On a recent visit to a customer site – the L3 Citrix Admin explained they were experiencing some technical difficulties with using KMS (Key Management Service) for Windows Activation of non-persistent Citrix Shared Desktop server operating systems. Having experienced my own troubles on and off with KMS in the past – I explained that there is an easier way for activating domain joined Citrix Workloads in an on-premise environment using Active Directory Based Authentication.
Back in the early days of Windows server deployment, an IT Administrator simply configured a Windows server OS and activated the Windows license by installing a MAK key on each Windows server. However, with the move to non-persistent Virtual desktops several years back (using provisioning technologies provided by Citrix such as PVS or MCS) – using a MAK key was no longer possible.
Non-persistent VDI or Shared Desktop relies on a master image (also called a golden image or base image) to save IT administrators’ time and ensure consistency during the cloning process. The master image contains the OS, configuration settings and other customisations that replicate to multiple virtual desktops.
Because all workloads are provisioned from the same image – they can’t all use the same MAK key installed on the base image. The initial way to resolve this provided by Microsoft was to use a Volume Activation utility called KMS (Key Management Service).
KMS is an activation service that allows organisations to activate systems within their own network, eliminating the need for individual computers to connect to Microsoft for product activation. To configure KMS within your corporate network an IT Administrator has to:
- Install and configure KMS on a dedicated server within their environment
- Download and install Windows OS product keys from Microsoft Volume License Service Centre
- Configure a DNS SRV record for KMS host lookup
While KMS worked well once set up and running – it had a few major drawbacks: it was complex for IT Admins to set up and get working, and each KMS server required a minimum threshold of 25 license requests before it activated any Windows OS in the environment.
The easier way
There is a much easier way to Windows Activate your on-premise domain-joined server workloads. Using ADBA (Active Directory Based Authentication) – the process of activating non-persistent Citrix workloads is greatly simplified. ADBA is a more reliable and redundant solution, and it has significant advantages compared to KMS which make it the best option for activating machines.
ADBA relies on Active Directory Domain Services to store activation objects and transparently activate domain-joined computers.
Advantages of using Active Directory Based Authentication include:
- High availability – as activation is based on AD LDAP services – these are highly available by design across all Domain Controllers in an organisation
- No minimum threshold required for activating servers (in KMS – you require a minimum of 25 license requests)
- Eliminates the need for a dedicated DNS record for KMS lookup
- Easy to configure and implement
How to deploy and use ADBA
Install the Volume Activation Services role on a Windows 2019 / 2012 Server OS management server
Once installed – run the VAMT tool and select ADBA as the volume activation method
ADBA uses the KMS host key for activating clients. Note: the same KMS host key is used for both the Active Directory-based activation and KMS activation methods.
The KMS host key can be obtained from Microsoft VLSC (Volume Licensing) for the specific OS version you wish to license (e.g. Windows Server 2019).
And that’s it. Windows machines on your network will now activate immediately via Active Directory LDAP services. To confirm it’s working you can run the slmgr.vbs /dli command on your client machine to display the activation status. Pay attention to the “AD Activation client information”, which indicates that the client was activated using ADBA.
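A scripted version of the check described above, as an added example that is not part of the original post: it reads the licensing data that slmgr.vbs reports from the SoftwareLicensingProduct WMI class and states whether the last activation went through Active Directory or KMS. The function name Get-WindowsActivationChannel is made up for this example, and it assumes Windows 8 / Server 2012 or later, where the AD activation properties exist.

```powershell
# Added example (not from the original post): report how Windows was activated
# on the local machine. Assumes Windows 8 / Server 2012 or later.

$WindowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'   # ApplicationID of Windows itself

$LicenseStatusNames = @{
    0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOBGrace'; 3 = 'OOTGrace'
    4 = 'NonGenuineGrace'; 5 = 'Notification'; 6 = 'ExtendedGrace'
}
$ActivationTypeNames = @{ 1 = 'Active Directory'; 2 = 'KMS'; 3 = 'Token' }

function Get-WindowsActivationChannel {
    # Only editions with a product key installed are relevant.
    $filter = "ApplicationID = '$WindowsAppId' AND PartialProductKey IS NOT NULL"
    $products = Get-CimInstance -ClassName SoftwareLicensingProduct -Filter $filter

    foreach ($p in $products) {
        # WMI returns UInt32; cast to int so the hashtable lookups match.
        $status = [int]$p.LicenseStatus
        $type   = [int]$p.VLActivationType      # 0 when no volume activation is recorded

        $channel = $ActivationTypeNames[$type]
        if (-not $channel) { $channel = 'None recorded' }

        [pscustomobject]@{
            Product            = $p.Name
            LicenseStatus      = $LicenseStatusNames[$status]
            LastActivationType = $channel
            # Populated only when the client activated against an AD activation object.
            ADObjectName       = $p.ADActivationObjectName
            ADObjectDN         = $p.ADActivationObjectDN
            # Set by a manual KMS override; on an ADBA-only image this should be empty.
            ManualKmsHost      = $p.KeyManagementServiceMachine
            ActivatedViaADBA   = ($status -eq 1 -and $type -eq 1)
        }
    }
}

Get-WindowsActivationChannel | Format-List
```

Running this on a freshly provisioned clone rather than on the master image shows whether non-persistent machines are activating through AD after each reboot, and a non-empty ManualKmsHost points to a leftover KMS setting baked into the image.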
ADBA makes the setup and activation of Windows licensing for non-persistent workloads a lot simpler than the traditional KMS solution. As it goes hand in hand with Active Directory, it provides high availability and eliminates the need for a dedicated server for activation, without any requirement to meet a minimum threshold to activate machines.
It is relatively simple to configure and set up, but should you have any questions on how best to deploy ADBA, please feel free to leave a message and I’d be happy to help.