Windows Server 2012 Base Configuration Test Lab Mini-Module for a Basic PKI
This Test Lab Guide Mini-Module describes how to add a basic public key infrastructure (PKI) as an optional addition to the Windows Server 2012 base configuration test lab. If you are running the base configuration test lab in a virtual environment, you can create snapshots of the virtual machines (VMs) for all of the test lab computers before performing the following procedure. There are two steps to adding a basic PKI deployment to the Windows Server 2012 Base Configuration test lab.
1. Install an enterprise root certification authority (CA) on APP1.
2. Enable computer certificate auto-enrollment for the corp.contoso.com domain, and verify computer certificate enrollment.
Step 1: Install an Enterprise Root CA on APP1
Do this step using Windows PowerShell
To install the Certification Services server role on APP1
Windows PowerShell equivalent commands
The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.
Install-WindowsFeature AD-Certificate -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -Force
Step 2: Enable Computer Certificate Auto-enrollment
Next, configure Group Policy on DC1 so that domain members automatically request computer certificates.
To configure computer certificate auto-enrollment
7. Close Group Policy Management Editor and Group Policy Management Console.
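The following script is an added example, not part of the original guide. It shows one way to verify on a domain member such as APP1 that the auto-enrollment policy has applied and that a computer certificate was issued by the lab CA. It assumes the CA common name contains the host name APP1 (the default when Install-AdcsCertificationAuthority is run without -CACommonName); the function name Get-LabComputerCertificate and the 30-second wait are hypothetical choices for this example.

```powershell
# Added example: run in an elevated Windows PowerShell 3.0+ session on a domain member.
param(
    # Assumption: the issuing CA's common name contains "APP1".
    [string]$IssuerPattern = '*APP1*'
)

function Get-LabComputerCertificate {
    param([string]$IssuerPattern)
    # Computer certificates live in the local machine "Personal" (My) store.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like $IssuerPattern } |
        ForEach-Object {
            [pscustomobject]@{
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey
                ChainValid    = $_.Verify()   # builds the chain to a trusted root
                EKU           = ($_.EnhancedKeyUsageList |
                                 ForEach-Object { $_.FriendlyName }) -join ', '
            }
        }
}

# Refresh computer policy, then trigger the autoenrollment task immediately.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null
Start-Sleep -Seconds 30   # enrollment runs asynchronously

# The autoenrollment GPO setting is written under this policy key.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if ($policy) { 'AEPolicy = 0x{0:X}' -f $policy.AEPolicy }
else { Write-Warning 'Autoenrollment policy key not found; the GPO may not have applied.' }

$certs = @(Get-LabComputerCertificate -IssuerPattern $IssuerPattern)
if ($certs.Count -gt 0) {
    $certs | Format-List
} else {
    Write-Warning "No computer certificate with an issuer matching '$IssuerPattern'."
    # Recent autoenrollment events usually name the template or permission at fault.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    } -MaxEvents 10 -ErrorAction SilentlyContinue |
        Format-List TimeCreated, Id, LevelDisplayName, Message
}
```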
Configure a client-server authentication template for auto-enrollment on APP1
Next, configure a custom client-server authentication template that can be used by servers and clients in further test lab guides.
To configure the client-server authentication template
Snapshot the Configuration
This completes the Basic PKI configuration. To save this configuration for additional test labs, do the following:
Additional Resources
For a list of all of the Windows Server 2012 TLGs, see Windows Server 2012 Test Lab Guides in the TechNet Wiki.
Adam Cooperman edited Revision 8. Comment: Corrected the Install-AdcsCertificationAuthority to correctly install an EnterpriseRootCA and not a standalone.
Ed Price - MSFT edited Revision 4. Comment: Font style; added tags
Joe Davies edited Revision 3. Comment: Misc editing
Joe Davies edited Revision 2. Comment: Updates for Windows Server 2012
This doesn't work well for me (tried in SCEP 2012 and SCSM 2012 TLGs, computers do not get their certificates). It is better to add AD CS role to DC1 and then add automatic certificate request for computers. Something like Base Config for Windows Server 2008 R2.
Works for me, but I did have to add the READ permission in step 7, section 'Configure a client-server authentication template for auto-enrollment on APP1'.
Is it possible to post a correction to the main test lab guides? There are some bits of PowerShell that need sorting.