Active Directory Based Activation (ADBA) Fails with Error: 0x8007202B

Introduction

I was working with a customer recently who could not get clients or servers at a new remote site to activate using Active Directory Based Activation (ADBA). They were getting event ID 8214 as in the image below.

Notice in the image above that I bolded the computer name Client1.Child1.Contoso.local. This means that Client1 is in a child domain called Child1 of Contoso.local. A client activates as follows:

  • The client queries a local domain controller in its current domain, which is Child1.Contoso.local.
  • It finds the forest configuration container and drills down to the Activation Object, such as the one displayed in the picture above after "AO DN".
  • It then tries to connect to the forest root domain to activate the client.
  • If the client connects to the forest root domain, activation starts.
  • If the client cannot connect to the forest root domain, ADBA fails and event ID 8214 is logged to the Application log on the client.
  • The client then tries to find a KMS server.
  • If a KMS server is available, activation starts.
  • If no KMS server exists, the client fails activation.

Description of Issue

If you see event ID 8214 logged, then ADBA failed. The most common reason for this is that the client subnet does not have the required ports open to the forest root domain. See the port list below:

Client Port(s)                     Server Port          Service
49152-65535/UDP                    123/UDP              W32Time
49152-65535/TCP                    135/TCP              RPC Endpoint Mapper
49152-65535/TCP                    464/TCP/UDP          Kerberos password change
49152-65535/TCP                    49152-65535/TCP      RPC for LSA, SAM, Netlogon (*)
49152-65535/TCP/UDP                389/TCP/UDP          LDAP
49152-65535/TCP                    636/TCP              LDAP SSL
49152-65535/TCP                    3268/TCP             LDAP GC
49152-65535/TCP                    3269/TCP             LDAP GC SSL
53, 49152-65535/TCP/UDP            53/TCP/UDP           DNS
49152-65535/TCP                    49152-65535/TCP      FRS RPC (*)
49152-65535/TCP/UDP                88/TCP/UDP           Kerberos
49152-65535/TCP/UDP                445/TCP              SMB (**)
49152-65535/TCP                    49152-65535/TCP      DFSR RPC (*)

Reference: https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts

Solution

To resolve the ADBA 8214 issue, open up the required ports from your client and server subnets to the forest root domain. Your clients will then begin using Active Directory Based Activation.
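The following PowerShell script is an added example, not part of the original post: run on a client in the child domain, it resolves the forest root domain and its domain controllers through .NET, probes the fixed TCP server ports from the table above with Test-NetConnection, checks UDP 123 with w32tm, and lists any recent 8214 events. It assumes Windows 8/Server 2012 or later (for Test-NetConnection) and that the client can already reach its own domain; the dynamic 49152-65535 RPC ranges cannot be probed with a single port test and are only noted.

```powershell
# Added example (not from the original post). Run on the client that logs 8214.

# Fixed server ports from the table above. The dynamic RPC ranges (LSA/SAM/
# Netlogon, FRS, DFSR) are not probed here; confirm those on the firewall.
$FixedTcpPorts = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC Endpoint Mapper'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos password change'
    636  = 'LDAP SSL'
    3268 = 'LDAP GC'
    3269 = 'LDAP GC SSL'
}

# Step 1: find the forest root domain (Contoso.local for a client in
# Child1.Contoso.local) and the domain controllers it will have to reach.
$forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$rootDom = $forest.RootDomain
Write-Host "Forest root domain: $($rootDom.Name)"

# Step 2: TCP probe of every fixed port against every root-domain DC.
$results = foreach ($dc in $rootDom.DomainControllers) {
    foreach ($port in $FixedTcpPorts.Keys) {
        # -InformationLevel Quiet makes Test-NetConnection return only $true/$false.
        $ok = Test-NetConnection -ComputerName $dc.Name -Port $port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc.Name
            Port             = $port
            Service          = $FixedTcpPorts[$port]
            Reachable        = $ok
        }
    }
}

Write-Host "`nBlocked fixed ports to the forest root (empty means all reachable):"
$results | Where-Object { -not $_.Reachable } |
    Format-Table DomainController, Port, Service -AutoSize

# Step 3: UDP 123 (W32Time) has no TCP listener; ask one root DC for a time sample.
$firstDc = ($rootDom.DomainControllers | Select-Object -First 1).Name
w32tm /stripchart /computer:$firstDc /samples:1 /dataonly

# Step 4: confirm whether ADBA has actually failed on this client recently.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 8214 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Message | Format-List
```

Any row printed in Step 2 is a port to open from that client subnet to the forest root domain; once the list is empty and the 8214 events stop, ADBA is in use.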
