diff --git a/Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md b/Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md index 5533ea3..36fff7f 100644 --- a/Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md +++ b/Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md @@ -75,8 +75,11 @@ You will see a finalization screen confirming everything we have configured, it ### Role Deployment Now that we have set up the root certificate authority, we can focus on setting up the subordinate CA. +!!! warning "Enterprise Admin Requirement" + When you are setting up the role, you **absolutely** have to use an Enterprise Admin account. This could be a service account like `svcCertAdmin` or something similar. + - Navigate to "**Server Manager > (Alert Flag) > Post-deployment Configuration: Active Directory Certificate Services**" - - Under credentials, let it automatically populate a domain admin. (e.g. `BUNNY-LAB\nicole.rappe`) + - Under credentials, enter the username for an Enterprise Admin. (e.g. `BUNNY-LAB\nicole.rappe`) - Click "**Next**" - Check the following roles (*we will add the rest after setting up the core CA functionality*) - `Certification Authority` 
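Review bot: The new warning admonition tells the reader to use an Enterprise Admin account but suggests placing that membership on a service account ("This could be a service account like `svcCertAdmin`"), which creates a standing Enterprise Admin principal for what is a one-time post-deployment step; consider rewording to say that Enterprise Admin is only needed while running the AD CS configuration wizard and that a dedicated service account should not hold it permanently, and explain briefly why it is needed (the wizard writes the CA into the forest-wide Configuration partition). The example in the bullet below, `BUNNY-LAB\nicole.rappe`, is a named user rather than the `svcCertAdmin`-style account the admonition proposes, so the two lines now give conflicting advice; pick one and make the example match.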
@@ -153,6 +156,13 @@ At this point, we will need to focus on getting the certificate signing request - Right-click the CA node in the treeview on the left-hand sidebar (e.g. `BunnyLab-SubordinateCA-01`) - Click on "**All Tasks" > "Start Service**" - Verify that the CA status is now green (running). +### Certificate Template Permissions +Lastly, we need to adjust the security permissions of the "Domain Controller Authentication" template so that domain controllers have read permissions to the template. + +- Right-Click ""**Certificate Templates**" > Manage + - Right-click "**Domain Controller Authentication**" > Properties + - Click on the "**Security**" tab + - Under the "Domain Controllers" permission, ensure that "Allow:Read" is checked, as well as "Enroll" and "Autoenroll", then click "OK" ## Create Auto-Enrollment Group Policy The Certificate Auto-Enrollment Group Policy enables domain-joined devices (*computers, including domain controllers*) to automatically request, renew, and install certificates from the Enterprise CA (in this case, the Subordinate CA `LAB-CA-02`).
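Review bot: The first bullet of the new "Certificate Template Permissions" section has a doubled quote, `- Right-Click ""**Certificate Templates**" > Manage`, which renders as a stray `"` before the bold text; it should read `- Right-click "**Certificate Templates**" > "**Manage**"` to match the quoting and bolding used on the other bullets ("**All Tasks" > "Start Service**" style), and `Properties`, `Security` and `OK` on the following bullets deserve the same consistent treatment. The bullet list also runs straight into `## Create Auto-Enrollment Group Policy` with no blank line, so add one after the last bullet so the heading is not parsed as part of the list. Since this section edits the ACL of an enrollment template, it is worth one sentence stating that Read/Enroll/Autoenroll should be granted only to the "Domain Controllers" (and "Enterprise Domain Controllers") group and not widened to broader groups, because an over-permissive template ACL is the usual way certificate templates become a privilege-escalation path.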