Authentication for multiple AD domains

Hello,
Currently we have MS AD datasource as UME for all our internal portal users. We also have SPNego set up for authentication for our EP 7.0. The user path and group path is of the form dc=dom1 dc=company dc=domain dc=com.
Now we are planning to add additional domains to authenticate users.
Will the configuration differ if they are maintained on a different LDAP server altogether or when only the user and group paths are different for the new domains as shown below? The user path and group path is of the form dc=dom2,dc=company,dc=domain,dc=com and dc=dom3,dc=company,dc=domain,dc=com.
It seems that we have to change the datasource file for the additional LDAP scenario. But are both of these the same? Would appreciate it if someone could clarify this.
Rgds

Vineeth,
Within the 1 file, you can set up n-number of datasources. Below is an example.
As for having SPNego work for only 1 of those datasources (AD domains), I can't say if that will work. We have SPNego working for all our domains. There is probably something you can do within AD or your domain controller to limit Kerberos authentication.
<?xml version="1.0" encoding="UTF-8"?>
<!-- $Id: //shared_tc/com.sapall.security/630_SP_COR/src/_deploy/dist/configuration/shared/dataSourceConfiguration_ads_readonly_db.xml#6 $ from $DateTime: 2004/08/20 09:55:24 $ ($Change: 17140 $) -->
<!DOCTYPE dataSources SYSTEM "dataSourceConfiguration.dtd">
<dataSources>
     <dataSource id="PRIVATE_DATASOURCE1" className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence" isReadonly="false" isPrimary="true">
          <homeFor>
               <principals>
                    <principal type="group"/>
                    <principal type="user"/>
                    <principal type="account"/>
                    <principal type="team"/>
                    <principal type="ROOT"/>
                    <principal type="OOOO"/>
               </principals>
          </homeFor>
          <notHomeFor/>
          <responsibleFor>
               <principals>
                    <principal type="group"/>
                    <principal type="user"/>
                    <principal type="account"/>
                    <principal type="team"/>
                    <principal type="ROOT"/>
                    <principal type="OOOO"/>
               </principals>
          </responsibleFor>
          <privateSection/>
     </dataSource>
    <dataSource id="PRIVATE_DATASOURCE2" className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence" isReadonly="false" isPrimary="true">
            <homeFor>
                <principals>
                    <principal type="group"/>
                    <principal type="user"/>
                    <principal type="account"/>
                    <principal type="team"/>
                    <principal type="ROOT"/>
                    <principal type="OOOO"/>
                </principals>
            </homeFor>
            <notHomeFor/>
            <responsibleFor>
                <principals>
                    <principal type="group"/>
                    <principal type="user"/>
                    <principal type="account"/>
                    <principal type="team"/>
                    <principal type="ROOT"/>
                    <principal type="OOOO"/>
                </principals>
            </responsibleFor>
            <privateSection/>
    </dataSource>
    <dataSource id="PRIVATE_DATASOURCE3" className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence" isReadonly="false" isPrimary="true">
            <homeFor>
                <principals>
                    <principal type="group"/>
                    <principal type="user"/>
                    <principal type="account"/>
                    <principal type="team"/>
                    <principal type="ROOT"/>
                    <principal type="OOOO"/>
                </principals>
            </homeFor>
            <notHomeFor/>
            <responsibleFor>
                <principals>
                    <principal type="group"/>
                    <principal type="user"/>
                    <principal type="account"/>
                    <principal type="team"/>
                    <principal type="ROOT"/>
                    <principal type="OOOO"/>
                </principals>
            </responsibleFor>
            <privateSection/>
    </dataSource>
</dataSources>

Similar Messages

  • Lync 2013 certificate requirements for multiple SIP domains

    Hi All,
    I am engaged with a client in respect of a Lync 2013 implementation initially as a conferencing platform with a view to enabling EV functions (inc. PSTN conferencing) in the future. They initially need to support 30 SIP domains and eventually
    around 100 SIP domains which is proving to be either not possible or severely cost prohibitive. Their current certificate provider, Thawte, can only support up to 25 SANs and have quoted them 5 figures. We tend to use GeoTrust as they are cheaper but they
    appear to have a limit of 25 SANs. GoDaddy appear to support up to 100 SANs for a pretty reasonable cost. My questions are as follows:
    1. Is there a way that I’m missing of reducing the number of SANs required on the Edge server?
       a. Use aliases for access edge FQDNs - Supported by desktop client but not by other devices so not really workable
       b. Don’t support XMPP federation therefore removing the need for domain name FQDNs for each SIP domain
    2. Is there a way that I’m missing of reducing the number of SANs required on the Reverse Proxy server?
       a. Friendly URL option 3 from this page:
          http://technet.microsoft.com/en-us/library/gg398287.aspx
       b. Client auto-configuration:
          i. Don’t support mobile client auto-configuration in which case no lyncdiscover.sipdomain1.com DNS records or SANs would be required.
          ii. Support mobile client auto-configuration over HTTP only in which case CNAME records are required for each SIP domain (lyncdiscover.sipdomain1.com, etc. pointing to lyncdiscover.designateddomain.com) but no SANs are required.
          iii. Support mobile client auto-configuration over HTTPS in which case DNS records are required for each SIP domain and a SAN entry for each SIP domain is also required. This is because a DNS CNAME to another domain is not supported over HTTPS.
    3. If the answer to 1 and/or 2 is no, are there certificate providers that support over 100 SANs?
    4. How do certificate requirements differ when using the Lync 2013 hosting pack? I would think that this issue is something that a hosting provider would need to overcome.
    5. Would the Lync 2013 Hosting Pack work for this customer? The customer uses SPLA licensing so I think is eligible to use the hosting pack but not 100% sure it will work in their environment given that client connections are supposed to all come through the Edge where their tenants will be internal and also given the requirement for an ACP for PSTN conferencing.
    Many thanks,

    Many thanks for the response.
    I was already planning to use option 3 from the below page for simple URLs to cut down on SAN requirement.
    http://technet.microsoft.com/en-us/library/gg398287.aspx
    What are the security concerns for publishing autodiscover over port 80? I.e. Is this only used for the initial download of the discovery record and then HTTPS is used for authentication? This seems to be the case from the following note on the below page:
    http://technet.microsoft.com/en-gb/library/hh690030.aspx
    “Mobile device clients do not support multiple Secure Sockets Layer (SSL) certificates from different domains. Therefore, CNAME redirection to different domains is not supported over HTTPS. For example, a DNS CNAME record for lyncdiscover.contoso.com that redirects
    to an address of director.contoso.net is not supported over HTTPS.
    In such a topology, a mobile device client needs to use HTTP for the first request, so that the CNAME redirection is resolved over HTTP. Subsequent requests then use HTTPS. To support this scenario, you need to configure your reverse proxy with a web publishing
    rule for port 80 (HTTP).
    For details, see "To create a web publishing rule for port 80" in Configuring the Reverse Proxy for Mobility. CNAME redirection to the same domain is supported over HTTPS. In this case, the destination domain's certificate covers the originating
    domain.”
    I don’t think SRV records for additional SIP domain access edge is a workable solution as this is not supported by some devices.
    As per the below article:
    http://blog.schertz.name/2012/07/lync-edge-server-best-practices/
    “The recommended approach for external client Automatic Sign-In when supporting multiple SIP domains is to include a unique Access Edge FQDN for each domain name in the SAN field.  This is no longer a requirement (it was in OCS) as it is possible to
    create a DNS Service Locator Record (SRV) for each additional SIP domain yet have them all point back to the same original FQDN for the Access Edge service (e.g. sip.mslync.net). 
    This approach will trigger a security alert in Windows Lync clients which can be accepted by the user, but some other clients and devices are unable to connect when the Automatic Sign-In process returns a pair of SRV and Host (A) records which do not share
    the same domain namespace.  Thus it is still best practice to define a unique FQDN for each additional SIP domain and include that hostname in the external Edge certificate’s SAN field”.
    ===================
    1. Basically the requirement is to initially provide Lync conferencing services (minus PSTN conferencing) to internal, external, federated and anonymous participants with a view to providing PSTN conferencing and therefore enterprise voice services later.
    2. The customer currently supports close to 100 SMTP domains and wants to align their SIP domains with these existing domains. The structure of their business is such that “XXX IT Services” provide the IT infrastructure for a collection of companies who
    fall under the XXX umbrella but are very much run as individual entities.
    Question:
    Would you agree that I’m going to need a SAN for every SIP domain’s access edge FQDN?
    Thanks.
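An added example, not part of the original thread: the name check behind the per-domain SAN requirement quoted above. The client verifies the certificate against the host name it requested, not against the name the CNAME points to, so a name missing from the SAN list fails over HTTPS even though DNS resolves. All host names and the SAN list are constructed, the function names are illustrative, and the matching follows generic RFC 6125 rules rather than any particular Lync client's behaviour.

```javascript
// Added example: TLS name verification for per-domain discovery names.
// All host names and the SAN list below are constructed sample data.

// Match one host name against one SAN dNSName entry. A wildcard is honoured
// only as the whole left-most label and stands for exactly one label.
function sanMatches(hostname, san) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  const s = san.toLowerCase().replace(/\.$/, "");
  if (!s.startsWith("*.")) return h === s;
  const hLabels = h.split(".");
  const sameDepth = hLabels.length === s.split(".").length;
  return sameDepth && hLabels.slice(1).join(".") === s.slice(2);
}

function certCovers(hostname, sanList) {
  return sanList.some((san) => sanMatches(hostname, san));
}

// Follow CNAME records (Map: alias -> target) to the name that finally answers.
function resolveCname(name, cnames) {
  let current = name.toLowerCase();
  const seen = new Set();
  while (cnames.has(current) && !seen.has(current)) {
    seen.add(current);
    current = cnames.get(current).toLowerCase();
  }
  return current;
}

// The certificate is checked against the requested name. The CNAME target
// decides only which server answers, so targetCovered does not help.
function checkHttps(requestedName, cnames, sanList) {
  const servedBy = resolveCname(requestedName, cnames);
  return {
    requestedName,
    servedBy,
    targetCovered: certCovers(servedBy, sanList),
    handshakeOk: certCovers(requestedName, sanList),
  };
}

// Names that still need a SAN entry before every HTTPS request verifies.
function missingSans(names, sanList) {
  return names.filter((n) => !certCovers(n, sanList));
}

// Constructed scenario: three SIP domains, discovery names aliased to one host.
const SIP_DOMAINS = ["designateddomain.com", "sipdomain1.com", "sipdomain2.com"];
const CNAMES = new Map([
  ["lyncdiscover.sipdomain1.com", "lyncdiscover.designateddomain.com"],
  ["lyncdiscover.sipdomain2.com", "lyncdiscover.designateddomain.com"],
]);
const SANS = ["lyncdiscover.designateddomain.com", "*.sipdomain2.com"];
const NAMES = SIP_DOMAINS.map((d) => "lyncdiscover." + d);

for (const name of NAMES) {
  console.log(JSON.stringify(checkHttps(name, CNAMES, SANS)));
}
console.log("SAN entries still needed:", missingSans(NAMES, SANS));
```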

  • Use single sign on for multiple portal domains

    Is it possible for a user to sign on once to a domain, and then be able to access other domains. What I'm trying to do is have one user registration page/login page, but use different portal server domains to present different sites, while at the same time having a type of single sign on, once a user has entered his credentials. Thus my registration process will create a new ldap user in an external directory, and i can then just point all the different domains to that External Ldap directory.

    I wouldn't recommend this because it would affect performance, plus there are potential other issues like conflicts that you would run into.
    Every time a user logs in, a new session is created for him, and this means a user might have multiple sessions on the server. The cookie that is also set is per portal domain, so it might not work.
    An alternative approach might be to have multiple roles and then customize the role for different views. You can modify the membership code in such a way that based on certain criteria you can assign him to a particular role, equivalent to your domain. However the problem could be if you want to provide delegated admin, currently the delegated admin is only at a domain level.

  • Proxy authentication for multiple users

    Hi, I'm hoping someone can help me out with the following situation.
    I need to deploy a number of iPads to students.
    An iPad may be used by more than 1 student.
    Our network requires authenticating against our proxy server to allow internet access.
    I do not want to cache the credentials of a user.
    Is there a way to 're-authenticate' access to the proxy?
    What is the best way of deploying iPads with multiple users?

    Thanks for posting the link. I have seen it, however I did notice some helpful information towards the bottom of the document.
    Unfortunately though, I didn't answer my question.
    Yes, I want the proxy credentials to be required every time they go on the internet. (Even if it's just Safari, and I can push all other access (apps etc.) through a transparent proxy.)
    Either way, the proxy credentials need to be renewed frequently, as the device may be used by multiple people throughout the day.

  • Authentication for multiple services

    I wanna setup a bunch of web services (squirrelmail, blojsom blog, dokuwiki wiki, and an online calendar system - if i can find one). Obviously, I want to make these private, so only employees see them. All of these require separate authentication. Is there a way I can use one login/pass for all these, so they don't have to keep logging in to each individual service? like they go to:
    domainname.com/services
    and then login, and all their stuff is available.
    Any hints?

  • Authentication with Multiple SSIDs AP521G, using Autonomous

    I have an AP521G access point that I am trying to setup authentication for multiple SSIDs. One SSID is for domain users with WPA/TKIP authentication to a radius server and the other SSID is for guest to have access to Internet with no authentication. Is there a way to setup both SSIDs on the AP for this configuration?

    Security options for an SSID can be unique and can be configured when you configure an SSID or under VLAN. Note that each VLAN is uniquely mapped to an individual SSID.

  • In RSA Authentication Manager 7.1, how create multiple security domains

    Hi,
    RSA Authentication Manager 7.1 is configured with LDAP (Sun Java System Directory Server); how do I create multiple security domains in 7.1? Are these security domains related to LDAP?
    thanks

    I think what you need to do is create an identity sequence with RSA as the selection in Authentication and Attribute Retrieval Search List and AD in Additional Attribute Retrieval Search List. Then select this sequence as the result in the identity policy for the service.

  • "Sharepoint 2013" is giving error that prevents local domain users authentication for "Team Foundation Server"

    I am getting 2 errors through the event viewer that prevents TFS 2013 authentication for local domain users, also this error started appearing after having TFS upgraded to [ 12.0.30723.0 (Tfs2013.Update3) ].
    1st Error (from administrative events):
    The Execute method of job definition Microsoft.SharePoint.Administration.SPUsageImportJobDefinition (ID a51a0244-765d-433b-8502-0bb0540ad1fd) threw an exception. More information is included below.
    Access to the path 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS' is denied.
    Tried so far:-
    - changed the path to another folder from "Diagnostic Logging" in another drive, but still getting the same error.
    2nd Error (from application server):
    DistributedCOM error
    The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {000C101C-0000-0000-C000-000000000046} and APPID {000C101C-0000-0000-C000-000000000046} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    Which I already got fixed using the following steps on a thread I opened before (but still getting the same error).
    https://social.technet.microsoft.com/Forums/windows/en-US/3896e35c-b99a-4d30-b662-f92d337c8d6f/windows-servers-components-services-and-regedit-permissions-are-grayed-out-for-my-admin-account?forum=winservergen
    Other Fixes I tried
    - Found on another topic that it is not SharePoint that is causing the problem, but the generated ASP.NET web pages used for testing, which cause the memory to fill up due to caching in RAM; the fix suggested was to change IIS caching from RAM to HD to prevent loading up using w3wp.exe from processes.
    Concern
    - By checking other topics for people having the same problem, it was mentioned that this error appeared after the latest TFS update. Is there a fix for it?

    Hi Kpdn, 
    Thanks for your post.
    All your participation and support are very important to build such harmonious/ pleasant / learning environment for MSDN community.
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.

  • Windows Native Authentication with 2 (multiple) AD domains

    I have managed to get Windows Native Authentication for Oracle Application Server 10g (9.0.4) on Windows working. The following has been done and works in a test environment:
    Phase 1) Active Directory (AD) to Oracle Internet Directory (OID) Synchronization
    Phase 2) Configure a Kerberos Service Account for the Single Sign-on
    Currently all the above setup points to a single windows active directory server, i.e. active1.uk.oacle.com. This is acceptable for a test environment, but before the changes can be deployed to production I need to incorporate some disaster recovery.
    The active directory is replicated across multiple servers – i.e. active1.uk.oacle.com, active2.uk.oacle.com. In the event that the primary active directory server is unavailable Oracle users should still be able to access applications. I need to incorporate active2.uk.oacle.com into the above setup.
    Questions:
    1) Can I get away with not incorporating active2.uk.oacle.com into phase 1? If the users have been pulled into OID then we are not particularly concerned with pulling in new users in a disaster situation.
    2) Can I configure the Oracle side of the Kerberos setup to use multiple realms with an order of precedence – i.e. try active1.uk.oacle.com, then try active2.uk.oacle.com? I would generate a keytab file from each server.
    Ideally I would like to just modify the Kerberos setup to check active1.uk.oacle.com then active2.uk.oacle.com. Is this a workable approach? If yes how do I proceed? I believe the krb5.ini and opmn.xml need to be amended.
    Thanks

    Does anyone have any ideas on how to do this????

  • Authentication using multiple domains

    We've got a rather complicated configuration scenario here and I need to understand what would need to happen to put this in place, or if it can even be accomplished at all.
    We are on Business Objects XIR2 SP3 in a Windows 2003 environment. We are currently using Trusted Authentication with a 3rd party web security component (ISAPI filter) running on our IIS box, however our Web Intelligence implementation is actually done in Tomcat, which is connected to the IIS box simply using the IIS to Tomcat connector (also an ISAPI filter). We currently have the LDAP plugin configured to hit an ADAM directory server, however we are rewriting our web security solution with an AD back end. The AD back end may possibly have two different domains involved, one for internal users and one for external users. I would need to be able to authenticate users from both domains, and have all the other pieces and parts continue to work as far as authentication goes (ADAM via LDAP, trusted authentication for the thin client interface using the WEB_SESSION approach, and both AD directories with users in each all able to authenticate to the tool set).
    First, can you tell me if it's even possible to accomplish this? And second, if it is, what kind of trust relationship does there need to be, if any, between the internal and external users AD domains? I ask because I see only one place to set up an SPN, and there are specific application server services that have to be configured to run as that given service account, so I'm assuming there has to be some sort of trust relationship there since our application servers are all installed in one of those domains.
    Thanks,
    V

    These questions keep getting more complicated
    Your domain situation depends on 2 things. If internal and external are 2 domains in the same AD forest (trust is automatic this way) then it should work fine (provided you aren't firewalling off the users as internal/external could imply).
    If they are not in the same forest then you would need a 2-way transitive trust, no firewalling, and XI 3.1 in order to map groups/users from both domains into 1 plugin (this would require the AD plugin).
    Another option might be to use the LDAP plugin for 1 forest and AD plugin for the other but that would kill your existing users. This is your only option in XIR2 if you have 2 forests.
    Regards,
    Tim

  • DNS for Multiple Domains

    I am trying to figure out the proper configuration for DNS that will support multiple domains. I have DNS working now for just one domain.
    My XServe has a static IP connected directly to cable modem and is the master nameserver. I also have an Ubuntu server with static IP connected directly to cable modem that is the secondary (slave) nameserver.
    On the XServe, I currently have a primary zone created for domain1.com. with:
    * an A record for domain.com. (Fully Qualified) and the same static IP as the XServe
    * an A record for ns1 (not fully qualified) and the same static IP as the XServe
    * Aliases for ftp, www and mail (not fully qualified) mapped to destination ns1.domain1.com. (Fully Qualified)
    Nameservers under the Primary Zone is ns1.domain1.com. and Mail Exchangers is ns1.domain1.com. with a priority of 10.
    The reverse zone is getting created appropriately for me as far as I can tell. I am able to access www.domain1.com just fine as well as mail and ftp.
    Now I want to add a new domain2.com to this master nameserver. I know that I will need a new Primary Zone for domain2.com. to be recognized and to set up its aliases?
    Can I use the same static IP or do I have to have a unique static IP?
    Can I use the ns1.domain1.com. nameserver or does the new domain2.com need new nameservers?
    Does domain2.com have its own A records?
    Do the mail exchangers need to be different for domain2.com?
    It seems like all the documentation and information that I can find are just for configuring one domain and not so much for multiple domains. Any help would be greatly appreciated.
    Spotted Dog

    Don't think of subsequent domains as being any different from the first domain.
    For every domain you need to provide certain information, including a list of the hostnames within that domain. There is no relationship between 'www' in domain1.com and 'www' in domain2.com (unless you point them to the same address, but that's a different issue).
    Any host record in the zone can either be an A record (where you specify an IP address) or a CNAME (where you specify another hostname that it maps to).
    In the case of your web server handling both domains you could set 'www.domain2.com' as an A record with the appropriate IP address, or you could set it as a CNAME with a value of 'www.domain1.com.' (essentially saying 'www.domain2.com has the same IP address of www.domain1.com, so go find that address').
    It's also possible to use cross-domain records for things like name servers and mail servers - in other words you can set your MX record for domain2.com to mail.domain1.com (essentially saying that domain2.com's email is handled by mail.domain1.com).
    Can I use the same static IP or do I have to have a unique static IP?
    That's not a question for DNS. What you're defining are the hostnames in that domain. If you have one server (e.g. a web server) that can handle multiple domains (e.g. one apache server handling web traffic for both domain1.com and domain2.com) then, sure, you can use the same IP address for both.
    If, on the other hand, you have specific services that cannot be multi-hosted (e.g. HTTPS) then you will need different IP addresses.
    Can I use the ns1.domain1.com. nameserver or does the new domain2.com need new nameservers?
    Sure, it's entirely possible to use domain1.com's name servers for domain2.com.
    Does domain2.com have its own A records?
    It can do, or not, as you choose. If you're running www.domain2.com on the same server as www.domain1.com then you could use a CNAME record to point www.domain2.com to www.domain1.com., or you could set an A record with the same IP address.
    The result would be the same, but the CNAME has the advantage that if your IP address changes you only need to change your DNS in one place (www.domain1.com) and all the other addresses would automatically follow.
    Do the mail exchangers need to be different for domain2.com?
    Not at all, if your mail server is configured to handle mail for both domains it's entirely possible to specify mail.domain1.com as the MX record for domain2.com.

  • Creating Iweb separate domains for multiple sites DIDNT WORK

    Hi! Any help would be much appreciated!
    I am creating multiple websites in iWeb '09. All 3 of my websites have been stored under 1 domain file on my Mac. I have read numerous discussion boards stating the steps of how to separate each of the created sites from the one domain file into multiple domain files. I followed the steps on this website:
    http://lmsdiweb.wikispaces.com/Saving+Locally
    I moved the Domain folder out of its original location into a new folder on my hard drive entitled "Sites". Then I made subfolders within that folder and duplicated the domain 3 times and placed each copy in those folders. Then I double-clicked on the domain for my 1st site, opened iWeb, and then deleted the other sites I did not want on this new "domain" file I created and hit save. This is exactly what the website said to do to create the separate domain files for each separate site. It then said to repeat for each site, deleting the sites that are not needed on that domain.
    All of that being said, it didn't seem to work when I tried to open the 2nd copy of the domain. When iWeb opened after double-clicking the 2nd domain copy, it did not open and show me all 3 sites as it should have; it opened to show me the one site that I just "saved" after deleting the other sites for the previous domain I was trying to create.
    I'm afraid I possibly lost my other 2 sites. I backed up my first initial "domain" file which had all 3 sites within it on my external hard drive, and when I double-clicked on that to make sure my sites weren't lost forever, the same thing happened and only my latest site that I saved on the 1st attempt to separate domain files is visible in my iWeb.
    Did I lose everything I created in my other 2 sites? How do I get them back? What did I do wrong? Any help is much appreciated as I have a feeling I might have made a serious mistake and need some help figuring this all out!
    Thank you!
    Also, I published all of my sites "to a folder" on my hard drive before doing this as well. Is there any way to take the published folder contents and put my site back in iWeb for editing again?

    With three sites in a domain file here's how I would do it. Create 3 copies of your domain file and name them for the three websites, i.e. "website1.sites", "website 2.sites", etc.
    With the application discussed in the text below open website1.sites and delete website 2 and website 3 from it and save.  Open website 2.sites and delete 1 and 3.  Do the same for website 3.sites. 
    Then use the application mentioned below to open iWeb and select the website you want. 
    In Lion and Mountain Lion the Home/Library folder is now invisible. To make it permanently visible enter the following in the Terminal application window: chflags nohidden ~/Library and hit the Enter button - 10.7: Un-hide the User Library folder.
    To open your domain file in Lion or Mountain Lion or to switch between multiple domain files Cyclosaurus has provided us with the following script that you can make into an Applescript application with Script Editor. Open Script Editor, copy and paste the script below into Script Editor's window and save as an application.
    do shell script "/usr/bin/defaults write com.apple.iWeb iWebDefaultsDocumentPath -boolean no"
    delay 1
    tell application "iWeb" to activate
    You can download an already compiled version with this link: iWeb Switch Domain.
    Just launch the application, find and select the domain file in your Home/Library/Application Support/iWeb folder that you want to open and it will open with iWeb. It modifies the iWeb preference file each time it's launched so one can switch between domain files.
    WARNING: iWeb Switch Domain will overwrite an existing Domain.sites2 file if you select to create a new domain in the same folder.  So rename your domain files once they've been created to something other than the default name.
    NOTE:  iWeb 2 is not compatible with Mt. Lion and has trouble saving to the hard drive.  It's suggested you obtain iWeb 3
    OT

  • Single login for multiple domains

    Can anyone point out a blog or post of a single login for
    multiple domains? For example, let's say I own asite.com and
    bsite.com.
    I want a user who logs in to asite.com to also be logged into
    bsite.com if they visit that site. BSite.com is clearly a microsite
    of asite.com but we'd like to continue to use that domain if the
    visitor is on that site instead of redirecting them to keep login
    credentials
    Thanks

    If you're using cookie based login system, I'd imagine you
    could set a cookie to be valid for both of your sites.
    <cfcookie name="myAuthcookie" value="myAuthValue"
    domain=".asite.com;.bsite.com">
    That way both asite.com and bsite.com can read your cookie.
    Note the notation; always include the preceding dot in the domain
    values. (two dots for top level domains, etc.)
    Strangely CFCOOKIE documentation doesn't mention anything
    about using semicolon separating multiple domains. It did in CF5
    documentation, but not since.
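The following is an added example, not part of the original posts: a sketch of how a browser following RFC 6265 processes a Set-Cookie header that carries the Domain value discussed above. The header string is constructed on the assumption that the attribute value reaches the header verbatim; the function names are illustrative and PUBLIC_SUFFIXES is a small stand-in for the real Public Suffix List.

```javascript
// Added example: RFC 6265 handling of the Set-Cookie Domain attribute.
// PUBLIC_SUFFIXES is a tiny constructed stand-in for the Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);
const KNOWN_ATTRS = ["path", "expires", "max-age", "secure", "httponly", "samesite"];

// RFC 6265 section 5.1.3: does `host` domain-match `cookieDomain`?
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase();
  if (h === d) return true;
  const isIpLiteral = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");
  return !isIpLiteral && h.endsWith("." + d);
}

// RFC 6265 section 5.2: split a Set-Cookie value into name/value and
// attributes. Every ";" ends an attribute, so a semicolon-separated domain
// list becomes one Domain attribute plus unrecognised (ignored) attributes.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const first = parts.shift();
  const eq = first.indexOf("=");
  if (eq === -1) return null; // no name=value pair: the header is ignored
  const cookie = { name: first.slice(0, eq), value: first.slice(eq + 1),
                   domainAttr: "", ignored: [] };
  for (const part of parts) {
    if (part === "") continue;
    const i = part.indexOf("=");
    const attrName = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    const attrValue = i === -1 ? "" : part.slice(i + 1).trim();
    if (attrName === "domain") {
      // A leading dot is dropped; an empty Domain value is ignored.
      if (attrValue !== "") cookie.domainAttr = attrValue.replace(/^\./, "").toLowerCase();
    } else if (!KNOWN_ATTRS.includes(attrName)) {
      cookie.ignored.push(part);
    }
  }
  return cookie;
}

// RFC 6265 section 5.3: does the browser store a cookie received from
// `requestHost`, and with which scope?
function storeDecision(requestHost, header) {
  const host = requestHost.toLowerCase();
  const c = parseSetCookie(header);
  if (c === null) return { stored: false, reason: "no name=value pair", ignored: [] };
  let domainAttr = c.domainAttr;
  if (PUBLIC_SUFFIXES.has(domainAttr)) {
    if (domainAttr !== host) {
      return { stored: false, reason: "Domain is a public suffix", ignored: c.ignored };
    }
    domainAttr = ""; // treated as if no Domain attribute had been sent
  }
  if (domainAttr === "") {
    return { stored: true, hostOnly: true, domain: host, ignored: c.ignored };
  }
  if (!domainMatch(host, domainAttr)) {
    return { stored: false, reason: "request host does not domain-match Domain",
             ignored: c.ignored };
  }
  return { stored: true, hostOnly: false, domain: domainAttr, ignored: c.ignored };
}

// RFC 6265 section 5.4: is a stored cookie attached to a request for `host`?
function sentTo(decision, host) {
  if (!decision.stored) return false;
  return decision.hostOnly ? host.toLowerCase() === decision.domain
                           : domainMatch(host, decision.domain);
}

// Constructed header: the thread's Domain value written verbatim.
const SAMPLE = "myAuthcookie=myAuthValue; Domain=.asite.com;.bsite.com; Path=/";

function demo() {
  const fromA = storeDecision("www.asite.com", SAMPLE);
  const fromB = storeDecision("bsite.com", SAMPLE);
  return { fromA, fromB,
           sentToAsite: sentTo(fromA, "asite.com"),
           sentToBsite: sentTo(fromA, "bsite.com") };
}

console.log(JSON.stringify(demo(), null, 2));
```

With this header the cookie set by asite.com is scoped to asite.com and its subdomains only, and the same header arriving from bsite.com is not stored at all.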

  • Mailman v3 implementation of support for multiple domains

    Mailman has evolved to support listserve names for multiple domains (think VH for listserves). At what point can we see Apple roll this kind of management into the existing product? It would be fabulous to give VH clients the ability to have their own 'branded' listserve experience rather than one with our default domains
    Server Group -- please update Mailman when more pressing bug fixes are out of your way. Thank you!

    Alex,
    Thanks. I know that it can be done via the CLI, but once again we see where alterations done in the CLI will immediately require abandoning the SA as an admin tool. We're trying to encourage Apple to not create this paradox, or rather, to evolve the GUI admin toolset. I was recently at a Leopard Server tour seminar where the field engineer and I discussed this very feature. His comment to me was essentially 'many of the tools in the Server are based on open source projects, so you can simply download the latest update, compile it and configure it for the server ... but you won't be able to use the admin tools we provide.' He's accurate, and if I was the only one admin'ing my machines, that might be a temporary solution to this particular small issue. But it immediately brings to mind the reflex question of 'so why did I buy Leopard server?'
    This is a matter of Apple needing to provide sufficient resources to the Server group to grow the product. Whether that means some new hiring, or not pulling engineers off for other product lines, or a different management paradigm. We shouldn't purchase a server product that is touted as an enterprise-class solution when it may only have a bare framework for the offered toolsets. If growing the toolset to match what is already offered in the open source world (for that particular product) requires abandoning the server tools, then there's a bit of a vision problem with the Server product.
    Sorry, -- I didn't mean to get on a soap box. You and I are here to learn and help others. I know you aren't part of Apple any more than I am. I do hope Apple engineers are given some time to peruse this board and mine it for ideas, or gauge the effectiveness of their solutions based on the questions and solutions posed here.
    With Mailman 3 so far along in development (VH support was added in October), is Apple culling the very best from it for their user base (and adjusting the SA toolset accordingly)?

  • Help setting up KMS on a single domain and activating for multiple other domains

    Hi all,
    I have a problem configuring DNS for a KMS host. My company uses a single domain, "abc.com". But I must manage more than 10 different companies, and they use other domains with DNS running independently; they have a leased line connecting them together.
    My challenge is how to activate all clients at more than 10 companies. Any ideas are very much appreciated.
    Please help.
    Thanks,

    That's a good article suggested by Meinolf, but it's a little outdated.
    For an updated guide for this:
    https://technet.microsoft.com/en-us/library/ff793409.aspx
    Publishing to Multiple DNS Domains
    By default, the KMS host is registered only in the DNS domain to which the host belongs. If the network environment has only one DNS domain, no further action is required.
    If there is more than one DNS domain name, you can create a list of DNS domains for a KMS host to use when publishing its SRV RR. Setting this registry value suspends the KMS host’s default behavior of publishing only in the domain specified as the Primary DNS Suffix.
    Optionally, add priority and weight parameters to the DnsDomainPublishList registry value for KMS. This feature enables you to establish KMS host priority groupings and weighting within each group to define which KMS host to try first and balance traffic among multiple KMS hosts.
    Note   DNS changes might not be reflected until all DNS servers have been replicated. Changes made too frequently (time < replication time) can leave older records if the change is performed on a server that has not been replicated.
    To automatically publish KMS in multiple DNS domains, add each DNS domain suffix to whichever KMS should publish to the multi-string registry value DnsDomainPublishList in registry subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform. After changing the value, restart the Software Licensing Service to create the SRV RRs.
    Note   This key has changed from the Windows Vista location of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SL.
    After configuring a KMS host to publish to multiple domains, export the registry subkey, and then import it into the registry on additional KMS hosts. To verify that this procedure was successful, check the Application event log on each KMS host. Event ID 12294 indicates that the KMS host successfully created the SRV RRs. Event ID 12293 indicates that the attempt to create the SRV RRs was unsuccessful. For a complete list of error codes, see the Volume Activation 2.0 Operations Guide at http://technet.microsoft.com/en-us/library/cc303695.aspx.
    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)
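
The publishing procedure quoted in the reply above, as a PowerShell sketch added here (it is not part of the original reply or of the TechNet guide). The domain suffixes are constructed placeholders; the service name `sppsvc`, the `_vlmcs._tcp` SRV name and the 30-second wait are assumptions that the page does not state.

```powershell
# Added example; run in an elevated session on the KMS host.
$key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'
$name     = 'DnsDomainPublishList'
$suffixes = @('abc.com', 'company2.example', 'company3.example')  # constructed placeholders
$service  = 'sppsvc'  # assumption: the page only says "Software Licensing Service"

# Show the current list first so the change can be reviewed or rolled back.
$before = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
Write-Output "Previous ${name}: $($before -join ', ')"

# Write the suffixes as a multi-string (REG_MULTI_SZ) value; -Force overwrites an existing value.
New-ItemProperty -Path $key -Name $name -PropertyType MultiString -Value $suffixes -Force | Out-Null

# Restart the service so it publishes the SRV RRs, remembering when we did it.
$since = Get-Date
Restart-Service -Name $service
Start-Sleep -Seconds 30

# Event ID 12294 = SRV RRs created, 12293 = creation failed (Application log, per the quoted guide).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 12293, 12294; StartTime = $since } -ErrorAction SilentlyContinue
if (-not $events) { Write-Warning 'No 12293/12294 events yet; re-check the Application log later.' }
foreach ($e in $events) {
    $result = if ($e.Id -eq 12294) { 'published' } else { 'FAILED' }
    Write-Output ("{0:u}  {1}  {2}" -f $e.TimeCreated, $e.Id, $result)
}

# Confirm from DNS that each domain now answers for the KMS SRV name.
# Records may lag until the zone has replicated, as the quoted note warns.
foreach ($d in $suffixes) {
    $srv = Resolve-DnsName -Name "_vlmcs._tcp.$d" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }
    if ($srv) {
        $srv | ForEach-Object { Write-Output "$d -> $($_.NameTarget):$($_.Port) (prio $($_.Priority), weight $($_.Weight))" }
    } else {
        Write-Warning "$d has no _vlmcs._tcp SRV record visible from this resolver"
    }
}
```

Running the DNS check from a client in each remote company, against that company's own resolver, shows whether the record is visible where activation will actually look for it.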
