First off, there a few commands and output that will give you a good starting point.

C:\Windows\system32>cscript slmgr.vbs /dlv
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Software licensing service version: 6.1.7600.16385

Name: Windows Server(R), ServerStandard edition
Description: Windows Operating System – Windows Server(R), RETAIL channel
Activation ID: 039998e3-3ef5-4adf-b758-mnbvczxlkjjhh
Application ID: 55c92734-d682-4d71-983e-lkdaskdjaskl
Extended PID: 00477-4444-444-000000-00-1033-7600.0000-3482009
Installation ID: 006386735361234567898785803475982043689521915735258065
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88342
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88343
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88345
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88344
Partial Product Key: 2YYCD
License Status: Initial grace period
Time remaining: 43200 minute(s) (30 day(s))
Remaining Windows rearm count: 2
Trusted time: 4/27/2010 11:09:12 AM

Or its equivalent with less information slmgr /dli.

In that case, it seems that KMS client is not even set here.

First off, you may want to tell the server where to look to get Keys using the following commands.

To know which server should be register you may want to check the DNS record that

C:\Windows\system32>nslookup -type=srv _vlmcs._tcp.xxxx.net
Server:  rrrpdcad02.xxxx.net
Address:  10.9999.15

_vlmcs._tcp.xxxx.net   SRV service location:
priority       = 0
weight         = 0
port           = 8081
svr hostname   = rrrmskms01.xxxx.net
rrrpmskms01.xxxx.net   internet address = 10.99.98.97

With this information you can now register for this server.

C:\Windows\system32>cscript slmgr.vbs /skms rrrpmskms01:1688
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Key Management Service machine name set to rrrmskms01:1688 successfully.

You will then need to enter a valid key if not already done with you unattended install. Please check the below table with MS provided keys for activation using KMS.

C:\Windows\system32>cscript slmgr.vbs -ipk YC6KT-GKW9T-YTKYR-T4X34-R7VHC
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Installed product key YC6KT-GKW9T-YTKYR-T4X34-R7VHC successfully.

then trying the activation using the command below I would get another error.

C:\Windows\system32>cscript slmgr.vbs /ato
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Activating Windows Server(R), ServerStandard edition (039998e3-3ef5-ddasdasdass8-d25fa0128ff4) …
On a computer running Microsoft Windows non-core edition, run ‘slui.exe 0x2a 0x80072EE2′ to display the error text.
Error: 0x80072EE2

Using the mentioned command I would find that 0x80072EE2 means that the operation timed out. Very well, then I may facing some communication errors.

Indeed, as you may have noticed I made a mistake above not using the right port. I used 1688 which the default port instead.

You can also check on your KMS for a status using the slmgr /dlv command:

Key Management Service is enabled on this machine
Current count: 50
Listening on Port: 8081
DNS publishing enabled
KMS priority: Normal

Be sure to use the port that is given by the volume license DNS entry and make sure it communicates. As you may have guessed there are 2 ways a new server where a KMS is install will register. Of course after changing to the right port and can try -ato (activation) again.

1. by using the DNS to automatically locate the KMS
2. or just register it manually using the commands above

When rightfully registered the /dli or /dlv will give you something like that:

C:\Windows\system32>cscript slmgr.vbs -dli
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Name: Windows Server(R), ServerStandard edition
Description: Windows Operating System – Windows Server(R), VOLUME_KMSCLIENT channel
Partial Product Key: R99HC
License Status: Licensed
Volume activation expiration: 259200 minute(s) (180 day(s))

Key Management Service client information
Client Machine ID (CMID): 70e4de42-rewa-4c93-gf45-a6d372bc0a19
Registered KMS machine name: rrrpmskms01.xxxx.net:8081
KMS machine extended PID: 55041-009999-313-09999-03-1033-6002.0000-3442009
Activation interval: 120 minutes
Renewal interval: 10080 minutes
KMS host caching is enabled

Activation Keys table (taken from here)

For this recipe, you will need:

• adrestore, a great tool from our friend Mark
• Admin rights on AD, to perform what you have to do

For your sake, AD keeps deleted record for 30 days by default. If it was an important account, there are great chances you notice it is missing before the 30 days. Past those 30 days, you will need to use the “standard authoritative” AD backup method.

Your application using the deleted account will complain and a query on AD reveals it is not there. Not a problem, just follow the 4 easy steps below:

1. Restore the missing account
adrestore.exe -r MissingAccount
Enumerating domain deleted objects:
cn: MissingAccount
DEL:eab4d5e6-493b-4a64-aae8-360e730a5938
distinguishedName: CN=MissingAccount\0ADEL:eab4d5e6-493b-4a64-aae8-360e730a5938,CN=Deleted Objects,DC=rgare,DC=net
lastKnownParent: OU=Service Accounts,OU=Users,OU=Montreal (MTL),DC=COMPANY,DC=net

Do you want to restore this object (y/n)? y

Restore succeeded.

