
Will the various KMS client versions (Windows, Office) handle CNAMEs as expected (i.e. resolve the referenced destination RRs) when resolving the _vlmcs._tcp.<localdomain> KMS machine name from DNS?

The rationale here: we have an environment with a sh!tload of subdomains, our Windows clients and servers (not necessarily domain-joined) are scattered among all of them. Our DNS management for these domains is rather inflexible (we can handle changes once in a while, but it is onerous) whereas we have some domains delegated to AD DNS servers where changes are easily implemented. We would have _vlmcs._tcp.<localdomain>. IN CNAME _vlmcs._tcp.addns.domain. RRs created all over to ease up KMS server addition and replacement.

I am able to test the basic functionality (Win7 + Server 2008 R2 / Server 2012 R2 clients, Office 2013) without major effort. Yet, I do not have a sufficiently large sample size of different OS versions, Office installations, service packs and possibly KMS-client-related hotfixes to tell if it would work in all common configurations.

chicks
the-wabbit
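An added check for the setup described in the question (this is example code, not something from the original post): it resolves the aliased `_vlmcs._tcp` name with the Windows DNS client and verifies that the answer contains both the CNAME and the SRV records of the target zone, then reads back what the local Software Protection Platform actually discovered, so a CNAME that the client did not chase shows up as a mismatch. The domain names are placeholders; `Resolve-DnsName` needs Windows 8 / Server 2012 or later, so on Windows 7 / 2008 R2 substitute `nslookup -type=SRV` for the first step.

```powershell
# Added example, not from the original question. Domain names are placeholders.
param(
    # Zone that carries the CNAME (the client's own subdomain)
    [string]$ClientDomain = 'sub.example.invalid',
    # Zone that carries the real SRV records (the CNAME target on AD DNS)
    [string]$KmsDomain    = 'addns.example.invalid'
)

$alias  = "_vlmcs._tcp.$ClientDomain"
$target = "_vlmcs._tcp.$KmsDomain"

# Step 1: resolver view. A recursive resolver returns the CNAME first and then
# the SRV records of its target. If only the CNAME comes back, the resolver did
# not chase it, and a KMS client using the same resolver will find no host.
$answer = Resolve-DnsName -Name $alias -Type SRV -ErrorAction Stop
$cname  = @($answer | Where-Object { $_.Type -eq 'CNAME' })
$srv    = @($answer | Where-Object { $_.Type -eq 'SRV' })

if ($cname.Count -eq 0 -or $cname[0].NameHost -ne $target) {
    Write-Warning "Expected a CNAME from $alias to $target; got: $($cname.NameHost)"
}
if ($srv.Count -eq 0) {
    throw "Resolver returned no SRV records for $alias (CNAME not chased?)"
}
$srv | Select-Object Name, NameTarget, Port, Priority, Weight | Format-Table -AutoSize

# Step 2: what the Software Protection Platform on this machine discovered.
# Empty values mean no auto-discovery has happened yet; 'slmgr.vbs /ato'
# forces an activation attempt and therefore an SRV lookup.
$sls = Get-WmiObject -Class SoftwareLicensingService
[pscustomobject]@{
    ConfiguredKmsHost = $sls.KeyManagementServiceMachine            # only set if /skms was used
    DiscoveredKmsHost = $sls.DiscoveredKeyManagementServiceMachineName
    DiscoveredKmsPort = $sls.DiscoveredKeyManagementServiceMachinePort
} | Format-List

# A discovered host that is one of the SRV targets means the client followed
# the CNAME; a discovered host that is empty while step 1 succeeded points at
# the client-side lookup rather than at DNS.
if ($srv.NameTarget -contains $sls.DiscoveredKeyManagementServiceMachineName) {
    "OK: client discovered a KMS host through the CNAME-aliased SRV record"
} elseif ($sls.KeyManagementServiceMachine) {
    "Note: a KMS host is set manually, so auto-discovery is bypassed on this client"
} else {
    Write-Warning "Client has not discovered a KMS host matching the SRV targets"
}
```

Run it on a representative client of each OS/Office combination you can reach; the SRV section shows what DNS hands out, and the discovered host shows whether that particular client build used it.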

1 Answer


I doubt anyone will be able to say for certain in 100% of the cases that a CNAME would work. But were I in your shoes, I'd validate it works for the subset of systems I can test and then just go for it. Worst case, you monitor your client counts before and after so you notice if they start going down as if clients aren't connecting anymore. Both Windows and Office don't seem to do much other than nag when you're out of compliance. So users might be mildly annoyed, but not broken.

Alternatively, skip the _vlmcs records entirely and just set the KMS server manually on all your clients. There's a group policy for it on domain joined machines and you can use your config mgmt system to do the rest. You've got a config mgmt system, right?

Ryan Bolger
  • *You've got a config mgmt system, right?*: unfortunately, only partially. The organization is decentralized and while there is configuration management for parts of it, significant parts are running without. I went for the first route you're proposing - I have tested it in our lab, let it run for a pilot group for a while and deployed it to the organization as a whole last month. The old KMS server has been decommissioned just yesterday, I am waiting for user complaints now :-) – the-wabbit Oct 08 '15 at 09:43
  • BTW, I was either hoping for a reference to a technical document from Microsoft stating that CNAMEs are fine or a counterexample showing where it would break. Although I cannot see why it should not work as long as the standard DNS resolver libraries are used, I could not come up with any document or setup description using CNAMEs for KMS SRV RRs. – the-wabbit Oct 08 '15 at 09:47
  • The config mgmt system was sort of tongue-in-cheek. =) As far as documentation goes, the only docs I've ever seen simply reference the SRV record and how to generate it. They don't really go into alternative configurations. – Ryan Bolger Oct 08 '15 at 16:05
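The "monitor your client counts before and after" approach from the answer, and its fallback of pointing clients at the KMS host by hand, as an added example (not code from the answer or from Microsoft): the first part runs on the KMS host and appends the activation counters to a CSV so that a drop in the 30-day client count or a stalled request total after the DNS change is visible; the second part is the manual assignment for a client that has no configuration management. The log path and the KMS host name are placeholders.

```powershell
# Added example, not from the original answer. Paths and host names are placeholders.

# ---- Part 1: run on the KMS host, e.g. from a scheduled task once a day ----
function Save-KmsCounterSnapshot {
    param([string]$LogPath = 'C:\kms-counters.csv')   # placeholder location

    $sls = Get-WmiObject -Class SoftwareLicensingService
    if (-not $sls.IsKeyManagementServiceMachine) {
        throw 'This machine is not acting as a KMS host'
    }

    if (-not (Test-Path $LogPath)) {
        Set-Content -Path $LogPath -Value 'Timestamp,CurrentCount,TotalRequests,FailedRequests'
    }
    # CurrentCount = distinct clients that contacted this host in the last 30 days
    # (the "Current count" line of slmgr.vbs /dlv); the request totals only grow.
    $line = '{0},{1},{2},{3}' -f (Get-Date -Format 's'),
        $sls.KeyManagementServiceCurrentCount,
        $sls.KeyManagementServiceTotalRequests,
        $sls.KeyManagementServiceFailedRequests
    Add-Content -Path $LogPath -Value $line

    # Compare the two newest rows: no new requests, or a shrinking current
    # count, is the signal that clients stopped finding this host.
    $history = @(Import-Csv -Path $LogPath)
    if ($history.Count -ge 2) {
        $prev = $history[$history.Count - 2]
        $curr = $history[$history.Count - 1]
        if ([int]$curr.TotalRequests -le [int]$prev.TotalRequests) {
            Write-Warning "No new KMS requests since $($prev.Timestamp)"
        }
        if ([int]$curr.CurrentCount -lt [int]$prev.CurrentCount) {
            Write-Warning ("Current count fell from {0} to {1}" -f $prev.CurrentCount, $curr.CurrentCount)
        }
    }
    return $history[$history.Count - 1]
}

# ---- Part 2: run on a client that has no config management ----
function Set-KmsHostManually {
    param(
        [string]$KmsHost = 'kms01.addns.example.invalid',   # placeholder
        [int]$Port = 1688
    )
    $slmgr = Join-Path $env:SystemRoot 'System32\slmgr.vbs'
    # /skms pins the host and disables SRV auto-discovery on this client;
    # /ato forces an activation attempt so a bad host name fails right away.
    & cscript.exe //nologo $slmgr /skms "${KmsHost}:${Port}"
    & cscript.exe //nologo $slmgr /ato
    # Read the setting back from the Software Protection Platform.
    (Get-WmiObject -Class SoftwareLicensingService).KeyManagementServiceMachine
}

Save-KmsCounterSnapshot
```

Keep the snapshot running on the old host after the cutover as well: its current count draining to zero while the new host's count climbs is the confirmation that clients are actually following the new records, and it tells you when the old host can be decommissioned.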