In some environments it is necessary to implement Key Management Service (KMS) activation across domains. The requirements of a recent project I was working on illustrate why.
The customer in question is in the process of consolidating a number of legacy domains into a new pristine AD domain - trust relationships exist between the domains. This migration will take a considerable amount of time given both the size of the customer's infrastructure and the requirement to consolidate / migrate complex back office systems and applications.
Concurrently, a large scale Vista deployment project is also underway, aimed at base-lining the client infrastructure on a common desktop. Where possible, and for the most part, newly deployed Vista clients are being placed in the new domain. However, because some critical back office applications still reside in the legacy domains, there is also a requirement to redeploy some Vista clients back into their legacy domains.
Bearing these requirements in mind, it was still desirable to configure a single domain for KMS activation - preferably the new domain - given that over time the legacy domains will be decommissioned. Thus configuring KMS activation across domains becomes the logical choice.
Network considerations - by default, client computers connect to the KMS host for activation using anonymous Remote Procedure Calls over TCP port 1688, so this port must be opened in the firewall configurations between the remote sites and the KMS host. Because the RPC interface is anonymous, scope the rule to the client subnets that need it rather than opening the port from everywhere. Note - the port number can be changed on the KMS host, and if you change it the SRV records must advertise the new port.
DNS SRV records - by default, when dynamic DNS (DDNS) is supported in the environment, KMS hosts automatically publish their existence by creating a service (SRV) resource record named _VLMCS._tcp in DNS, and only the DNS domain that the KMS host belongs to receives that record. KMS clients look the record up in their own DNS domain, which is why a host in the new domain is invisible to clients in the legacy domains unless the record is published there too.
So if you have only one DNS domain in your network environment, no further action is required.
But if you have more than one DNS domain name, as is the case with this customer's legacy domains, you can give the KMS host a list of DNS domains to use when publishing its SRV record. This is done by setting a specific registry value on the KMS host; with secure dynamic updates in force, the KMS host's computer account must also be allowed to create records in each listed zone, or the publishing will silently fail there -
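The host-side configuration described above (firewall, publish list, service restart, check), written up as an added PowerShell example that is not part of the original post. It assumes, from my own knowledge rather than from the page, the REG_MULTI_SZ value name DnsDomainPublishList and its location under the SL key (Vista / Server 2008) or the SoftwareProtectionPlatform key (Server 2008 R2 and later), and the licensing service names slsvc / sppsvc; the domain names are constructed.

```powershell
# Added example, not from the original post. Run elevated on the KMS host.
# Assumptions (not stated on the page): value name DnsDomainPublishList, key location
# SL vs SoftwareProtectionPlatform, service names slsvc / sppsvc. Domain names are made up.

$domains = @('newdomain.local', 'legacy1.local', 'legacy2.local')   # constructed: new domain + legacy domains
$port    = 1688                                                     # KMS default; change with slmgr.vbs /sprt <port>

# 1. Local firewall: allow inbound TCP 1688 on the KMS host itself.
#    Restrict -RemoteIP to the client ranges; the inter-site firewalls need their own matching rule.
netsh advfirewall firewall add rule name="KMS host (TCP $port)" dir=in action=allow `
    protocol=TCP localport=$port remoteip=10.10.0.0/16,10.20.0.0/16 | Out-Null   # constructed ranges

# 2. Find the licensing key: SoftwareProtectionPlatform on 2008 R2 / Windows 7 and later, SL on Vista / 2008.
$base  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$slKey = Join-Path $base 'SoftwareProtectionPlatform'
if (-not (Test-Path $slKey)) { $slKey = Join-Path $base 'SL' }
if (-not (Test-Path $slKey)) { throw "No software licensing key found under $base" }

# 3. DnsDomainPublishList is REG_MULTI_SZ: one DNS domain per entry; the host publishes _VLMCS._tcp into each.
New-ItemProperty -Path $slKey -Name 'DnsDomainPublishList' -PropertyType MultiString `
    -Value $domains -Force | Out-Null

# 4. Restart the licensing service so it re-registers its SRV records (slsvc on Vista / 2008, sppsvc later).
$svc = Get-Service -Name sppsvc, slsvc -ErrorAction SilentlyContinue | Select-Object -First 1
if ($null -eq $svc) { throw 'Software Licensing / Software Protection service not found' }
Restart-Service -Name $svc.Name -Force

# 5. Verify from the host: each listed domain should now answer with an SRV record for this host on $port.
#    An empty answer for a legacy domain usually means the host lacks update rights on that zone.
foreach ($d in $domains) {
    Write-Host "== _vlmcs._tcp.$d"
    nslookup -type=SRV "_vlmcs._tcp.$d"
}

# 6. Confirm the KMS host itself is healthy and listening on the expected port.
cscript //nologo "$env:SystemRoot\System32\slmgr.vbs" /dlv
```

Re-run step 5 after the DNS refresh interval if the records do not appear immediately; the service only registers on start and on its periodic re-registration, not on every registry write.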
However, if DDNS is not supported in the different DNS environments, or if you want manual control over KMS publishing, an administrator can also create the SRV record that publishes the availability of a KMS host by hand. Manually created SRV records can coexist with SRV records auto-published by KMS hosts in other domains, as long as all records are maintained to prevent conflicts (a stale manual record pointing at a decommissioned host will keep sending clients there). Here is the procedure to create the SRV record in the legacy DNS domains that publishes the availability of a remote KMS host -
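The manual publishing procedure above, plus the checks I would run from the legacy side, as an added PowerShell example that is not part of the original post. The DNS server, zone and KMS host names are constructed; the record name _VLMCS._tcp with priority 0, weight 0 and port 1688 are the KMS defaults. dnscmd and slmgr.vbs are the built-in tools; the Add-DnsServerResourceRecord and Test-NetConnection alternatives noted in comments only exist on Windows Server 2012 / Windows 8 and later.

```powershell
# Added example, not from the original post. Run with rights on the legacy DNS server.
# Constructed names: legacydc01.legacy1.local, legacy1.local, kms01.newdomain.local.

$dnsServer = 'legacydc01.legacy1.local'   # authoritative DNS server for the legacy zone
$zone      = 'legacy1.local'              # legacy DNS domain the redeployed Vista clients sit in
$kmsHost   = 'kms01.newdomain.local'      # KMS host in the new domain; must resolve from the legacy domain
$port      = 1688                         # must match the port the KMS host actually listens on

# 1. Create the SRV record. Syntax: dnscmd <server> /RecordAdd <zone> <node> SRV <priority> <weight> <port> <target>
dnscmd $dnsServer /RecordAdd $zone _VLMCS._tcp SRV 0 0 $port $kmsHost
#    Equivalent on Windows Server 2012 and later (DnsServer module):
#    Add-DnsServerResourceRecord -Srv -ComputerName $dnsServer -ZoneName $zone -Name _VLMCS._tcp `
#        -DomainName $kmsHost -Priority 0 -Weight 0 -Port $port

# 2. Confirm the record is served, and that the target name resolves, from the legacy domain's resolver.
nslookup -type=SRV "_vlmcs._tcp.$zone" $dnsServer
nslookup $kmsHost $dnsServer

# 3. Check the path the clients will use: TCP $port through the inter-site firewall to the KMS host.
#    Test-NetConnection is Windows 8 / Server 2012 and later; on Vista use:  telnet $kmsHost $port
Test-NetConnection -ComputerName $kmsHost -Port $port -InformationLevel Detailed

# 4. On a Vista client in the legacy domain (elevated prompt): force activation, then read back the
#    KMS host and port that were actually used. A client pinned earlier with /skms ignores DNS, so
#    clear that first with /ckms if you want the SRV lookup to be the one under test.
cscript //nologo "$env:SystemRoot\System32\slmgr.vbs" /ckms
cscript //nologo "$env:SystemRoot\System32\slmgr.vbs" /ato
cscript //nologo "$env:SystemRoot\System32\slmgr.vbs" /dlv
```

When the legacy domains are finally decommissioned, the record goes with the zone; until then, treat it like any other hand-maintained DNS entry and remove it if the KMS host is renamed or replaced.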