Found 1 item matching search criteria.

2. Query to check its existence
dsquery user -name MissingAccount
“CN=MissingAccount,OU=Service Accounts,OU=Users,OU=Montreal (MTL),DC=COMPANY,DC=net”

3. Reset Password as restored account comes back empty
net user /domain MissingAccount Password

4. Activate Account
dsquery user -name MissingAccount| dsmod user -disabled no
dsmod succeeded:CN=MissingAccount,OU=Service Accounts,OU=Users,OU=Montreal (MTL),DC=COMPANY,DC=net

At this point and under 3 minutes, the deleted account is restored and ready to be used. It even kept its SID but you will have to repopulate some of its attributes such as Description and so on.

1. My computer’s BIOS supports autostartup, so I have it set to come on at 7:20AM every day (I arrive at the office at 8AM).

2. I use TweakUI to autologin to the computer, use kb315231 otherwise. This gets it starting and lets all the startup programs take however long they need to get going.

3. REMAIN COMPLIANT. I have a shortcut in my startup menu with a target of: %windir%\system32\rundll32.exe user32.dll, LockWorkStation, which locks the workstation. This way, if anyone tries to power up my computer when I’m not there, they can’t do anything, remember you are an admin.

4. I have a batch program in my startup menu with this command shutdown -s -t 7200 -c “If I’m not here, this computer will shut itself down.” -f, which will shut the PC down in 2 hours. That way, if I’m out sick, the PC isn’t on all day. Of course, if I’m late, I have ’till 9:20 or so to make it to my desk and abort the destruct sequence with #5…

5. I have a subfolder of Startup called Abort Shutdown, with a batch file in it with the command shutdown -a, which will (duh) abort the shutdown when I click it. The folder is open when I arrive, and the batch file is sitting there, waiting to be clicked on.

So, in the 40 minutes before I arrive, everything gets rolling. While 40 minutes might seem excessive, they are other things you may want to have your computer do while waiting for you such as backup or other sync.

This also works well in the middle of the day when a restart is required. I can fire and forget — go get a double-double or something, and I don’t have to come back just to log in and wait some more. By the time I’m back, it’s ready to rock and roll.

Not so long ago a colleague of mine, not to mention he is our HR head, found himself locked out while traveling to our Toronto office (he is based in Montreal). He found out as he was trying to log onto is laptop. After a call to the helpdesk he was able to log in as they unlocked his account, but the next morning he would be locked out again.

I’ll let you check the Kerberos article to check how to find out the source of the lockout. Put shortly it is just matter of finding which Domain Controller his account was locked out on and then checking the security log to determine from what machine.

So it appeared that a week before traveling to Toronto, he had a training and he logged onto a training computer and got out of the training without logging off. And prior his travel he also changed his password. While a daily unlocking by the helpdesk helped him to achieve his daily work, the training machine where he was logged onto would try to authenticate at the DC (with a previously cached password) and lock him out.

This really demonstrates some issues of Windows Logon management (Active Directory based aka the ms windows directory service). And here I am thinking of logon/logoff control. It would have helped in this case to know where his account was currently logged to. If you wanted to do so you would have to collect logs of all workstations or other resource machines.

The Microsoft directory doesn’t allow concurrent logon control. Well there are some tools given by Microsoft to manage this but so far my tries to make them work were unsuccessful (cconnect). Because when logging the directory only checks the validity of the logon, this doesn’t allow to make any reporting of who is logged where and for how long. This limits somehow your (system admins) ability to control credential sharing issues or just to enforce accountability for users action on different machines.

Those are not the only lacks of the Windows directory. Along with the lack of logon/logoff reporting, there is no session control on workstation. Of course as an Domain Admin you can log off someone but this is a tedious task if you had to logoff 100 users for security reasons. A little logon session monitoring would be helpful as for now you would have to check open session on several servers to do so and DCs do not keep track of current logon sessions anyway.

With that we can also talk about the fact that there is no automated way to logoff users on unattended workstations. And without saying anything about the fact that it is good to free up resources I see it as a threat as a terminated users that left his workstation locked would be able to unlock it – even if this user account is now gone from AD or just disabled.

The only manageable part of logon with Windows directory is time of logon and and workstations logon permission. However this is only feasible by user only. This doesn’t make management easy and it would be interesting to be able to control those restriction per groups.

Yet, Windows Directory is pretty comfortable to manange and use but it could use some more logon controlling to enforce more security and control over users/hackers attempts/mistakes with logon.

Note: I have limited hands on windows 2008 servers but I don’t remember seeing too much changes as far as logon control goes. Please feel free to update!