Troubleshoot Azure Windows virtual machine activation problems

If you have trouble activating an Azure Windows virtual machine (VM) that was created from a custom image, you can use the information in this document to troubleshoot the issue.

Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines

Azure uses different endpoints for KMS (Key Management Services) activation depending on the cloud region where the VM resides. When using this troubleshooting guide, use the KMS endpoint that applies to your region.

  • Azure public cloud regions: kms.core.windows.net:1688
  • Azure China 21Vianet national cloud regions: kms.core.chinacloudapi.cn:1688
  • Azure Germany national cloud regions: kms.core.cloudapi.de:1688
  • Azure US Gov national cloud regions: kms.core.usgovcloudapi.net:1688


When you try to activate an Azure Windows VM, you receive an error message that resembles the following sample:

Error: 0xC004F074 The Software LicensingService reported that the computer could not be activated. No Key ManagementService (KMS) could be contacted. Please see the Application Event Log for additional information.


Generally, Azure VM activation issues occur if the Windows VM is not configured with the appropriate KMS client setup key, or if the Windows VM cannot connect to the Azure KMS service (kms.core.chinacloudapi.cn, port 1688).



If you are using a site-to-site VPN and forced tunneling, see Use Azure custom routes to enable KMS activation with forced tunneling.

If you are using ExpressRoute and you have a default route published, see Can I block Internet connectivity to virtual networks connected to ExpressRoute circuits?.

Step 1 Configure the appropriate KMS client setup key

For a VM that is created from a custom image, you must configure the appropriate KMS client setup key for the VM.

  1. Run slmgr.vbs /dlv at an elevated command prompt. Check the Description value in the output, and then determine whether it was created from retail (RETAIL channel) or volume (VOLUME_KMSCLIENT) license media:

    cscript c:\windows\system32\slmgr.vbs /dlv
  2. If slmgr.vbs /dlv shows RETAIL channel, run the following commands to set the KMS client setup key for the version of Windows Server being used, and force it to retry activation:

    cscript c:\windows\system32\slmgr.vbs /ipk <KMS client setup key>
    cscript c:\windows\system32\slmgr.vbs /ato

    For example, for Windows Server 2016 Datacenter, you would run the following command:

    cscript c:\windows\system32\slmgr.vbs /ipk CB7KF-BWN84-R7R2Y-793K2-8XDDG

Step 2 Verify the connectivity between the VM and Azure KMS service

  1. Download and extract the PsPing tool to a local folder in the VM that does not activate.

  2. Go to Start, search for Windows PowerShell, right-click Windows PowerShell, and then select Run as administrator.

  3. Make sure that the VM is configured to use the correct Azure KMS server. To do this, run the following command:

    Invoke-Expression "$env:windir\system32\cscript.exe $env:windir\system32\slmgr.vbs /skms kms.core.chinacloudapi.cn:1688"

    The command should return: Key Management Service machine name set to kms.core.chinacloudapi.cn:1688 successfully.

  4. Use PsPing to verify that you have connectivity to the KMS server. Switch to the folder where you extracted the Pstools.zip download, and then run the following:

    .\psping.exe kms.core.chinacloudapi.cn:1688

    In the second-to-last line of the output, make sure that you see: Sent = 4, Received = 4, Lost = 0 (0% loss).

    If Lost is greater than 0 (zero), the VM does not have connectivity to the KMS server. In this situation, if the VM is in a virtual network and has a custom DNS server specified, you must make sure that the DNS server is able to resolve kms.core.chinacloudapi.cn. Or, change the DNS server to one that does resolve kms.core.chinacloudapi.cn.

    Notice that if you remove all DNS servers from a virtual network, VMs use Azure's internal DNS service. This service can resolve kms.core.chinacloudapi.cn.

    Also make sure that outbound network traffic to the KMS endpoint on port 1688 is not blocked by the firewall in the VM.

  5. Use Network Watcher Next Hop to verify that the next hop type from the VM in question to the destination IP (for kms.core.chinacloudapi.cn, or the IP of the appropriate KMS endpoint that applies to your region) is Internet. If the result is VirtualAppliance or VirtualNetworkGateway, it is likely that a default route exists. Contact your network administrator and work with them to determine the correct course of action. This may be a custom route if that solution is consistent with your organization's policies.

  6. After you verify successful connectivity to kms.core.chinacloudapi.cn, run the following command at that elevated Windows PowerShell prompt. This command tries activation multiple times.

    1..12 | ForEach-Object { Invoke-Expression "$env:windir\system32\cscript.exe $env:windir\system32\slmgr.vbs /ato" ; start-sleep 5 }

    A successful activation returns information that resembles the following:

    Activating Windows(R), ServerDatacenter edition (12345678-1234-1234-1234-12345678) … Product activated successfully.
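
An added example (not part of the original article): a read-only PowerShell function that collects the facts Steps 1 and 2 check by hand, namely the license channel, the configured KMS host, DNS resolution, and TCP reachability on port 1688, without needing PsPing. The function name Test-KmsActivationPath and its parameters are hypothetical; it assumes Windows Server 2012 R2 or later, where Resolve-DnsName and Test-NetConnection are available.

```powershell
function Test-KmsActivationPath {
    param(
        # Endpoint taken from this article; substitute the one for your region.
        [string]$KmsHost = 'kms.core.chinacloudapi.cn',
        [int]$KmsPort = 1688
    )

    # Step 1 data: the installed Windows product key and its channel.
    # This is the same Description field that slmgr.vbs /dlv prints.
    $product = Get-CimInstance -ClassName SoftwareLicensingProduct -Filter "PartialProductKey IS NOT NULL AND Name LIKE 'Windows%'" |
        Select-Object -First 1
    $channel = switch -Regex ($product.Description) {
        'VOLUME_KMSCLIENT' { 'VOLUME_KMSCLIENT'; break }
        'RETAIL'           { 'RETAIL'; break }
        default            { 'other' }
    }

    # KMS host set with slmgr.vbs /skms (machine name is empty if never set).
    $service = Get-CimInstance -ClassName SoftwareLicensingService

    # DNS and TCP are tested separately, so a custom DNS server that cannot
    # resolve the endpoint is not mistaken for a blocked port 1688.
    $addresses = @()
    try {
        $addresses = @(Resolve-DnsName -Name $KmsHost -Type A -ErrorAction Stop |
            Where-Object { $_.IPAddress } |
            ForEach-Object { $_.IPAddress })
    } catch {
        Write-Warning "DNS resolution failed for ${KmsHost}: $($_.Exception.Message)"
    }

    $tcpOk = $false
    if ($addresses.Count -gt 0) {
        $tcpOk = (Test-NetConnection -ComputerName $KmsHost -Port $KmsPort -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    [pscustomobject]@{
        Channel       = $channel
        LicenseStatus = $product.LicenseStatus   # 1 means licensed
        ConfiguredKms = '{0}:{1}' -f $service.KeyManagementServiceMachine, $service.KeyManagementServicePort
        ResolvedIPs   = $addresses -join ', '     # feed one of these to Network Watcher Next Hop
        DnsResolved   = ($addresses.Count -gt 0)
        TcpReachable  = $tcpOk
    }
}

Test-KmsActivationPath | Format-List
```

A RETAIL channel points back to Step 1; DnsResolved = False points to the custom DNS server; DnsResolved = True with TcpReachable = False points to a firewall or routing problem (items 4 and 5 above).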


I created the Windows Server 2016 VM from Azure Marketplace. Do I need to configure a KMS key for activating Windows Server 2016?

No. The image in Azure Marketplace has the appropriate KMS client setup key already configured.

Does Windows activation work the same way regardless of whether the VM is using Azure Hybrid Use Benefit (HUB)?


What happens if the Windows activation period expires?

When the grace period has expired and Windows is still not activated, Windows Server 2008 R2 and later versions of Windows will show additional notifications about activating. The desktop wallpaper remains black, and Windows Update will install security and critical updates only, but not optional updates. See the Notifications section at the bottom of the Licensing Conditions page.

