Update Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md
All checks were successful
GitOps Automatic Deployment / GitOps Automatic Deployment (push) Successful in 7s
All checks were successful
GitOps Automatic Deployment / GitOps Automatic Deployment (push) Successful in 7s
This commit is contained in:
@ -15,7 +15,8 @@ This document outlines the Microsoft-recommended best practices for deploying a
|
||||
- Ensure the timezone is correctly configured
|
||||
- Ensure the hostname is correctly configured
|
||||
|
||||
### Offline (Non-Domain-Joined) Root CA `LAB-CA-01` Role Deployment
|
||||
## Offline (Non-Domain-Joined) Root CA `LAB-CA-01`
|
||||
### Role Deployment
|
||||
This is the initial deployment of the root certificate authority, the settings here should be double and triple checked before proceeding through each step.
|
||||
- Provision a **non-domain-joined** Windows Server
|
||||
- This is critical that this device is not domain-joined for security purposes
|
||||
@ -34,7 +35,7 @@ This is the initial deployment of the root certificate authority, the settings h
|
||||
- Click "**Next**" > "**Next**" > "**Next**" > "**Install**"
|
||||
- Restart the Server
|
||||
|
||||
### Offline (Non-Domain-Joined) Root CA `LAB-CA-01` Role Configuration
|
||||
### Role Configuration
|
||||
We have a few things we need to configure within the CA to make it ready to handle certificate requests.
|
||||
- Navigate to "**Server Manager > (Alert Flag) > Post-deployment Configuration: Active Directory Certificate Services**"
|
||||
- You will be prompted for an admin user, in this example, you will use the pre-populated `LAB-CA-01\Administrator`
|
||||
@ -70,7 +71,8 @@ You will see a finalization screen confirming everything we have configured, it
|
||||
!!! success "Active Directory Certificate Services"
|
||||
If everything went well, you will see that the "**Certificate Authority**" and "**Certification Authority Web Enrollment**" both have a status of "**Configuration succeeded**". At this point, you can click the "**Close**" button to conclude the Root CA configuration.
|
||||
|
||||
### Online (Domain-Joined) Subordinate/Intermediary CA `LAB-CA-02` Role Deployment
|
||||
## Online (Domain-Joined) Subordinate/Intermediary CA `LAB-CA-02`
|
||||
### Role Deployment
|
||||
Now that we have set up the root certificate authority, we can focus on setting up the subordinate CA.
|
||||
|
||||
- Navigate to "**Server Manager > (Alert Flag) > Post-deployment Configuration: Active Directory Certificate Services**"
|
||||
@ -114,7 +116,7 @@ You will see a finalization screen confirming everything we have configured, it
|
||||
!!! quote "Pending Certificate Signing Request"
|
||||
You will see a screen telling you that the **Certification Authority Web Enrollment** was successful but it will give a warning about the **Certification Authority**. The Active Directory Certificate Services installation is incomplete. To complete the installation, use the request file <file-name> to obtain a certificate from the parent CA [*The RootCA*]. Then, use the Certification Authority snap-in to install the certificate. To complete this procedure, right-click the node with the name of the CA, and then click "Install CA Certificate".
|
||||
|
||||
### Online (Domain-Joined) Subordinate/Intermediary CA `LAB-CA-02` Configuration Deployment
|
||||
### Configuration Deployment
|
||||
At this point, we will need to focus on getting the certificate signing request generated on `LAB-CA-02` to `LAB-CA-01` (the rootCA), this can be via temporary network access or via a USB flashdrive.
|
||||
|
||||
!!! danger
|
||||
@ -155,6 +157,7 @@ At this point, we will need to focus on getting the certificate signing request
|
||||
## Create Auto-Enrollment Group Policy
|
||||
The Certificate Auto-Enrollment Group Policy enables domain-joined devices (*computers, including domain controllers*) to automatically request, renew, and install certificates from the Enterprise CA (in this case, the Subordinate CA `LAB-CA-02`).
|
||||
|
||||
### Create GPO
|
||||
- Open the Group Policy Management editor on one of your domain controllers, then "Create a GPO in this domain, and link it here" wherever it will be able to target the domain controllers, this may be at the root, or in a specific OU that holds domain controllers. (e.g. `bunny-lab.io\Domain Controllers` )
|
||||
- Name the new GPO something like "**Certificate Auto-Enrollment**"
|
||||
- Edit the GPO
|
||||
@ -165,6 +168,14 @@ The Certificate Auto-Enrollment Group Policy enables domain-joined devices (*com
|
||||
- Click "**OK**"
|
||||
- Run a `gpupdate /force` on your domain controller(s) and give it a few minutes to pull down their new domain controller certificates
|
||||
|
||||
### Validate Auto-Enrollment Functionality
|
||||
At this point, you need to check that there is a certificate installed within "**Certificates - Local Computer > Personal > Certificates**" for "Domain Controller Server Authentication"
|
||||
|
||||
- PLACEHOLDER
|
||||
- PLACEHOLDER
|
||||
- PLACEHOLDER
|
||||
- PLACEHOLDER
|
||||
|
||||
!!! warning "Under Construction"
|
||||
Section is still being written during lab deployment.
|
||||
|
||||
|
||||
Reference in New Issue
Block a user