Windows Licensing Reference

Active Directory-Based Activation

AD-BA — forest-object activation introduced with Volume Activation 3.0

Active Directory-Based Activation (AD-BA) is a volume activation method introduced with Windows 8 and Windows Server 2012 in which the activation entitlement is stored as an object in the Active Directory configuration partition. Domain-joined volume editions of Windows 8 or later, Windows Server 2012 or later, and volume Office 2013 or later are activated automatically at boot or at user logon by querying this object.

Unlike KMS, AD-BA does not require a listening service on TCP 1688, does not require a DNS SRV record beyond the standard Active Directory locator records, and has no activation count threshold. It coexists with KMS; domain members will use AD-BA first and fall back to KMS only if AD-BA fails.

See also: Key Management Service, Volume Activation Methods, GVLK Keys.

History

AD-BA was introduced as part of Volume Activation 3.0 with the Windows 8 / Windows Server 2012 generation. It was developed in response to feedback that KMS, while effective, imposed operational overhead (a dedicated host, firewall rules, DNS publication, activation thresholds) that was unnecessary in fully Active Directory-managed environments. AD-BA has been carried forward unchanged in every subsequent Windows Server release through Windows Server 2025.

Technical details

AD-BA stores activation objects of class msDS-ActivationObject in the configuration partition under CN=Activation Objects,CN=Microsoft SPP,CN=Services,CN=Configuration, DC=<forest-root>. Each object carries a KMS Host key and licence metadata. Clients with a matching GVLK installed locate the object using the standard LDAP / GC locator and present a hashed CMID; the domain controller returns a signed activation response. The underlying schema extension is delivered as part of the Windows Server 2012 (or newer) AD schema.

Setup procedure

  1. On a Windows Server 2012 or later domain controller, install the Volume Activation Services role.
  2. Launch the Volume Activation Tools wizard and choose Active Directory-Based Activation.
  3. Enter the KMS Host key (the same key type used for KMS) and a display name for the activation object.
  4. Activate the key against Microsoft, online or by telephone.
  5. The wizard creates the msDS-ActivationObject in the configuration partition; replication makes it available to all domain controllers in the forest.
  6. Clients with the corresponding GVLK installed activate automatically at the next boot or logon, or immediately with slmgr.vbs /ato.

Forest object and schema

The schema extension required for AD-BA is delivered automatically when a domain controller is promoted from Windows Server 2012 or later, or when adprep /forestprep is run from installation media of those releases. The activation object can be enumerated with dsquery * "CN=Activation Objects,CN=Microsoft SPP,CN=Services,CN=Configuration, DC=<forest-root>" and managed through the same VAMT wizard used to create it. Multiple activation objects may coexist to support different product families.

Common issues

  • Down-level clients not activating. AD-BA supports Windows 8 / Server 2012 and later only; Windows 7 / Server 2008 R2 must continue to use KMS or MAK.
  • Activation object missing in a child domain. AD-BA objects are stored in the forest configuration partition and replicate to all domain controllers; replication delays show up as transient failures shortly after creation.
  • Older Host key. A newer Windows client SKU may require a Windows Server 2022 (or newer) Host key in the activation object.
  • Workgroup or non-domain-joined machines. Cannot use AD-BA; configure KMS or MAK instead.

References

  1. Activate using Active Directory-Based Activationhttps://learn.microsoft.com/en-us/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client
  2. Plan for volume activationhttps://learn.microsoft.com/en-us/windows/deployment/volume-activation/plan-for-volume-activation-client
  3. Volume Activation Services rolehttps://learn.microsoft.com/en-us/windows-server/get-started/activation-key-management-services
  4. Volume Activation overviewhttps://learn.microsoft.com/en-us/windows/deployment/volume-activation/volume-activation-windows-10