• Sales: 1-800-961-2888
  • Support: 1-800-961-4454

Feedback

Let us know what you think of our Knowledge Center!

Open Cloud Community

Learn about Rackspace products, ask questions, and share your knowledge in our Open Cloud Community.

Common Windows Issues: Key Management Server Activation

  • Article ID: 1181
  • Last updated on January 31, 2012
  • Authored by: Rackspace Support
  • (6 Comments)

Problem:  Periodic activation requests to the KMS are rejected and the operating system is seen as unlicensed.

Cause:  Windows cannot locate the Key Management Server (KMS) after changing the time zone of the Cloud Server.  Now your Cloud Server's system clock does not sync with the KMS.

Resolution:  You will need to resynch your Cloud Server with the KMS server:

1.  Log in to your Cloud Server as Administrator and run the following from the command prompt (Start, All Programs, Accessories, right-click Command Prompt and select Run as Administrator).

  • If your server is in ORD (Chicago datacenter):
ping winactivate.ord1.servers.rackspacecloud.com
  • If your server is in DFW (Dallas datacenter):
ping winactivate.dfw1.servers.rackspacecloud.com

**if there is a reply, move on to step 2.  No reply means that there is an interface, hardware, or routing issue**

2.  Set the KMS manually within the registry.

  • If your server is in ORD (Chicago) datacenter:
slmgr.vbs /skms winactivate.ord1.servers.rackspacecloud.com:1688
  • If your server is in DFW (Dallas) datacenter:
slmgr.vbs /skms winactivate.dfw1.servers.rackspacecloud.com:1688

3.     Request activation from the KMS
:

slmgr.vbs /ato

4.     If step 3 returns an error reading EXACTLY “0xC004F074 The Key Management Server (KMS) is unavailable”, run the following:

w32tm /resync

5.     If the time on the Cloud Server is drastically different than what is on the KMS the resync will fail.  At this point you will need to either set the time manually or configure the server to use an NTP instance over the internet:


net stop w32time 
w32tm /config /manualpeerlist:time.windows.com /syncfromflags:MANUAL
net start w32time

6.  Once the time is synced up, attempt the following:

w32tm /resync

slmgr.vbs /ato


7.  You will also need to open UDP port 123 to allow the sync.  Read this article to learn how to Create an Inbound Port Allow Rule.

8.  Once the time is synced up, attempt the following:

w32tm /resync
slmgr.vbs /ato

 



© 2011-2013 Rackspace US, Inc.

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License


See license specifics and DISCLAIMER

6 Comments

I am unable to ping winactivate.ord1.servers.rackspacecloud.com. Is this not registered with DNS properly? I am able to ping www.google.com with no issues.
By Wilson on Jul. 30, 2012

I believe you can only ping a key server from within the same datacenter. To ping the server in ORD you'll need to do it from a Cloud Server that resides in an ORD datacenter.

You can see what datacenter your Cloud Server is in by checking the server list - the rightmost column lists the datacenter.
By jered.heeschen on Jul. 30, 2012

We also recently had an activation issue on our ORD1 based server that had been running for 6 months without any changes in the config. We were getting a windows isn't genuine message and activation was failing with only a multi-digit hex code (thanks, Microsoft!)

Similar to the posting from a few weeks ago, we could get an IP back when pinging winactivate.ord1.servers.rackspacecloud.com but did not get replies. We had disabled the private interface on the cloud server on the day of its spinup since we had no intention of using a load balancer or linking it to other internal cloud services. One less interface to think about for security concerns was the goal.

This appears to be why our server could not activate. Apparently in addition to it being usable for private system communication that isn't metered, the private interface is also used for KMS activation and Rackspace management. This was news to us and not clear in this article that it was necessary.

I guess we need to leave it on and then make sure the windows firewall allows nothing through on that interface to keep us protected from other cloud servers that get compromised. Rackspace - we'd definitely prefer not having the extra interface stay enabled, even though it'd send the minuscule activation traffic over the public IP (and we'd get billed for it).
By Anonymous on Jul. 30, 2012

We'll get this article updated with a note about the interface.

I can't speak for the folks in charge of the activation servers, but I suspect they don't want those activation servers accessible from the public network. Restricting them to the private network limits their exposure to attack.
By jered.heeschen on Jul. 30, 2012

My Windows 2012 Standard server was not activated after I resized it. I followed these steps and it fixed the activation issue!
By Ezra Shiram on Feb. 21, 2013

If you decide to build a Windows Cloud Server without a Public Network interface, or, deactivate that interface later; you will need to ping the "winactivate" servers listed above, and use the IP in the command.

Basically, without a PublicNet connection:
'slmgr.vbs /skms winactivate.ord1.servers.rackspacecloud.com:1688'
won't work, you will need to use:
slmgr.vbs /skms 10.179.63.253:1688
By Andrew Lisciandrello on Mar. 25, 2013

Add new comment