KMS Host Configuration

Deploying and configuring a Key Management Service host on Windows Server

A KMS host is a Windows Server instance configured with the Volume Activation Services role and a KMS Host key obtained from the Microsoft 365 admin center or the legacy Volume Licensing Service Center (VLSC). Once installed and activated against Microsoft, the host responds to local KMS client requests on TCP port 1688.

A single KMS host can serve tens of thousands of clients in a single forest and can host activation for Windows client, Windows Server, and Microsoft Office concurrently, provided the corresponding KMS Host keys are installed and the host has been re-activated against Microsoft after each key change.

See also: Key Management Service, GVLK Keys, slmgr Command Reference.

History

Configuration tooling has evolved with each Windows Server release. In Windows Server 2008 and 2008 R2, KMS host setup was performed primarily through slmgr.vbs. Windows Server 2012 introduced the Volume Activation Services role and the Volume Activation Management Tool (VAMT) MMC snap-in, which provide a graphical wizard for installing the KMS Host key, activating it against Microsoft, and publishing the SRV record. From Windows Server 2016 onward the wizard supports KMS Host keys for newer client SKUs released after the server itself, delivered as part of the periodic servicing updates listed on Microsoft Learn.

Technical details

The host listens on TCP 1688; the port is configurable with slmgr.vbs /sprt <port>. KMS host configuration is stored under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform, with relevant values including KeyManagementServiceVersion, KeyManagementServiceCurrentCount, and KeyManagementServiceTotalRequests. The host logs activation events to Applications and Services Logs › Microsoft › Windows › Key Management Service.

A KMS host is itself activated against Microsoft using the same slmgr.vbs /ato command used by clients; the difference is the key installed. Re-activation is required only after the Host key is replaced or after a hardware change that invalidates the binding.

Procedure

  1. Install the Volume Activation Services role through Server Manager.
  2. Run the Volume Activation Tools wizard and select Key Management Service.
  3. Enter the KMS Host key obtained from the volume licensing portal.
  4. Activate the host against Microsoft, either online or by telephone.
  5. Allow inbound TCP 1688 in Windows Firewall (built-in rule: Key Management Service (TCP-In)).
  6. Verify publication with nslookup -type=srv _vlmcs._tcp.<domain>.

Equivalent command-line steps are slmgr.vbs /ipk <KMS-Host-Key> followed by slmgr.vbs /ato and, when DNS publishing is disabled, slmgr.vbs /sdns.

DNS publication

By default, the KMS host publishes a DNS SRV record of the form _vlmcs._tcp.<domain> in its primary DNS zone, pointing at the host's FQDN and TCP port 1688. Domain-joined clients locate the host through this record without further configuration.

In multi-domain forests, the host can publish additional SRV records by granting the host's computer account the Authenticated Users — Create all child objects permission on the _vlmcs._tcp container in each target DNS zone. Manual publication is possible by creating an SRV record with service _vlmcs, protocol _tcp, weight 0, priority 0, and port 1688.

Common issues

  • Host activates but clients cannot reach it. Typically a missing firewall rule or a missing SRV record; verify with Test-NetConnection host -Port 1688.
  • Newer client SKU not supported. The installed KMS Host key predates the client SKU; install a newer Host key and re-activate the host. Microsoft publishes a compatibility matrix per Windows Server release.
  • Count stuck below threshold. Re-activating a single test machine does not increase the count; only new CMIDs contribute. The current count is shown by slmgr.vbs /dlv on the host.
  • Multiple KMS hosts publishing in DNS. All SRV records are valid; clients pick one at random by weight and priority. Decommissioned hosts should be removed with slmgr.vbs /cdns or by deleting the stale SRV record.
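
The SRV verification from the procedure and the stale-record issue above can be checked together. The following is an added PowerShell example, not part of the original page: it compares the published _vlmcs._tcp records with the KMS hosts you expect and optionally probes each advertised port. The function name, corp.example.com and the host names are assumptions, and the sample records are constructed.

```powershell
# Added example (not from the original page). Domain and host names are placeholders.
function Test-KmsSrvPublication {
    param(
        [Parameter(Mandatory)] [string]   $Domain,
        [Parameter(Mandatory)] [string[]] $ExpectedHosts,
        [object[]] $Records,      # pre-fetched SRV records; omit to query DNS live
        [switch]   $SkipPortTest  # skip the TCP reachability probe
    )
    if (-not $Records) {
        # Only SRV answers carry NameTarget; this drops any additional A/AAAA records.
        $Records = Resolve-DnsName -Name "_vlmcs._tcp.$Domain" -Type SRV -ErrorAction Stop |
            Where-Object { $_.NameTarget }
    }
    $published = @()
    foreach ($r in $Records) {
        $name = $r.NameTarget.TrimEnd('.')
        $published += $name
        $reachable = $null
        if (-not $SkipPortTest) {
            $reachable = Test-NetConnection -ComputerName $name -Port $r.Port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
        }
        [pscustomobject]@{
            Host      = $name
            Port      = $r.Port
            Priority  = $r.Priority
            Weight    = $r.Weight
            Reachable = $reachable
            # Unexpected = stale or unknown host still advertised to clients.
            Status    = if ($name -in $ExpectedHosts) { 'Expected' } else { 'Unexpected' }
        }
    }
    # Expected hosts with no SRV record: clients cannot discover them.
    foreach ($h in $ExpectedHosts | Where-Object { $_ -notin $published }) {
        [pscustomobject]@{ Host = $h; Port = $null; Priority = $null; Weight = $null
                           Reachable = $null; Status = 'NotPublished' }
    }
}

# Constructed sample records so the function can be exercised without DNS.
$sample = @(
    [pscustomobject]@{ NameTarget = 'kms01.corp.example.com';  Port = 1688; Priority = 0; Weight = 0 }
    [pscustomobject]@{ NameTarget = 'oldkms.corp.example.com'; Port = 1688; Priority = 0; Weight = 0 }
)
Test-KmsSrvPublication -Domain 'corp.example.com' -Records $sample -SkipPortTest `
    -ExpectedHosts 'kms01.corp.example.com', 'kms02.corp.example.com'
```

Run without -Records and -SkipPortTest on a domain-joined machine to audit the live zone; any row with Status Unexpected is a candidate for the slmgr.vbs /cdns or SRV-record cleanup described above.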
