Monday, October 27, 2014

.NET 4.5 Installation failed with error code: (0x800B010B), "Generic trust failure"


Microsoft .NET Framework 4.0 Updates/Patches might fail during installation with the following error message "Generic trust failure."

As per the install failure log:
                           

C:\4048b65f65ff4dcceb\NDP40-KB2656405.msp - Signature verification for file NDP40-KB2656405.msp (c:\4048b65f65ff4dcceb\NDP40-KB2656405.msp) failed with error 0x800b010e (The revocation process could not continue - the certificate(s) could not be checked.)
[8/9/2012, 9:55:26] c:\4048b65f65ff4dcceb\NDP40-KB2656405.msp Signature could not be verified for NDP40-KB2656405.msp
[8/9/2012, 9:55:26]No FileHash provided. Cannot perform FileHash verification for NDP40-KB2656405.msp
File NDP40-KB2656405.msp (c:\4048b65f65ff4dcceb\NDP40-KB2656405.msp), failed authentication. (Error = -2146762482). It is recommended that you delete this file and retry setup again.
[8/9/2012, 9:55:26]Failed to verify and authenticate the file -c:\4048b65f65ff4dcceb\NDP40-KB2656405.msp 
Final Result: Installation failed with error code: (0x800B010B), "Generic trust failure. "
 
                            
The error code above translates to the following:
# for decimal -2146762482 / hex 0x800b010e
  CERT_E_REVOCATION_FAILURE                                     
# The revocation process could not continue - the
# certificate(s) could not be checked.

Make sure that the following registry value is set on the system:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State
If .NET still fails to install with this setting, also change the following registry value:
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State

The DWORD State value is 23c00.
This value indicates that revocation checks occur when validating the Authenticode digital signatures on downloaded programs and ActiveX controls. You can find the corresponding settings in Internet Explorer:
Under Tools, Internet Options, Advanced tab, you will find the two options which control revocation checking. "Check for server certificate revocation" controls whether revocation checks occur for HTTPS connections. "Check for publisher's certificate revocation" controls whether revocation checks occur when validating the Authenticode digital signatures on downloaded programs and ActiveX controls.
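
The State value is a bit mask, so the meaning of 23c00 can be read off flag by flag. The PowerShell below is an added example, not part of the original post: it converts the signed error code from the log to its hex form and decodes the State value in both hives named above. The flag names and values are the WTPF_* constants from the Windows SDK header wintrust.h; the function names are made up for this example.

```powershell
# Added example: read-only diagnostic, changes nothing on the system.
# WTPF_* flag values as defined in the Windows SDK header wintrust.h.
$WtpfFlags = @(
    @{ Name = 'WTPF_TRUSTTEST';            Value = 0x00000020 },
    @{ Name = 'WTPF_TESTCANBEVALID';       Value = 0x00000080 },
    @{ Name = 'WTPF_IGNOREEXPIRATION';     Value = 0x00000100 },
    @{ Name = 'WTPF_IGNOREREVOKATION';     Value = 0x00000200 },
    @{ Name = 'WTPF_OFFLINEOK_IND';        Value = 0x00000400 },
    @{ Name = 'WTPF_OFFLINEOK_COM';        Value = 0x00000800 },
    @{ Name = 'WTPF_OFFLINEOKNBU_IND';     Value = 0x00001000 },
    @{ Name = 'WTPF_OFFLINEOKNBU_COM';     Value = 0x00002000 },
    @{ Name = 'WTPF_VERIFY_V1_OFF';        Value = 0x00010000 },
    @{ Name = 'WTPF_IGNOREREVOCATIONONTS'; Value = 0x00020000 },
    @{ Name = 'WTPF_ALLOWONLYPERTRUST';    Value = 0x00040000 }
)

# Convert a signed 32-bit error code from the setup log to HRESULT hex notation.
function ConvertTo-HResultHex {
    param([int]$Code)
    return ('0x{0:X8}' -f $Code)
}

# Return the names of all WTPF_* flags that are set in a State value.
function Get-WinTrustFlagNames {
    param([int]$State)
    $WtpfFlags |
        Where-Object { ($State -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Name }
}

# The decimal code from the failure log above is the same error as 0x800B010E.
'Log error -2146762482 = {0}' -f (ConvertTo-HResultHex -Code (-2146762482))

# Check the State value in both hives mentioned in the post.
$subKey = 'Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
foreach ($hive in 'HKEY_CURRENT_USER', 'HKEY_USERS\.Default') {
    $item = Get-ItemProperty -Path "Registry::$hive\$subKey" -Name State -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        '{0}: State value not found' -f $hive
        continue
    }

    $state = [int]$item.State
    # WTPF_IGNOREREVOKATION (0x200) clear means publisher revocation checks are performed.
    $revocation = if (($state -band 0x200) -ne 0) { 'skipped' } else { 'performed' }

    '{0}: State = 0x{1:X}, matches 23c00: {2}, publisher revocation check: {3}' -f `
        $hive, $state, ($state -eq 0x23c00), $revocation
    '  flags set: {0}' -f ((Get-WinTrustFlagNames -State $state) -join ', ')
}
```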


Monday, April 14, 2014

How to Fix Windows 7 Temp Issue on Workgroup and Domain Environment

1) Before doing anything, restart the computer 2 or 3 times to see whether it goes back to your old correct profile. Go to the next step if this doesn't work.

2) Rename the temp profile registry key and revert to the old registry settings for the correct profile. This method works most of the time for me in workgroup and domain environments.
a)      Log in with the temp profile.
b)      Start Registry Editor by typing regedit in the search box of Windows 7.
c)      Navigate to the following location.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList


d)      You will see similar keys under profile list, but one with .bak, as shown below.

S-1-5-21-3638959669-675261535-3562552805-1000.bak = Correct profile


e)      The key with .bak is for the correct old profile. Your Windows 7 computer is currently logged in with a fresh (temporary) profile under the same key. So, rename the new profile key (the one without .bak) and remove .bak from the correct profile key.

f)      That's it. Log off and log in (or restart) with your user name and password. You should get your correct profile with icons and profile settings back in Windows 7, if you are lucky enough.
If the Windows 7 computer still loads with a temporary profile and creates a registry key with .bak, the user profile is really corrupted and the operating system is not reading it properly.


3) Repair the corrupted files; this method has worked for me a few times. Usually corrupted 'Ntuser' files cause this issue. So, run check disk on the partition that holds the user profile.

After restarting for check disk, if you see corrupted entries and repairing process inside your user profile folder, then you can hope for good news here. If it finds and repairs any files especially Ntuser files, you may get your old Windows 7 profile back.

If above steps do not help you out, then we need to create a new profile with new user name.
Basically we need to create a new user account, login with it and transfer the data from old user profile to new user profile. It is easy in workgroup environment as you can create new user name locally, but it is tricky in domain environment. Because, the existing user account is already there on domain server and nothing wrong with it. Also, creating a new different domain user account will cause issues on corporate emails, domain groups membership and shared permissions.
So, we need to treat both cases separately.

4) Create a new user name in a non-domain (workgroup) environment from Control Panel or Computer Management. Make sure to add the new user to the Administrators group.
Log in with the new user name and start copying your old data from the old profile. I normally copy the data below:
a) My Documents (Music, videos and downloads)
b) Desktop
c) Favorites
d) Any Outlook PST files (find more information about location of PST files here)
But Microsoft suggests copying the entire old user profile (except 3 files), as shown in this official site link.

5) New user profile in a domain environment.
Since we can't delete and create a new domain user account for this purpose, we will work on the client computer only. Let's completely remove the user profile and re-create it.
Copy the important user data (a to d in step 4 above) or entire folders from the corrupted profile to a new location. Double-check that you have copied all required folders and files from the old profile, because we are going to delete it now.

Go to Advanced settings of System, click on Settings (user profiles), select the corrupted user profile which is not loading properly in Windows 7, then press the Delete button. The Delete button will be enabled only if you log in with a different user account.

This will remove the entire user profile and related user SID from the computer, including the registry keys we talked about earlier. You can cross-check the proper removal of the user account (SID) by checking the C:\Users folder. Once it is removed properly, restart the computer and log in with the same user name (which was not loading earlier). The computer should create a new user profile as this is the first time the user is logging on. You need to copy back your old important data to the new profile and set up Outlook email etc. if required.
I hope these tips help to fix temporary profile issue on Windows 7.
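
Before renaming anything in step 2, it helps to see which ProfileList keys are paired and where each one points. The PowerShell below is an added example, not part of the original post: it only reads the ProfileList key named above and reports each "<SID>.bak" key next to the plain "<SID>" key that replaced it. The function name is made up for this example.

```powershell
# Added example: read-only listing, no registry key is renamed or deleted.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Describe one ProfileList subkey: its name, the folder it points to,
# and whether that folder still exists on disk.
function Get-ProfileEntry {
    param($Key)
    $path = (Get-ItemProperty -Path $Key.PSPath).ProfileImagePath
    $exists = $false
    if ($path) { $exists = Test-Path -LiteralPath $path }
    New-Object PSObject -Property @{
        KeyName          = $Key.PSChildName
        ProfileImagePath = $path
        FolderExists     = $exists
    }
}

$keys    = @(Get-ChildItem -Path $base)
$bakKeys = @($keys | Where-Object { $_.PSChildName -like '*.bak' })

if ($bakKeys.Count -eq 0) {
    'No .bak profile keys found under ProfileList.'
}

foreach ($bak in $bakKeys) {
    # The temporary profile uses the same SID without the .bak suffix.
    $sid  = $bak.PSChildName -replace '\.bak$', ''
    $temp = $keys | Where-Object { $_.PSChildName -eq $sid }

    $old = Get-ProfileEntry -Key $bak
    'Old profile key : {0} -> {1} (folder exists: {2})' -f `
        $old.KeyName, $old.ProfileImagePath, $old.FolderExists

    if ($temp) {
        $new = Get-ProfileEntry -Key $temp
        'Temp profile key: {0} -> {1} (folder exists: {2})' -f `
            $new.KeyName, $new.ProfileImagePath, $new.FolderExists
    } else {
        'Temp profile key: none found for {0}' -f $sid
    }
}
```

If the old key's folder no longer exists, renaming the keys will not bring the profile back and the later steps apply.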

Friday, February 28, 2014

Removing a failed DC from Active Directory

When you try to remove a domain controller from your Active Directory domain by using Dcpromo.exe and fail, or when you began to promote a member server to be a Domain Controller and failed (the reasons for your failure are not important for the scope of this article), you will be left with remnants of the DC's object in Active Directory. As part of a successful demotion process, the Dcpromo wizard removes the configuration data for the domain controller from Active Directory, but as noted above, a failed Dcpromo attempt might leave these objects in place.

The effects of leaving such remnants inside Active Directory may vary, but one thing is sure: whenever you try to re-install the server with the same computer name and promote it to a Domain Controller, you will fail, because the Dcpromo process will still find the old object and will therefore refuse to re-create the objects for the new-old server.
In the event that the NTDS Settings object is not removed correctly, you can use the Ntdsutil.exe utility to manually remove the NTDS Settings object.

If you give the new domain controller the same name as the failed computer, then you need perform only the first procedure to clean up metadata, which removes the NTDS Settings object of the failed domain controller. If you will give the new domain controller a different name, then you need to perform all three procedures: clean up metadata, remove the failed server object from the site, and remove the computer object from the domain controllers container.

You will need the following tools: Ntdsutil.exe, Active Directory Sites and Services, Active Directory Users and Computers. Also, make sure that you use an account that is a member of the Enterprise Admins universal group.

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

To clean up metadata
  1. At the command line, type Ntdsutil and press ENTER.
C:\WINDOWS>ntdsutil
ntdsutil:
  2. At the Ntdsutil: prompt, type metadata cleanup and press Enter.
ntdsutil: metadata cleanup
metadata cleanup:
  3. At the metadata cleanup: prompt, type connections and press Enter.
metadata cleanup: connections
server connections:
  4. At the server connections: prompt, type connect to server <servername>, where <servername> is the domain controller (any functional domain controller in the same domain) from which you plan to clean up the metadata of the failed domain controller. Press Enter.
server connections: connect to server server100
Binding to server100 ...
Connected to server100 using credentials of locally logged on user.
server connections:
Note: Windows Server 2003 Service Pack 1 eliminates the need for the above step.
  5. Type quit and press Enter to return to the metadata cleanup: prompt.
server connections: q
metadata cleanup:
  6. Type select operation target and press Enter.
metadata cleanup: Select operation target
select operation target:
  7. Type list domains and press Enter. This lists all domains in the forest with a number associated with each.
select operation target: list domains
Found 1 domain(s)
0 - DC=Microsoft,DC=com
select operation target:
  8. Type select domain <number>, where <number> is the number corresponding to the domain in which the failed server was located. Press Enter.
select operation target: Select domain 0
No current site
Domain - DC=Microsoft,DC=com
No current server
No current Naming Context
select operation target:
  9. Type list sites and press Enter.
select operation target: List sites
Found 1 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=microsoft,DC=com
select operation target:
  10. Type select site <number>, where <number> refers to the number of the site in which the domain controller was a member. Press Enter.
select operation target: Select site 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Microsoft,DC=com
Domain - DC=Microsoft,DC=com
No current server
No current Naming Context
select operation target:
  11. Type list servers in site and press Enter. This will list all servers in that site with a corresponding number.
select operation target: List servers in site
Found 2 server(s)
0 - CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Microsoft,DC=com
1 - CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Microsoft,DC=com
select operation target:
  12. Type select server <number> and press Enter, where <number> refers to the domain controller to be removed.
select operation target: Select server 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Microsoft,DC=com
Domain - DC=Microsoft,DC=com
Server - CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Microsoft,DC=com
 DSA object - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Microsoft,DC=com
 DNS host name - server200.microsoft.com
 Computer object - CN=SERVER200,OU=Domain Controllers,DC=Microsoft,DC=com
No current Naming Context
select operation target:
  13. Type quit and press Enter. The Metadata cleanup menu is displayed.
select operation target: q
metadata cleanup:
  14. Type remove selected server and press Enter.
You will receive a warning message. Read it, and if you agree, press Yes.
metadata cleanup: Remove selected server
"CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Microsoft,DC=com" 
removed from server "server100"
metadata cleanup:
At this point, Active Directory confirms that the domain controller was removed successfully. If you receive an error that the object could not be found, Active Directory might have already removed the domain controller.
  15. Type quit, and press Enter until you return to the command prompt.

To remove the failed server object from the sites
  1. In Active Directory Sites and Services, expand the appropriate site.
  2. Delete the server object associated with the failed domain controller.

To remove the failed server object from the domain controllers container
  1. In Active Directory Users and Computers, expand the domain controllers container.
  2. Delete the computer object associated with the failed domain controller.

  3. Windows Server 2003 AD might display a new type of question window, asking you if you want to delete the server object without performing a DCPROMO operation (which, of course, you cannot perform, otherwise you wouldn't be reading this article, would you...) Select "This DC is permanently offline..." and click on the Delete button.

  4. AD will display another confirmation window. If you're sure that you want to delete the failed object, click Yes.

To remove the failed server object from DNS
  1. In the DNS snap-in, expand the zone that is related to the domain from where the server has been removed.
  2. Remove the CNAME record in the _msdcs.root domain of forest zone in DNS. You should also delete the HOSTNAME and other DNS records.

  3. If you have reverse lookup zones, also remove the server from these zones.

Other considerations
Also, consider the following:
  • If the removed domain controller was a global catalog server, evaluate whether application servers that pointed to the offline global catalog server must be pointed to a live global catalog server.
  • If the removed DC was a global catalog server, evaluate whether an additional global catalog must be promoted to address the site, the domain, or the forest global catalog load.
  • If the removed DC was a Flexible Single Master Operation (FSMO) role holder, relocate those roles to a live DC.
  • If the removed DC was a DNS server, update the DNS client configuration on all member workstations, member servers, and other DCs that might have used this DNS server for name resolution. If it is required, modify the DHCP scope to reflect the removal of the DNS server.
  • If the removed DC was a DNS server, update the Forwarder settings and the Delegation settings on any other DNS servers that might have pointed to the removed DC for name resolution.

Friday, January 17, 2014

CertUtil commands for Certificate Authorities

View Intermediate CA certificate store

To view the content of the client computer’s Intermediate Certification Authorities certificate store, type the following command at a command-line prompt.
C:\Windows\System32>certutil -enterprise -viewstore CA

View NTAuth Container

To view the content of the NTAuth container in AD DS for a domain named Corp.contoso.com, you would type the following command on a single line and press ENTER:
C:\Windows\System32>certutil -viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com"

NTAuth update

To update the content of the NTAuth container in AD DS for a domain controller, you would type the following command on a single line and press ENTER:

C:\Windows\System32>certutil -dspublish -f "the_certificate" NTAuthCA

View Trusted Root CAs

To view the content of the client computer’s Trusted Root Certification Authorities Enterprise certificate store, type the following command at a command-line prompt.
C:\Windows\System32>certutil -enterprise -viewstore Root

Add Trusted Root CAs

To add a certificate to the client computer's Trusted Root Certification Authorities Enterprise certificate store, type the following command at a command-line prompt.
C:\Windows\System32>certutil -addstore Root "Certificate name"

View Domain Controller cert status

To view the status of the Domain Controller certificates, type the following command at a command-line prompt.
C:\Windows\System32>certutil -dcinfo verify

Check Domain Controller cert revocation status

To check for these conditions:
  • Open the certificate, click on the details tab, and select "Copy to file" to export the certificate (DER format is fine). At the command prompt, run:
    C:\Windows\System32>Certutil -verify -urlfetch SERVER.cer

Tuesday, January 14, 2014

2008 DC Status Unavailable when changing directory servers

Problem:

Hello, while upgrading our Active Directory infrastructure to Server 2008 R2 I noticed whenever I right-click on my domain, from one of the roles, and choose "Change Domain Controller", and the Change Directory Server menu comes up, it shows one of my W2K8 DC's status as being "Unavailable". Why is that? It does not prevent me from managing them or performing any function that I know of. I have the firewalls off, thinking it was some kind of SNMP traffic, but that didn't change anything.



Resolved:

This "status unavailable" can occur if you have disabled the IPv6 bindings on your NICs but not disabled IPv6 components. You can disable IPv6 components by editing the registry and setting the following value. NOTE: Always back up your registry in case something goes wrong! If you feel comfortable enough that you are capable, then go for it, otherwise let a good SysAdmin do the work!

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters

REG_DWORD: DisabledComponents, 0xFFFFFFFF (4294967295)

Removing a trusted Certificate Authority from “Trusted Root Certification Authorities” certificate store in Active Directory

Problem
You have previously deployed multiple Active Directory Enterprise Root Certificate Authorities in the domain and because you’ve had to redeploy the CA a few times using the same name, you notice that your domain joined workstations and servers now have multiple root certificates stored in the Trusted Root Certification Authorities certificate store:

Solution
I was unsure as to whether there was an easy way to remove these root certificates in the Trusted Root Certification Authorities certificate store so I went ahead and reached out to our Microsoft partner support and the response I received was to review the following KB article:
How to remove a trusted Certificate Authority from computers in the domain: http://support.microsoft.com/kb/555894
The article's instructions appear to be pretty straightforward, as it demonstrates the use of a batch file and script to automate the process.

The first step was to download the following SDK:
Download: Platform SDK Redistributable: CAPICOM http://www.microsoft.com/en-us/download/details.aspx?id=25281
The problem I immediately noticed was that there were a few typos in the script (namely the removeca.vbs filename):
… and when I finally launched it on a Windows 7 64-bit desktop, it would error out with:

C:\Temp\RemoveCA>c:\windows\system32\regsvr32 capicom.dll /s
C:\Temp\RemoveCA>cscript remove.vbs
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.
C:\Temp\RemoveCA\remove.vbs(13, 1) Microsoft VBScript runtime error: ActiveX com
ponent can't create object: 'CAPICOM.Store'
C:\Temp\RemoveCA>

Since it looks like Microsoft suggests to use logon scripts to clean up these root certificates, I simply went ahead and looked into using the certutil.exe command to remove certificates and then created a simplified batch file to remove the entries.
The first step was to determine the right syntax and it took quite a bit of time because I did not find the following TechNet article too straightforward:
http://technet.microsoft.com/en-us/library/cc732443(v=ws.10).aspx
In any case, the proper syntax is the following:
certutil -delstore -enterprise root "<Serial number>"
The command above will remove the certificate located in the Trusted Root Certification Authorities Computer Store of the workstation on which you execute this command.  To determine the serial number, simply open up the certificate's properties and navigate to the Details tab, then select the Serial number field.

Copy the serial number and slot it into the end of the command with added quotes:
certutil -delstore -enterprise root "5f 92 5c 79 5a 90 49 bc 4e e7 f7 96 fb c7 de 62"

Once the command successfully executes (it doesn’t take long), you will see the following output:
C:\>certutil -delstore -enterprise root "5f 92 5c 79 5a 90 49 bc 4e e7 f7 96 fb c7 de 62"
root
Deleting Certificate 5
CertUtil: -delstore command completed successfully.
C:\>
Proceed with testing this on a workstation with all of the certificates you intend on deleting one after another and copying and pasting the command into notepad as such:
certutil -delstore -enterprise root "55 8c 2e b5 cc ae 92 89 41 5b 25 33 f7 ef 6c 2e"
certutil -delstore -enterprise root "79 7a f4 a9 9e 81 79 ba 44 b5 91 bc 85 d0 b0 df"
certutil -delstore -enterprise root "58 35 46 65 2a 6e 47 93 48 31 62 3a 49 83 eb 24"
certutil -delstore -enterprise root "27 77 84 a8 49 39 3c b2 4e c7 e9 47 8f 1b 52 60"
certutil -delstore -enterprise root "58 ed e0 1e 68 68 06 a2 4b d3 14 5d 11 f2 7a 85"
certutil -delstore -enterprise root "2e cc 73 20 fe 05 0a 88 44 d8 fb 3a 96 1a 99 5a"
certutil -delstore -enterprise root "25 a5 76 4c c6 fb ca 8a 4d c1 bd 46 e4 9c 3c 37"
certutil -delstore -enterprise root "60 15 e8 95 34 09 ff a3 42 16 26 9a fc fd 67 29"
certutil -delstore -enterprise root "5f 92 5c 79 5a 90 49 bc 4e e7 f7 96 fb c7 de 62"

Once you have removed all of the certificates, save the notepad file as a batch file, then take it to another workstation and execute it, verifying that all of the certificates you intend on deleting are removed.  Once you have validated that the batch file works as intended, proceed with creating a new GPO in your Active Directory and apply it to the OU with the workstations you want the certificates removed from.

Note that I applied this batch file to the following policy setting:

Computer Configuration –> Policies –> Windows Settings –> Scripts –> Startup

Hope this helps anyone looking for a way to clean up their root certificates.
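
Collecting the serial numbers by hand from each certificate's Details tab is error-prone when several roots share one name. The PowerShell below is an added example, not part of the original post or the KB article: it lists root certificates on the local workstation that share a Subject and prints a candidate certutil line, in the syntax shown above, for every copy except the newest. It assumes the most recently issued certificate is the live CA, which must be confirmed against the current CA certificate before any line is used; the function name is made up for this example.

```powershell
# Added example: read-only. Lists root certificates that share a Subject and
# prints candidate certutil commands for review; it deletes nothing.
#
# Cert:\LocalMachine\Root is the merged (logical) view of the computer's root
# store. An entry may come from a physical store other than Enterprise, in
# which case the "-enterprise" command printed here will not find it.

# Format "5F925C..." as "5f 92 5c ..." to match the serial numbers shown above.
function Format-Serial {
    param([string]$Serial)
    $pairs = [regex]::Matches($Serial.ToLower(), '..') | ForEach-Object { $_.Value }
    return ($pairs -join ' ')
}

$roots = Get-ChildItem -Path Cert:\LocalMachine\Root
$dupes = @($roots | Group-Object -Property Subject | Where-Object { $_.Count -gt 1 })

if ($dupes.Count -eq 0) {
    'No root certificates with a duplicated Subject were found.'
}

foreach ($group in $dupes) {
    # Newest first. Assumption: the newest certificate belongs to the CA
    # that is currently deployed; verify its thumbprint on the CA itself.
    $sorted = @($group.Group | Sort-Object -Property NotBefore -Descending)
    $keep   = $sorted[0]

    'Subject: {0}' -f $group.Name
    '  keep (assumed current): serial {0}, valid from {1:yyyy-MM-dd}, thumbprint {2}' -f `
        (Format-Serial $keep.SerialNumber), $keep.NotBefore, $keep.Thumbprint

    foreach ($old in $sorted[1..($sorted.Count - 1)]) {
        '  older copy: valid from {0:yyyy-MM-dd} to {1:yyyy-MM-dd}, thumbprint {2}' -f `
            $old.NotBefore, $old.NotAfter, $old.Thumbprint
        '    certutil -delstore -enterprise root "{0}"' -f (Format-Serial $old.SerialNumber)
    }
}
```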

Wednesday, January 8, 2014

Configuring KMS Server for Windows Server 2008 R2, Windows 7, and Office 2010 Enterprise Sites

Thanks to PeteNetLive for this write-up. Because of the environment I work in I couldn't produce any screenshots; his write-up provided them! Good job!

Given the amount of deployments I do, it's surprising that I don't use KMS more often. Like most technical types, I find a way that works for me, and that's the way I do things from then on. However these last few weeks I've been putting in a new infrastructure for a local secondary school. Their internet access is through a proxy server, that refuses to let Windows activation work. Unfortunately the "Administrators" of this proxy server were not disposed to give me any help, or let me anywhere near it, to fix it.
So after activating a dozen servers over the phone, I decided enough was enough "I'm putting in a KMS Server!"
I'm deploying KMS on Windows Server 2008 R2, and it is for the licensing and activation of Server 2008 R2 and Windows 7. I will also add in the licensing KMS mechanism for Office 2010 as well.
Note: If you are using Server 2003 it will need SP1 (at least) and this update.

Solution

To be honest it's more difficult to find out how to deploy a KMS server, than it actually is to do. I've gone into a fair bit of detail below but most of you will simply need to follow steps 1-4 (immediately below). In addition, after that I've outlined how to deploy KMS from command line. Then how to test it, and finally how to add Microsoft Office 2010 Licenses to the KMS Server.

Install Microsoft Windows 2008 R2 Key Management Service (EASY)

1. The most difficult part is locating your KMS Key! If you have a Microsoft License agreement, log into the Microsoft Volume License Service Center, and retrieve the KMS License Key for "Windows Server 2008 Std/Ent KMS B"
Note: To License/Activate Server 2008 R2 AND Windows 7 THIS IS THE ONLY KEY YOU NEED. You do NOT need to add additional keys for Windows 7. (You DO for Office 2010, but I'll cover that below).

2. Armed with your new key, you simply need to change the product key on the server that will be the KMS server, to the new key. Start > Right Click "Computer" > Properties. (Or Control Panel > System). Select "Change Product Key" > Enter the new KMS Key > Next.

3. You will receive a warning that you are using a KMS Key > OK. You may now need to activate your copy of Windows with Microsoft, this is done as normal, if you can't get it to work over the internet you can choose to do it over the phone.

4. In a corporate environment (behind an edge firewall) you may have the local firewall disabled on the server. If you do NOT then you need to allow access through the local firewall for the "Key Management Service" (this runs over TCP port 1688). To allow the service, Start > Firewall.cpl {enter} > "Allow program or feature through Windows Firewall" > Tick Key Management Service > OK.
Note: Should you wish to change the port the service uses, you can do so with the following command, i.e. to change it to TCP Port 1024;
cscript c:\Windows\System32\slmgr.vbs /SPrt 1024
That's It! That is all you should need to do, your KMS Server is up and running.

Install Microsoft Windows 2008 R2 Key Management Service from Command Line

You will notice below that I'm running these commands from command windows running as administrator (Right click "Command Prompt" > Run as administrator).
1. Locate your "Windows Server 2008 Std/Ent KMS B" Key > From command line issue the following command;
cscript c:\Windows\System32\slmgr.vbs /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
Note: To License/Activate Server 2008 R2 AND Windows 7 THIS IS THE ONLY KEY YOU NEED. You do NOT need to add additional keys for Windows 7. (You DO for Office 2010, but I'll cover that below).

2. Providing the command runs without error, we have just changed the product key for this Windows server to be the KMS key.

3. Now we need to activate the Windows Server > Run the following command;
c:\Windows\System32\slui.exe
Select "Activate Windows online now" > Follow the on screen prompts.

4. When complete, it should tell you that it was successfully activated.

5. In a corporate environment (behind an edge firewall) you may have the local firewall disabled on the server. If you do NOT then you need to allow access through the local firewall for the "Key Management Service" (this runs over TCP port 1688). To allow the service, Start > Firewall.cpl {enter} > "Allow program or feature through Windows Firewall" > Tick Key Management Service > OK.
Note: Should you wish to change the port the service uses, you can do so with the following command, i.e. to change it to TCP Port 1024;
cscript c:\Windows\System32\slmgr.vbs /SPrt 1024
That's It! That is all you should need to do, your KMS Server is up and running.

Testing the Key Management Server

Before it will start doing what you want it to, you need to meet certain thresholds: with Windows 7 clients it WON'T work till it has had 25 requests from client machines. If you are making the requests from Windows 2008 Servers then the count is 5. (Note: For Office 2010 the count is 5 NOT 25)
Interestingly: On my test network I activated five Windows 7 machines, then one server, and it started working.
Windows 7 and Windows 2008 R2 have KMS Keys BUILT INTO THEM, if you are deploying/imaging machines you should not need to enter a key into them (unless you have entered a MAK key on these machines then you will need to change it to a client KMS Key). These are publicly available (see here).
1. The service works because it puts an SRV record in your DNS, when clients want to activate, they simply look for this record before they try and activate with Microsoft, if they find the record, they activate from your KMS Server instead. If you look on your domain DNS servers, expand "Forward Lookup Zones" > {your domain name} > _tcp > You will see an entry for _VLMCS that points to your KMS Server.

2. From your client machines you can test that they can see the SRV record, by running the following command;
nslookup -type=srv _vlmcs._tcp
Note: If this fails, can your client see the DNS server? And is it in the domain?

3. There is no GUI console for KMS to see its status, so run the following command on the KMS server;
cscript c:\Windows\System32\slmgr.vbs /dli

4. As I've mentioned above, with Windows clients you need 25, and with Windows Servers you will need 5 requests before KMS will work. Before this you will see:
Windows Activation
A problem occurred when Windows tried to activate. Error Code 0xC004F038

5. For each of these failures, look on the KMS Server, and the "Current count" will increment by 1 (till it starts to work). In a live environment this won't be a problem (you probably won't be looking at KMS with less than 25 clients!). On a test network just clone/deploy a load of machines until you hit the threshold.
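
A client can find the SRV record and still fail to activate if the firewall exception from the install steps is missing. The PowerShell below is an added example, not part of the original write-up: run on a client, it parses the output of the nslookup command from step 2 and then tries a TCP connection to each host and port the record advertises. The function names are made up for this example, and the parsing assumes nslookup's standard English "port =" and "svr hostname =" output lines.

```powershell
# Added example: read-only checks run from a KMS client. Nothing is changed.

# Parse "nslookup -type=srv _vlmcs._tcp" output into target/port pairs.
# $Domain is optional; without it the client's DNS suffix search list is used,
# exactly as with the nslookup command shown in step 2.
function Get-KmsSrvRecord {
    param([string]$Domain = '')
    $name = '_vlmcs._tcp'
    if ($Domain) { $name = "$name.$Domain" }

    $records = @()
    $port = $null
    foreach ($line in (& nslookup.exe "-type=srv" $name 2>$null)) {
        if ($line -match '^\s*port\s*=\s*(\d+)') {
            $port = [int]$Matches[1]
        } elseif ($line -match '^\s*svr hostname\s*=\s*(\S+)') {
            $records += New-Object PSObject -Property @{ Target = $Matches[1]; Port = $port }
            $port = $null
        }
    }
    return $records
}

# Try a TCP connection with a timeout; returns $true only if it connects.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$records = @(Get-KmsSrvRecord)
if ($records.Count -eq 0) {
    'No _vlmcs._tcp SRV record found: check that the client uses the domain DNS servers.'
}

foreach ($r in $records) {
    $reachable = Test-TcpPort -HostName $r.Target -Port $r.Port
    '{0}:{1} reachable over TCP: {2}' -f $r.Target, $r.Port, $reachable
    if ($r.Port -ne 1688) {
        '  note: the record advertises a non-default port (the default is 1688).'
    }
    if (-not $reachable) {
        '  check the Key Management Service firewall exception on the KMS server.'
    }
}
```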

 

Troubleshooting KMS Clients

To make things simple the command to execute on the clients, is the same command that you run on the KMS server to check the status.
cd c:\windows\system32
slmgr /dli
For further troubleshooting, see the following links.

Adding an Office 2010 KMS Key to Your KMS Server.

In addition to servers and clients, KMS can activate and handle Office 2010 licenses as well. You simply need to add in Office support, and your Office 2010 KMS key. As mentioned above, unlike Windows clients, you only need five requests to the KMS server before it will start activating Office 2010 normally.
If you want a KMS Server for JUST OFFICE 2010 and not Windows, then simply install and run the Office 2010 Key Management Service Host.
1. First locate your Office 2010 KMS Key! If you have a Microsoft License agreement, log into the Microsoft Volume License Service Center, and retrieve the KMS License Key for "Office 2010 Suites and Apps KMS"
Note: As with Windows 7, and Server 2008 R2, Office 2010 comes with a KMS key already installed, if you have changed the key to a MAK key you can change it back using the Microsoft public KMS keys (see here).

KMS Office 2010 License Pack

3. When prompted type/paste in your "Office 2010 Suites and Apps KMS" product key > OK.

4. It should accept the key.

5. Press {Enter} to close.

6. Once you have five Office 2010 installations they should start to activate from your KMS server.

Troubleshooting Office 2010 KMS Activation

If you have a client that refuses to work you can manually force it to activate against your KMS server;
x64 Bit Clients. (Where kms.domaina.com is the FQDN of the KMS server)
cscript "C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS" /sethst:kms.domaina.com
cscript "C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS" /act
 
x32 Bit Clients. (Where kms.domaina.com is the FQDN of the KMS server)
cscript "C:\Program Files\Microsoft Office\Office14\OSPP.VBS" /sethst:kms.domaina.com
cscript "C:\Program Files\Microsoft Office\Office14\OSPP.VBS" /act