Windows KMS - host or AD?

I’m planning out a big physical to virtual move, and for reasons I don’t want to just p2v the running servers. Going to do a series of hoop jumping to move roles to new hosts and back again once I free up the old IP addresses. These moves involve moving AD, DNS, and DHCP. I had a plan written on paper, need to load up some VMs in my lab and give some of this a go and see what fails and what works.

The crux of the matter is, do I keep using a dedicated KMS host (VM), or do I move this function to AD? If I move to AD will clients that are not part of the domain still get activated?

For the longer part of the gymnastics:

Take server 3 and install the AD, DNS, and DHCP roles. Add it to the existing AD so this shares the load. Set load balance for DHCP. Transfer FSMO from server 1 to server 3 (now Primary AD). DCpromo server 1 and remove it from the network.
Create Server 1 in fresh VM and reverse the process.

Follow the process for server 2, adding WDS images. Server 2 is my current KMS host, so there will be a short time when no KMS host will be present. Moving server 2 up to 2022 while doing this; the current KMS host is not activating 2022 at this time. I think a Windows update broke this, so I need to start other servers at 2019 and in-place upgrade.

I may flip this and do server 2 first, it has less stuff going on and I should be able to move this without affecting users (gives me more days/times to perform work).

Why no p2v? These servers have come up through 2008 with in-place upgrades. It is time to freshen them up with clean installs. Also, the only p2v that I’ve tried failed when the only important application failed because it is keyed to a lot of different hardware (another license server for some applications).

You can put KMS on a DC if you want. It’s very lightweight. The machines know how to reach the KMS server by querying DNS for an SRV record called _VCLMS.
I would suggest letting the KMS service manage the creation of this record, which I believe happens by default. To ease the transition, you can run the old and new KMS servers together as clients will just get 2 possible options from DNS. As for your non-domain joined machines, I’d think they should be able to find KMS especially if you configure them with the same DNS suffix as the domain-joined machines so when they do the query, it will append and resolve to _VCLMS.somedomain.local

1 Like
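The discovery path the reply above describes can be checked from both ends. The following is an added example, not code from the thread: it queries the KMS SRV record (registered by the KMS service as `_vlmcs._tcp.<domain>`), makes sure a non-domain-joined client appends the domain suffix, and then has the client re-discover and report its activation state with the built-in slmgr.vbs. The domain name is an assumption; set it to your own.

```powershell
# Added example, not from the thread. Assumption: the domain name below.
$domain = 'somedomain.local'

# 1. Which KMS hosts do clients discover? While old and new KMS hosts run
#    side by side, both should be returned here.
$kmsHosts = Resolve-DnsName -Name "_vlmcs._tcp.$domain" -Type SRV -ErrorAction Stop
$kmsHosts | Select-Object Name, NameTarget, Port, Priority, Weight | Format-Table -AutoSize

# 2. On a non-domain-joined client, the unqualified lookup only works if the
#    domain suffix is in the search list; add it when missing.
$search = @((Get-DnsClientGlobalSetting).SuffixSearchList | Where-Object { $_ })
if ($search -notcontains $domain) {
    Set-DnsClientGlobalSetting -SuffixSearchList ($search + $domain)
}

# 3. Clear any manually pinned KMS host so the client falls back to DNS
#    discovery, attempt activation, then show the detailed licence state
#    (KMS host actually used, remaining grace period, last activation).
$slmgr = Join-Path $env:windir 'System32\slmgr.vbs'
cscript.exe //nologo $slmgr /ckms | Out-Null
cscript.exe //nologo $slmgr /ato
cscript.exe //nologo $slmgr /dlv

# 4. On a DNS server with the DnsServer module, confirm the record the KMS
#    service registered (useful when checking that the new host published itself).
# Get-DnsServerResourceRecord -ZoneName $domain -Name '_vlmcs._tcp' -RRType Srv
```

Run steps 1 to 3 on a client (elevated, since slmgr changes client state) and step 4 on a DNS server. If step 1 returns only the old host after the new one is up, the new KMS host has not published its record yet, which is the case to catch before decommissioning the old server.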

Thanks. I’m still thinking about this and not getting the time I need to work on the transfer. I did read a bunch of articles from Microsoft and they suggested the same thing: just stand up a second server until you can remove the first. I’ll probably do that as it seems the easiest way.

Is there a problem running 3 AD servers? I started this process by putting up a server that I intend to use for other things. Made it an AD server so I could sync all the records. Also made it a second DHCP server to again sync everything, and a third DNS server, though that still needs work because something didn’t function correctly. Now I should be able to transfer the rest of the AD roles to this new server and take down my first AD and second AD/KMS server.

It has been mostly OK so far, biggest problem I’ve had is that all the DHCP options didn’t transfer to this new (second) DHCP. Manually entered a few things and it’s back to OK. Once I have time to straighten out the DNS on this new server, I can move forward again.

You can easily run 3 AD/DNS servers or even more if required. It is/was quite common to bring up a third with the latest OS and then migrate the roles to it before demoting the original server. The only thing I wouldn’t recommend is trying to keep the same IP address. In my experience, changing an AD server’s IP after it’s been configured isn’t something that goes well.

For future reference you can easily export all of your current DHCP settings and import them into a new DHCP server from the command line. I think it even migrates over the current allocations etc.

1 Like
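The command-line DHCP migration mentioned above, as an added example that is not code from the thread: it uses the DhcpServer module's Export-DhcpServer and Import-DhcpServer cmdlets, carries the current leases over with -Leases, and then lists server- and scope-level options on the new server, since missing options were the problem reported earlier in the thread. Server names and paths are assumptions.

```powershell
# Added example, not from the thread. Assumptions: server names and paths.
$oldDhcp = 'server2.somedomain.local'
$newDhcp = 'server3.somedomain.local'
$export  = 'C:\Migrate\dhcp-export.xml'
$backup  = 'C:\Migrate\dhcp-backup'   # Import-DhcpServer backs up the target here first

New-Item -ItemType Directory -Path (Split-Path $export) -Force | Out-Null

# Export scopes, options, reservations, policies and (with -Leases) the
# current address allocations from the old server.
Export-DhcpServer -ComputerName $oldDhcp -File $export -Leases -Force

# Import everything on the new server. Drop -Leases for configuration only;
# -ServerConfigOnly would bring over just server-level settings.
Import-DhcpServer -ComputerName $newDhcp -File $export -BackupPath $backup -Leases -Force

# The new server must be authorized in AD before it will hand out leases.
if (-not (Get-DhcpServerInDC | Where-Object { $_.DnsName -eq $newDhcp })) {
    Add-DhcpServerInDC -DnsName $newDhcp
}

# Verify the options arrived: server-level first, then per scope.
Write-Host "Server-level options on $newDhcp"
Get-DhcpServerv4OptionValue -ComputerName $newDhcp |
    Format-Table OptionId, Name, Value -AutoSize

Get-DhcpServerv4Scope -ComputerName $newDhcp | ForEach-Object {
    Write-Host "Scope $($_.ScopeId) ($($_.Name))"
    Get-DhcpServerv4OptionValue -ComputerName $newDhcp -ScopeId $_.ScopeId |
        Format-Table OptionId, Name, Value -AutoSize
}
```

Run it from a machine with the DHCP RSAT tools installed and rights on both servers. Keep the export file and the backup directory until the old server is gone: the export is also a usable backup of the old configuration if the import has to be repeated with -ScopeOverwrite.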

Thanks, I need to look up the command line stuff.

My plan is currently:

Stand up the 3rd and get it all functional.
Demote the second and remove it from the network.
Stand up the second including the old IP (since the old one is now gone) and get it functional.
Transfer the FSMO role over to one of the other servers.
Demote the first and remove it from the network.
Stand up the first and get everything working, and transfer the FSMO back to it.
And finally demote the third to go back to the other functions I am going to use it to do. Or maybe not demote it; haven’t finalized this last step.

While I read about KMS more, a blog post on Microsoft said to basically not worry. Just remove the server and build another. The grace period is around 2 weeks, and it will keep checking back for 180 days before it really gives you grief. I kind of thought that was the way, but reading it from a Microsoft associate makes a person feel better.

I also need to ditch the WDS on the second server. That always causes issues with things like in place upgrades and probably demoting that AD. Backed up all my WIM images in preparation for this move.

Probably need to wait until we get into spring break in a few weeks, just to make sure there are no service interruptions. Been enough of those through mistakes already.
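The plan above moves the FSMO roles twice (off the first server, then back). As an added example that is not the poster's own script, this moves all five roles to a named DC with the ActiveDirectory module, confirms where each role now sits, and checks replication before the old DC is demoted. The target name is an assumption.

```powershell
# Added example, not from the thread. Assumption: the target DC's name.
Import-Module ActiveDirectory
$target = 'SERVER3'

# Move all five roles in one call. Run the same line against the rebuilt
# first server later to transfer them back.
Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole `
    SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false

# Verify: forest-level roles come from Get-ADForest, domain-level from Get-ADDomain.
$forest = Get-ADForest
$domain = Get-ADDomain
$roles = [pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$roles | Format-List

# Anything not on the target is a transfer that did not take; stop here if so.
$notMoved = $roles.PSObject.Properties | Where-Object { $_.Value -notmatch "^$target\." }
if ($notMoved) {
    Write-Warning "Roles still elsewhere: $($notMoved.Name -join ', ')"
}

# Replication must be clean before demoting the old DC, or its partitions
# may drag stale data along. Both are built-in tools.
repadmin /replsummary
repadmin /showrepl $target

# Demotion of the old DC is then done on that server, for example:
# Uninstall-ADDSDomainController -LocalAdministratorPassword (Read-Host -AsSecureString) -Force
```

The role holders are reported as fully qualified names, which is why the check matches `SERVER3.` at the start of each value. Do the verification step both times the roles move; a transfer that silently failed is far easier to fix while the source DC is still online than after it has been wiped.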

I should probably have said, I’ve also moved KMS servers before. I can’t remember the exact procedure, but that in itself speaks volumes, as it must have been so simple and easy there was no need to remember it :rofl:

Edit: Your AD plan sounds perfectly sensible, so you shouldn’t have any issues

1 Like

Thanks, I appreciate the help. While I do this job, I don’t do it often enough to stay on top of things, so checking with people who do this more often is really a bit of comfort.

You should be able to build the new DC, move the FSMO roles, demote the old DC, delete it, and then update the IP you used for the old one. You’ll need to ipconfig /flushdns, restart DNS and Netlogon services, then ipconfig /registerdns. Next dcdiag /fix and you should be good.

1 Like
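The refresh sequence in the reply above, written out as an added example (not the replier's own script) to run on the rebuilt DC after it has taken over the old IP address. It lists what DNS holds for the DC's name before and after re-registration, runs the flush, service restart, register and dcdiag /fix steps in order, and then confirms the DC can be located through its SRV records. Nothing in it beyond the thread's own commands is assumed except that the DC also runs the DNS role, as the servers in this thread do.

```powershell
# Added example, not from the thread. Run elevated on the rebuilt DC.
$zone = (Get-ADDomain).DNSRoot
$me   = $env:COMPUTERNAME

function Show-MyRecords {
    # A records DNS currently holds for this DC's name (before vs. after).
    Get-DnsServerResourceRecord -ZoneName $zone -RRType A |
        Where-Object { $_.HostName -eq $me } |
        ForEach-Object { "$($_.HostName) -> $($_.RecordData.IPv4Address)" }
}

Write-Host 'Before:'; Show-MyRecords

# The sequence from the reply above.
ipconfig /flushdns
Restart-Service -Name DNS, Netlogon
ipconfig /registerdns
dcdiag /fix

# /registerdns runs asynchronously; give the DNS client a moment.
Start-Sleep -Seconds 15
Write-Host 'After:'; Show-MyRecords

# Confirm the DC is locatable and its SRV records point at this host.
nltest /dsgetdc:$zone
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$zone" -Type SRV |
    Format-Table NameTarget, Port, Priority -AutoSize

# Full DNS test pass; read the summary at the end for any FAIL entries.
dcdiag /test:dns /v
```

If the "After" listing still shows an address that no longer belongs to this host, that stale A record is what to remove (Remove-DnsServerResourceRecord) before repeating the registration; leaving it in place is what produces the intermittent logon and replication errors the earlier reply warned about when reusing a DC's IP.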