Update Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md
2025-07-16 01:15:24 -06:00
parent f9fdd1549d
commit f4755f2286

@ -75,8 +75,11 @@ You will see a finalization screen confirming everything we have configured, it
### Role Deployment
Now that we have set up the root certificate authority, we can focus on setting up the subordinate CA.
!!! warning "Enterprise Admin Requirement"
When you are setting up the role, you **absolutely** have to use an Enterprise Admin account. This could be a service account like `svcCertAdmin` or something similar.
- Navigate to "**Server Manager > (Alert Flag) > Post-deployment Configuration: Active Directory Certificate Services**"
- Under credentials, let it automatically populate a domain admin. (e.g. `BUNNY-LAB\nicole.rappe`)
- Under credentials, enter the username for an Enterprise Admin. (e.g. `BUNNY-LAB\nicole.rappe`)
- Click "**Next**"
- Check the following roles (*we will add the rest after setting up the core CA functionality*)
- `Certification Authority`
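Review bot: the new admonition suggests a dedicated service account such as `svcCertAdmin`, but the replacement credentials step still uses a personal account (`BUNNY-LAB\nicole.rappe`) as its example, so the step contradicts the advice immediately above it; either use the service account in the step's example or drop the service-account suggestion from the note. It would also help to state in the note that Enterprise Admins membership is only needed for the duration of the post-deployment configuration, so the account can be removed from the group once the CA is configured rather than left as a standing Enterprise Admin.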
@ -153,6 +156,13 @@ At this point, we will need to focus on getting the certificate signing request
- Right-click the CA node in the treeview on the left-hand sidebar (e.g. `BunnyLab-SubordinateCA-01`)
- Click on "**All Tasks" > "Start Service**"
- Verify that the CA status is now green (running).
### Certificate Template Permissions
Lastly, we need to adjust the security permissions of the "Domain Controller Authentication" template so that domain controllers have read permissions to the template.
- Right-Click ""**Certificate Templates**" > Manage
- Right-click "**Domain Controller Authentication**" > Properties
- Click on the "**Security**" tab
- Under the "Domain Controllers" permission, ensure that "Allow:Read" is checked, as well as "Enroll" and "Autoenroll", then click "OK"
## Create Auto-Enrollment Group Policy
The Certificate Auto-Enrollment Group Policy enables domain-joined devices (*computers, including domain controllers*) to automatically request, renew, and install certificates from the Enterprise CA (in this case, the Subordinate CA `LAB-CA-02`).
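Review bot: stray doubled quote in `- Right-Click ""**Certificate Templates**" > Manage` (one opening quote, and "Right-Click" is capitalised differently from "Right-click" on the next line). The lead sentence says the change is so domain controllers "have read permissions", but the step itself checks Read, Enroll and Autoenroll; say that in the sentence, since Autoenroll is what the Group Policy section that follows depends on. Consider adding a verification line after clicking OK (for example, `certutil -v -template` to confirm the template's permissions) to match the "Verify that the CA status is now green" pattern used earlier in the hunk. Finally, the trailing context names the subordinate CA `LAB-CA-02` while the hunk's own example is `BunnyLab-SubordinateCA-01`; pick one name for the document.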