) installation media. Installations performed from Evaluation media behave differently: Windows Server 2016 will reboot every hour, disable certain services and show EventID 5074.

More importantly, non-activated servers typically point to a rather casual attitude towards licensing. From a business continuity perspective it makes sense to strictly adhere to the product use rights. Through audits, license non-compliance might be discovered and measures may be taken, not just financially.


Four solutions for Windows Activation

There are four solutions to activate non-domain-joined Web Application Proxies:

  1. Activate using KMS Hosts
  2. Activate using Host-based Activation (for Hyper-V virtual machines only)
  3. Activate using MAK and an Internet connection
  4. Activate using MAK and the phone


How to do it

To activate non-domain-joined Web Application Proxy servers, perform these actions, per scenario:

Activate using KMS Hosts

Note:
This method will not work with Web Application Proxies that are installed using retail media.

Key Management Services (KMS) is a way to manage Windows Activation centrally for a networking infrastructure. Installations of Windows Server 2016 from Volume License (VL) media are the first installations of a released Microsoft Windows Server product in a long time that are not configured by default with a KMS client key (as opposed to Windows Server 2008, 2008 R2, 2012 and 2012 R2). Therefore, in the KMS scenario, the following requirements need to be met:

  1. A working KMS host
  2. Ideally: DNS-based name resolution for each of the Web Application Proxies to locate KMS.
  3. Network connectivity from each of the Web Application Proxies to the KMS host
  4. A KMS-based Volume License activation key (GVLK) entered as the product key in each Web Application Proxy, followed by the activation command.

If you haven’t already configured a KMS host, see the Microsoft documentation on Deploy KMS Activation for steps to set one or more of these servers up.

Note:
KMS hosts running Windows Server 2008 R2 or earlier versions of Windows Server cannot be used to activate Windows Server 2016 and beyond.

By default, KMS uses DNS SRV records to locate KMS hosts. Multiple SRV records allow for high availability of the KMS functionality. However, a single KMS host can be assigned to a Web Application Proxy using the following command line:

slmgr.vbs /skms KMSHostOrIPAddress:1688

If using an IPv6 address to denote the KMS host, specify the address using square brackets. TCP 1688 is used by default for KMS hosts, but this port can be changed.

To test discovery of KMS hosts through DNS on Web Application Proxies, use the following line of Windows PowerShell on each of the Web Application Proxies:

Resolve-DnsName -Name _vlmcs._tcp -Type SRV -DNSonly

Note:
The Resolve-DnsName cmdlet will return a maximum of 25 records from DNS servers.

To test network connectivity between the Web Application Proxy and the KMS host, run the following line of Windows PowerShell on each of the Web Application Proxies:

Test-NetConnection -ComputerName KMSHostOrIPAddress -Port 1688


Activate each Web Application Proxy, by running the following two command lines on each server:

slmgr.vbs /ipk <PRODU-CTKEY-4WIND-NWSSE-RVERS>

slmgr.vbs /ato

Replace the product key above with the GVLK for the Operating System SKU that was used to install the Web Application Proxy servers. The key differs between Standard Edition and Datacenter Edition. All GVLKs can be found in the Microsoft Documentation on KMS client setup keys.

Alternatively, KMS GVLKs can be configured centrally and Web Application Proxy servers can be activated centrally using the Volume Activation Management Tool (VAMT).
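The KMS steps above, gathered into one script to run on each Web Application Proxy, as an added example that is not the author's own script: it checks SRV discovery and TCP reachability of the KMS host first, and only then pins the KMS host, enters the GVLK and activates. The KMS host name, port and product key are placeholders (assumptions) to replace with your own values; running slmgr.vbs through cscript.exe is a convention so that its output reaches the console instead of a dialog box.

```powershell
# Added example, not from the original post. Run on each Web Application Proxy.
# Placeholders (assumptions): replace with your KMS host and the GVLK for your SKU.
$KmsHost = 'kms.example.internal'             # assumption: your KMS host name or IP address
$Gvlk    = 'PRODU-CTKEY-4WIND-NWSSE-RVERS'    # placeholder: GVLK for Standard or Datacenter
$KmsPort = 1688                               # KMS default; change if your host listens elsewhere

# Always run slmgr.vbs under cscript so output goes to the console (wscript, the
# default host for .vbs files, shows dialog boxes instead).
$Slmgr = Join-Path $env:SystemRoot 'System32\slmgr.vbs'
function Invoke-Slmgr {
    param([Parameter(ValueFromRemainingArguments = $true)][string[]]$Arguments)
    & cscript.exe //Nologo $Slmgr @Arguments
}

function Test-KmsDiscovery {
    # Default KMS locator: _vlmcs._tcp SRV records in DNS (Resolve-DnsName returns at most 25).
    try {
        Resolve-DnsName -Name '_vlmcs._tcp' -Type SRV -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object NameTarget, Port, Priority, Weight
    } catch {
        Write-Warning "No _vlmcs._tcp SRV records resolved: $($_.Exception.Message)"
    }
}

function Test-KmsConnectivity {
    param([string]$ComputerName, [int]$Port = 1688)
    # Network path from this server to the KMS host on the KMS port; returns $true or $false.
    (Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded
}

function Invoke-KmsActivation {
    param([string]$KmsHost, [int]$Port, [string]$Gvlk)
    # Pin the KMS host (an IPv6 address must be wrapped in square brackets), set the GVLK, activate.
    $target = if ($KmsHost -match ':' -and $KmsHost -notmatch '^\[') { "[$KmsHost]:$Port" } else { "${KmsHost}:$Port" }
    Invoke-Slmgr /skms $target
    Invoke-Slmgr /ipk $Gvlk
    Invoke-Slmgr /ato
}

# Run the checks first; only attempt activation when the KMS host is reachable.
$srv = Test-KmsDiscovery
if (-not $srv) { Write-Warning 'DNS discovery found no KMS hosts; relying on the pinned KMS host.' }
if (Test-KmsConnectivity -ComputerName $KmsHost -Port $KmsPort) {
    Invoke-KmsActivation -KmsHost $KmsHost -Port $KmsPort -Gvlk $Gvlk
} else {
    Write-Error "TCP $KmsPort to $KmsHost is blocked; check the perimeter firewall rules before activating."
}
```

The connectivity check before the activation step matters on a perimeter network: a blocked port 1688 is the most common reason activation against a KMS host silently falls into the grace period, and the script refuses to run slmgr.vbs /ato until the path is confirmed.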


Activate using Host-based Activation (for Hyper-V virtual machines only)

Note:
This method will not work with Web Application Proxies that are installed using retail media.

When your Web Application Proxy hosts run as virtual machines on top of Hyper-V, you can take advantage of the Automatic Virtual Machine Activation (AVMA) feature.

To use this feature, the Hyper-V hosts that run the virtualized Web Application Proxies need to:

  1. Run Windows Server 2012 R2, or up
  2. Run the Datacenter Edition of Windows Server
  3. Be properly activated themselves

When you meet these requirements, every virtual machine deployed to these Hyper-V hosts is activated automatically, as long as it is configured with the Windows Server 2016 GVLK. When you use volume license media to install the Windows Server 2016-based Web Application Proxies, no additional action is required.


Activate using MAK and an Internet connection

Another Volume License activation method for Windows Server 2016 is to use Multiple Activation Keys (MAKs). The default activation method for MAKs is over the Internet to Microsoft’s datacenters.

This activation method requires access to the Internet addresses mentioned in Microsoft KnowledgeBase article 921471 to avoid error 0x8004FE33.

Activate each Web Application Proxy, by running the following two command lines on each server to enter the MAK:

slmgr.vbs /ipk <PRODU-CTKEY-4WIND-NWSSE-RVERS>

slmgr.vbs /ato

Alternatively, MAKs can be configured centrally and Web Application Proxy servers can be activated centrally using the Volume Activation Management Tool (VAMT). When VAMT is used for MAK Proxy Activation, only the device running VAMT needs an Internet connection.


Activate using MAK and the phone

When an Internet connection is out of the question on the perimeter network, phone activation is still available.

Obtain the Windows Server installation ID, using the following command line:

slmgr.vbs /dti

Write it down.

Run the following command line on the Web Application Proxy to show phone number information:

notepad.exe C:\Windows\system32\SPPUI\Phone.inf

Screenshot: Phone.inf in Notepad on a Server Core installation of Windows Server 2016

Write down the nearest or most convenient number from the document.

Close the Notepad window.

Call the phone number and follow the prompts to obtain the confirmation ID.

Apply the confirmation ID (without the hyphens) using the following command line:

slmgr.vbs /atp VeryLongStringThatRepresentsTheConfirmationID


Testing proper activation

Check proper activation using the following command line:

slmgr.vbs /dlv
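The same licensing state that slmgr.vbs /dlv prints is exposed through the SoftwareLicensingProduct CIM class, which makes it easier to check unattended. The script below is an added example, not part of the original post: it returns the activation state of the running Windows installation as an object and exits non-zero when the server is not licensed, so it can run from a scheduled task on each non-domain-joined Web Application Proxy and feed an alert when a server drifts back into a grace period. The ApplicationID is the well-known value for the Windows operating system product family; the LicenseStatus names follow the documented codes of that class.

```powershell
# Added example, not from the original post. Reads the Windows licensing state through
# the SoftwareLicensingProduct CIM class (the source of what slmgr.vbs /dlv reports).
# Well-known ApplicationID of the Windows operating system product family.
$WindowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'

# LicenseStatus codes as documented for SoftwareLicensingProduct.
$LicenseStatusNames = @{
    0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOB grace'; 3 = 'OOT grace'
    4 = 'Non-genuine grace'; 5 = 'Notification'; 6 = 'Extended grace'
}

function Get-WindowsActivationState {
    # Only the product entry that holds an installed product key describes the running OS.
    $p = Get-CimInstance -ClassName SoftwareLicensingProduct `
        -Filter "ApplicationID='$WindowsAppId' AND PartialProductKey IS NOT NULL" |
        Select-Object -First 1
    if (-not $p) { throw 'No Windows product with an installed product key was found.' }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Edition           = $p.Name
        Channel           = $p.Description                 # e.g. VOLUME_KMSCLIENT or VOLUME_MAK channel
        PartialProductKey = $p.PartialProductKey
        LicenseStatus     = $LicenseStatusNames[[int]$p.LicenseStatus]
        GraceDaysLeft     = [math]::Floor($p.GracePeriodRemaining / 1440)   # property is in minutes
        KmsHost           = $p.KeyManagementServiceMachine # pinned with /skms, empty when using DNS
        KmsPort           = $p.KeyManagementServicePort
        DiscoveredKmsHost = $p.DiscoveredKeyManagementServiceMachineName
        IsActivated       = ($p.LicenseStatus -eq 1)
    }
}

# Show the state; fail the run when the server is not (or no longer) activated.
$state = Get-WindowsActivationState
$state | Format-List
if (-not $state.IsActivated) {
    Write-Warning "$($state.ComputerName) is '$($state.LicenseStatus)' with $($state.GraceDaysLeft) day(s) of grace left."
    exit 1
}
```

For KMS clients, a populated DiscoveredKmsHost alongside a LicenseStatus of Licensed confirms that DNS discovery is working; a pinned KmsHost with a grace status usually points at a firewall change on the perimeter network rather than a licensing problem.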


Concluding

Make sure Web Application Proxies remain functional beyond the default trial period, by activating their Windows Server installations.

Further reading

Product Activation Changes and Impacts on Windows Server 2008
Windows 2016 Server mysterious shutdown issues
KMS client setup keys
Windows activation or validation fails with error code 0x8004FE33
KMS and MAK Activation Scenarios for Volume Activation
Windows Server 2016 Volume Activation Tips
Activating Windows Server 2016

