Introduction
I was working with a customer recently who could not get clients or servers at a new remote site to activate using Active Directory Based Activation (ADBA). They were getting event ID 8214 as in the image below.
Notice in the above where I bold the computer name Client1.Child1.Contoso.local. This means that Client1 is in a Child Domain called Child1 of Contoso.local. A client activates as follows:
- The client Query’s a local domain controller in it’s current domain which is Child1.Contoso.local
- It finds the forest configuration container and drills down to the Activation Object such as the one displayed in the picture above after AO DN.
- Then it tries to connect to the forest root domain to activate the client.
- If the client connects to the forest root domain then activation starts.
- If the client cannot connect to the forest root domain ADBA fails and event ID 8214 is logged to the application log on the client.
- The client then tries to find a KMS server.
- If a KMS server is available then activation starts.
- If no KMS server exists the client fails activation.
Description of Issue
If you see the event ID 8214 logged then ADBA failed. The most common reason for this is the client subnet does not have the required ports open to the forest root domain. See port list below:
| Client Port(s) | Server Port | Service |
|---|---|---|
| 49152 -65535/UDP | 123/UDP | W32Time |
| 49152 -65535/TCP | 135/TCP | RPC Endpoint Mapper |
| 49152 -65535/TCP | 464/TCP/UDP | Kerberos password change |
| 49152 -65535/TCP | 49152-65535/TCP | RPC for LSA, SAM, Netlogon (*) |
| 49152 -65535/TCP/UDP | 389/TCP/UDP | LDAP |
| 49152 -65535/TCP | 636/TCP | LDAP SSL |
| 49152 -65535/TCP | 3268/TCP | LDAP GC |
| 49152 -65535/TCP | 3269/TCP | LDAP GC SSL |
| 53, 49152 -65535/TCP/UDP | 53/TCP/UDP | DNS |
| 49152 -65535/TCP | 49152 -65535/TCP | FRS RPC (*) |
| 49152 -65535/TCP/UDP | 88/TCP/UDP | Kerberos |
| 49152 -65535/TCP/UDP | 445/TCP | SMB (**) |
| 49152 -65535/TCP | 49152-65535/TCP | DFSR RPC (*) |
Reference: https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts
Solution
To resolve the ADBA 8214 issue open up the required ports from your client and server subnets to the forest root domain. Your clients will then begin using Active Directory base Activation.
