KMS Server Setup Across 2 Domains/Subnets

March 2, 2010 at 11:41:28
Specs: Windows Server 2003 R2
Hello,

I am trying to set up a KMS server on one of our two domain controllers. Both machines are identical, running Server 2003 R2, but are hosting 2 separate domains and are on two different subnets (one being 192.168.168.1, the other 192.168.0.1). I have the KMS server set up on the 192.168.168.1 server. I cannot successfully get the two servers to add each other in DNS, and I cannot get clients on the 192.168.0.1 subnet to see the KMS server. I have read through the Microsoft documents endlessly and have tried adding the registry key they suggested, but to no avail. Any ideas on what I'm doing wrong?



#1
March 2, 2010 at 11:54:02
post an ipconfig /all from each server for review
is there a router between subnets?
how have you tried to add to dns? General steps please.


#2
March 2, 2010 at 12:07:19
Thank you for your quick reply. I have tried to connect the two DNS servers to each other in DNS, however whenever I attempt doing this I get the error message "Access Denied. Do you wish to add anyway?"

There is no device or firewall standing between these two servers and both servers can ping each other without a problem.

If I take a member of the russell.nj domain and upgrade them to Windows 7, they do not see the KMS server. However, if I move that user's computer to the russell.ny domain, they see the KMS server and its count goes up by 1.

Here are my IPConfig/all's :

Domain KMS Server -

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>ipconfig/all

Windows IP Configuration

Host Name . . . . . . . . . . . . : DELLF5KB3D1
Primary Dns Suffix . . . . . . . : russell.ny
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : russell.ny

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS
VBD Client)
Physical Address. . . . . . . . . : 00-19-B9-C8-CF-07
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.168.254
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.168.1
DNS Servers . . . . . . . . . . . : 192.168.168.254
192.168.0.240
198.6.1.122


Other Domain Server -

C:\Documents and Settings\Administrator>ipconfig/all

Windows IP Configuration

Host Name . . . . . . . . . . . . : WayneServer
Primary Dns Suffix . . . . . . . : russell.nj
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : russell.nj

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS
VBD Client)
Physical Address. . . . . . . . . : 00-19-B9-C9-1A-41
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.240
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS
VBD Client) #2
Physical Address. . . . . . . . . : 00-19-B9-C9-1A-43
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1


Thanks again in advance for your help.



#3
March 2, 2010 at 12:45:25
Please post the results of nslookup russell.nj
Please post the results of nslookup russell.ny


You cannot ping between 192.168.168.x
and 192.168.0.x without a router. The fact that you can ping means there is a router between.

Your servers have two different gateways
Host Name . . . . . . . . . . . . : DELLF5KB3D1
Default Gateway . . . . . . . . . : 192.168.168.1

Host Name . . . . . . . . . . . . : WayneServer
IP Address. . . . . . . . . . . . : 192.168.0.240

Another issue is WayneServer has two enabled NICs and each is in the same subnet. This is a no-no. The server will get confused as to which NIC/IP it's talking on.

Usually you engage adapter teaming if you have a managed switch to support it, to utilize the power of two nics. Adapter teaming uses only one ip address.

It appears to me you do not have two different domains. You have two different forests. To get them to talk you need to engage a forest to forest trust.

You need to download the KMS software
http://www.microsoft.com/downloads/...



#4
March 2, 2010 at 13:07:28
Thank you for being so patient with me and for the excellent advice thus far. I'm still very new to all of this.

Yes, both servers are plugged into the same router. Sorry about the confusion on that.

I had downloaded and installed the KMS software on the russell.ny server. Is there additional software I need to download for that?

As for the dual nics in the WayneServer - are you saying I should definitely look into setting up adapter teaming here?

Here are the results of nslookup russell.nj :

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>nslookup russell.nj
*** Default servers are not available
Server: UnKnown
Address: 127.0.0.1

Name: russell.nj
Addresses: 192.168.0.241, 192.168.0.240


C:\Documents and Settings\Administrator>



#5
March 2, 2010 at 13:22:00
Keep it simple. Disable the 2nd nic.

It appears nslookup is not finding a DNS server for itself. You did this command from the server, correct?
Do the command from a workstation please.

Awaiting the nslookup of russell.ny

I would expect you need to install the software on each server. Though not sure why you are installing this software. How many pcs per forest?



#6
March 2, 2010 at 13:40:16
Thanks! I tried creating a new forest trust but I keep getting told that russell.nj or russell.ny is not a valid Windows domain name. I tried using the NetBIOS names as well to no avail. Not quite sure why I can't get these servers to work together when I need them to.

This is from a russell.nj workstation :

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>nslookup russell.nj
*** Default servers are not available
Server: UnKnown
Address: 127.0.0.1

Name: russell.nj
Addresses: 192.168.0.241, 192.168.0.240


C:\Documents and Settings\Administrator>

And this is from a russell.ny workstation :

Microsoft Windows [Version 6.0.6000]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Users\Pillartz.RUSSELL>nslookup russell.ny
Server: UnKnown
Address: 192.168.168.254:53

Name: russell.ny
Address: 192.168.168.254


C:\Users\Pillartz.RUSSELL>nslookup russell.nj
Server: UnKnown
Address: 192.168.168.254:53

*** UnKnown can't find russell.nj: Non-existent domain

C:\Users\Pillartz.RUSSELL>


Thank you again VERY much for all of your assistance. It is VERY appreciated.



#7
March 2, 2010 at 13:46:00
Sorry I missed that last part about the software. We won't hit the quota for KMS, I believe, if I just set up 2 separate KMS servers. In total we'll have about 60 computers, about half on the ny forest and half on the nj forest.


#8
March 2, 2010 at 13:58:34
my understanding is kms is for 1000+ pcs.

does not appear dns is configured properly on either forest.
Makes me wonder how you are joining pcs to the forest without proper dns config.



#9
March 3, 2010 at 08:27:02
I'm not quite sure. They let someone who COMPLETELY didn't know what they were doing set up these two servers. They do function correctly though as domain controllers. I guess the biggest thing here would be to find out why I can't connect the two forests. If that can happen I'm pretty sure both .ny and .nj users will be able to activate with the KMS server.

Any ideas where to start looking to figure this out?



#10
March 3, 2010 at 10:34:34
BTW what is up with the bogus dns entry 198.6.1.122 under DELLF5KB3D1? That ip isn't in any of your subnets.

DNS server configuration on each is the problem.

Start with the server tcp/ip properties/advanced/dns tab
ip address listed should not be the loopback ip 127.0.0.1 but the actual servers static ip
This dns server points to itself.
Do this on both DCs

Bring up mmc and add the dns server module.
Do this at each server.

Under DNS you should see the DC listed [since it is a dns server]
Under the server name is the list for forward and reverse lookup zones.
Under your namespace name russell.ny for example you will see things like SOA, Name Servers, and host records.

What do you show here? Most importantly do you show this server name as Name Server?



#11
March 4, 2010 at 06:25:13
KMS isn't really for 1000+ pcs. KMS is also used to register servers. You have to have 5 registrations for server OS's and 25 for client OS's.

At the KMS server, type SLMGR -DLI. This will show some information about the KMS server itself. Have you entered the proper keys at the KMS server?

If you look in DNS, do you see _VLMCS records in the _TCP section of your DNS server? These are the records clients look for when attempting to locate the KMS server.




#12
March 4, 2010 at 08:21:32
Glen can KMS work across a forest to forest trust?



#13
March 6, 2010 at 08:49:07
I believe it can. I work almost exclusively in single forest environments, but I don't see why it wouldn't work as long as the client can find the KMS server via DNS and the proper ports are open.

But - don't hold me to that. It isn't something I've ever done or looked into very deeply.



#14
March 10, 2010 at 10:06:40
Sorry I have been away sick for a few days. Thank you all for your responses - here is what I show in the russell.ny namespace :


Name Server - dellf5kb3d1.russell.ny [192.168.168.254]
wayneserver.russell.nj [192.168.0.240]
SOA - Serial number 8119
Primary Server - dellf5kb3d1.russell.ny
responsible person : hostmaster
Refresh interval 15 mins
Retry interval 10 mins
Expires after 1 day
Minimum default TTL 1 hour


And the russell.nj namespace on the other server -
Name Servers - wayneserver.russell.nj [192.168.0.240]
DELLF5KB3D1.russell.ny [192.168.168.254]
*This information is listed here in this namespace twice for some reason.

SOA - Serial number 5996
Primary Server - wayneserver.russell.nj responsible person : hostmaster
Refresh interval 15 mins
Retry interval 10 mins
Expires after 1 day
Minimum default TTL 1 hour

Both servers have _VLMCS records listed in their namespaces and also both servers have the opposite server's IP address listed in the "Zone Transfers" section and are allowing zone transfers only to those servers.

In the servers' TCP/IP settings in the DNS tab both servers are listing out 192.168.168.254 and 192.168.0.240 in the DNS server addresses in order of use and have themselves set as the primary DNS server address. I am not seeing 127.0.0.1 at all.

That bogus 198.6.1.122 address has been removed - that was something from our old setup here which no longer exists :-\. What a mess.

Any ideas why I can't get a forest to forest trust going now, given the new information?



#15
March 10, 2010 at 11:34:43
does nslookup work now?


#16
March 11, 2010 at 07:54:07
Here are the results nslookup is giving me now.

From a russell.nj client :
Q:\>nslookup russell.nj
Server: UnKnown
Address: 192.168.0.240

Name: russell.nj
Address: 192.168.0.240

From a russell.ny client :
C:\Users\Administrator.RUSSELL>nslookup russell.ny
Server: UnKnown
Address: 192.168.168.254:53

Name: russell.ny
Address: 192.168.168.254



#17
March 11, 2010 at 08:17:30
Review each server's DNS server host and PTR records for a nameserver entry [NS] that lists that server's name.
If not there, make a static entry [manually add].


#18
March 12, 2010 at 11:14:49
I do have nameserver entries on both servers that list out both wayneserver.russell.nj and dellf5kb3d1.russell.ny in the namespace listings. When looking under reverse lookup zones, there is nothing listed there for either server. Could this be the problem?


#19
March 12, 2010 at 11:29:27
name servers must also exist in the reverse lookup zone.


#20
March 12, 2010 at 12:05:59
Okay, I have successfully gotten the reverse lookup zones setup for both servers - here is what nslookup looks like now :

From a russell.nj client :
Q:\>nslookup russell.nj
Server: russell.nj
Address: 192.168.0.240

Name: russell.nj
Address: 192.168.0.240

From a russell.ny client :
C:\Users\Administrator.RUSSELL>nslookup russell.ny
Server: russell.ny
Address: 192.168.168.254:53

Name: russell.ny
Address: 192.168.168.254


Where should I be going from here? Do I have to create something more in DNS to get these servers to work together with a trust?



#21
March 12, 2010 at 12:35:01
Been reading all you posted.

Just wondering, KMS is just like other applications from Microsoft. After you complete installing KMS, does your KMS need to be activated or not?

http://www.microsoft.com/downloads/...

Good Luck.



#22
March 12, 2010 at 12:51:23
not quite sure about this;

Server: russell.ny
Address: 192.168.168.254:53

That port 53 indicates some kind of forwarding. DNS talks on tcp/udp port 53.

Are you running some kind of proxy server on russell.ny?
Where is that port number coming from?

From an nj client, what does nslookup produce for a lookup of ny? And vice versa?



#23
March 12, 2010 at 13:07:37
from an nj client :

Q:\>nslookup russell.ny
Server: russell.nj
Address: 192.168.0.240

*** russell.nj can't find russell.ny: Non-existent domain

from an ny client:
C:\Users\Administrator.RUSSELL>nslookup russell.nj
Server: russell.ny
Address: 192.168.168.254:53

*** russell.ny can't find russell.nj: Non-existent domain

The russell.ny machine is the one the KMS server is set up on and currently functioning correctly on.

I have both servers set up with the other in reverse lookup zones. So in both servers under reverse lookup zones there is 192.168.0.X and 192.168.168.X.


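As an added example (not code from this thread or any of its posters), here is a small Python checker that classifies Windows nslookup transcripts like the ones posted above into the DNS conditions the thread works through: the resolver falling back to loopback, a name server with no PTR record ("Server: UnKnown"), a port suffix on the server address, and the other forest's zone being absent ("Non-existent domain"). The sample transcripts are constructed to mirror the posted ones.

```python
import re
from typing import Dict, List

# Constructed nslookup transcripts modelled on the ones posted in this thread
# (constructed here, not the poster's own output). Each shows one condition.
SAMPLES: Dict[str, str] = {
    "no_default_server": (
        "*** Default servers are not available\n"
        "Server: UnKnown\nAddress: 127.0.0.1\n\n"
        "Name: russell.nj\nAddresses: 192.168.0.241, 192.168.0.240\n"
    ),
    "missing_ptr": (
        "Server: UnKnown\nAddress: 192.168.168.254:53\n\n"
        "Name: russell.ny\nAddress: 192.168.168.254\n"
    ),
    "other_forest_unknown": (
        "Server: russell.nj\nAddress: 192.168.0.240\n\n"
        "*** russell.nj can't find russell.ny: Non-existent domain\n"
    ),
    "healthy": (
        "Server: wayneserver.russell.nj\nAddress: 192.168.0.240\n\n"
        "Name: russell.ny\nAddress: 192.168.168.254\n"
    ),
}

SERVER_RE = re.compile(r"^Server:\s*(\S+)", re.M)
ADDR_RE = re.compile(r"^Address(?:es)?:\s*(.+)$", re.M)
NAME_RE = re.compile(r"^Name:\s*(\S+)", re.M)
NXDOMAIN_RE = re.compile(r"can't find (\S+): Non-existent domain")


def _split_addrs(text: str) -> List[str]:
    """'192.168.0.241, 192.168.0.240' -> list of IPs; a trailing ':53' port is dropped."""
    return [a.strip().split(":")[0] for a in text.split(",") if a.strip()]


def diagnose(output: str) -> Dict[str, object]:
    """Map one nslookup transcript to the DNS problems discussed in the thread."""
    findings: List[str] = []
    server_m = SERVER_RE.search(output)
    server = server_m.group(1) if server_m else None
    addr_lines = ADDR_RE.findall(output)           # first Address line = the DNS server
    server_addr = _split_addrs(addr_lines[0])[0] if addr_lines else None
    # Answer section: the Address line that follows "Name:"; absent on NXDOMAIN.
    name_m = NAME_RE.search(output)
    answers: List[str] = []
    if name_m:
        rest = ADDR_RE.search(output, name_m.end())
        answers = _split_addrs(rest.group(1)) if rest else []

    if "Default servers are not available" in output or server_addr == "127.0.0.1":
        findings.append("resolver fell back to loopback: list the server's own static IP "
                        "(not 127.0.0.1) in its TCP/IP DNS settings")
    if server == "UnKnown":
        findings.append("DNS server has no PTR record: add its NS/host entry to the reverse lookup zone")
    if addr_lines and ":" in addr_lines[0]:
        findings.append("server address shown with a port suffix: confirm nothing is proxying port 53")
    nx = NXDOMAIN_RE.search(output)
    if nx:
        findings.append(f"{nx.group(1)} is unknown to {server}: add a forward lookup zone or "
                        "forwarder for the other forest before attempting the trust")
    return {"server": server, "server_addr": server_addr, "answers": answers, "findings": findings}


def is_healthy(output: str) -> bool:
    """True when the transcript shows a named server and no findings."""
    return not diagnose(output)["findings"]
```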

#24
March 12, 2010 at 13:17:41
WOW! Okay, I'm sorry, I'm an idiot - I never created those zones in the Forward Lookup Zones. Now I'm getting further with the trust setup but have another issue - I get an error when it's about to be created saying "The operation failed. This operation cannot be performed on the current domain."

Report •

#25
March 12, 2010 at 13:37:04
Update : I have raised the domain and forest levels to server 2003 but it has made no difference. I'm still receiving the same error when I go to create the trust between the two forests.

Report •

#26
March 13, 2010 at 14:35:26
did you ever resolve your dns issues in your post #23? You should not proceed until you have that working.

did you do everything on the punchlist?

http://technet.microsoft.com/en-us/...



#27
March 15, 2010 at 07:37:31
Yes, I've done everything on that checklist, and the DNS issues were resolved. Everything appears when using NS lookup, I have forwarders set up. I have no idea what could be causing this trust error.


#28
March 15, 2010 at 08:36:39
nslookup from a russell.nj client :

Q:\>nslookup russell.ny
Server: wayneserver.russell.nj
Address: 192.168.0.240

Name: russell.ny
Address: 192.168.168.254


Q:\>nslookup russell.nj
Server: wayneserver.russell.nj
Address: 192.168.0.240

Name: russell.nj
Address: 192.168.0.240


nslookup from a russell.ny client:

C:\Users\Pillartz.RUSSELL>nslookup russell.nj
Server: dellf5kb3d1.russell.ny
Address: 192.168.168.254:53

Name: russell.nj
Address: 192.168.0.240


C:\Users\Pillartz.RUSSELL>nslookup russell.ny
Server: dellf5kb3d1.russell.ny
Address: 192.168.168.254:53

Name: russell.ny
Address: 192.168.168.254



#29
March 15, 2010 at 08:46:10
where is the 53 coming from?
anything in the host entry for dellf5kb3d1?

What is the error when making the trust?



#30
March 15, 2010 at 08:59:30
The 53 is only showing up on that one .ny client machine. Other machines in that forest do not show :53 when running nslookup.

The error I'm getting when trying to finalize the trust to "russell.nj" or "russell.ny" (I get through every part of setting it up and it dies right before finishing) is :

The trust relationship cannot be created because the following error occurred:

The operation failed. The error is: This operation can not be performed on the current domain.

To close this wizard, click Finish.



#31
March 15, 2010 at 11:25:47
I think this error might be coming up because both domains have the same netbios name (RUSSELL). I looked under Active Directory Users and Computers, right clicked on the domain and clicked properties. In both domains, under the general tab, Domain name (pre-Windows 2000), RUSSELL is listed. Is there any safe way to fix this?


#32
March 15, 2010 at 12:38:57
this is a good read

http://forums.techarena.in/active-d...



#33
March 15, 2010 at 13:42:43
So it looks like the only solution here is a domain rename since the problem is most likely the Netbios names. Would you agree?


#34
March 22, 2010 at 09:25:41
I'd just like to thank everyone that replied, once more, for their help. I believe I have a way to rectify this but I need some guidance if at all possible. Currently we have a third server just sitting around - no AD configuration on it yet, it's basically 100% clean. Would there be a way to either set up trusts to get everything networked together through this server, or combine both forests into this one server and then use the other 2 servers for replication/failover? I've done some googling around but am not quite sure where to get started or what is the better option here. Whatever I do, I just need to be sure things are seamless for the users - their desktops won't change and they won't lose access to anything on their computers locally.


#35
March 29, 2010 at 10:31:02
I would suggest you simply bring up another KMS; one for each namespace.


#36
March 29, 2010 at 10:35:27
The problem with that is we won't hit the minimum required for the KMS to actually authenticate correctly.


#37
March 29, 2010 at 16:40:20
minimum to work correctly? Never heard of such a thing.

Got a link to that?



#38
March 30, 2010 at 08:27:32
Sure thing. The threshold we need to meet is the one for Windows 7. We won't have 25 users per KMS, which is why I'm going nuts trying to get these two groups together.

https://www.microsoft.com/licensing/servicecenter/Help/FAQDetails.aspx?id=107#121



#39
March 30, 2010 at 08:46:52
Yep, there it is in black and white. Clearly aimed at enterprises.

"KMS requires a minimum number of computers in a network environment. You must have at least five (5) computers to activate computers running Windows Server 2008 or Windows Server 2008 R2 and at least twenty-five (25) computers to activate computers running Windows Vista or Windows 7."

But you have 60 computers with approx. 30 in each forest, which meets the 25 minimum workstation requirement. It appears it's the server side that is lacking.

How many servers do you have?

Regular activation is looking better all the time.



#40
March 30, 2010 at 08:59:35
There are 3 servers. 1 is the NJ forest, one is the NY forest, and the other is a spare server that's not even been designated a use yet and is newer than the other 2 servers, but not by much (and if you have any suggestions for it, whether it be domain migration or redoing things for redundancy, please don't hold back).

My original estimates were wrong about the number of users on each forest. Also, we only needed and have 40 upgrade licenses. 25 will never be reached on each forest. I'm thinking if I don't do something drastic with this restrictive network setup we have going on, I should just go ahead and use the MAK keys and get the upgrades rolling this week.



#41
March 31, 2010 at 08:59:00
Given the criteria of not having an impact on the users' workflow, a domain rename/forest redesign is not advisable. I would just do the manual upgrades.


#42
March 31, 2010 at 10:26:59
Thanks, I'll go ahead and do that then. If I were to find the time to do a domain rename/forest redesign, what should I expect on the user's end to change? We don't have anything such as roaming desktops setup - would it basically create a disaster? I do have that third server just sitting there doing absolutely nothing...


#43
March 31, 2010 at 11:06:46
How about starting a new thread with the topic of domain/forest redesign. Then describe the present config with the number of wksts/servers along with why you have two forests and what you would like to accomplish.

I suspect you don't need two forests or the present complications.



#44
March 31, 2010 at 11:38:44
I will definitely do that. Thank you for all of your help, I appreciate it. I apologize if I've been annoying.


#45
March 31, 2010 at 16:29:58
You haven't been annoying at all. In fact you made me go out and learn a bit more about KMS and that is never a bad thing :-)
