Configure Active Directory Certificate Services - NDES

You must install AD CS - Network Device Enrollment Service on a server separate from your Enterprise CA.

Install the AD CS Network Device Enrollment Service (NDES)

1. Go to Start > Administrative Tools > Server Manager > Manage. Then, select [ Add roles and features ].

2. On the Before You Begin window, select [ Next ].

3. Choose the installation type: Role-based or feature-based installation. Select [ Next ].

4. On the Server Selection page, select the server from the domain (or local machine) on which to install AD CS. Select [ Next ].

5. On the Server Roles page, check the box next to Active Directory Certificate Services. Select [ Next ] and then select [ Add Features ].

6. On the Features page, select the following options and then select [ Next ].

  • Select .NET Framework 3.5 Features and include HTTP Activation
  • Select .NET Framework 4.8 Features and include HTTP Activation under WCF Services

7. On the AD CS page, select [ Next ].

8. On the Role Services page, select Network Device Enrollment Service. Select [ Next ].

9. On the Web Server Role (IIS) page, select [ Next ].

10. On the Role Services page, select the following:

  • Security
    • Request Filtering
  • Application development
    • .NET Extensibility 4.8
    • ASP.NET 4.8
  • Management Tools
    • IIS Management Tools
    • IIS 6 Management Compatibility
      • IIS 6 Metabase Compatibility
      • IIS 6 WMI Compatibility

11. Select [ Next ] and then [ Install ].

12. After the installation completes, select [ Close ].

Set the IIS permissions for your NDES accounts

Before moving on to configuring AD CS NDES, you must first set the permissions for your Service Account and Application Pool account.

1. On the NDES server, use the Windows search bar and look for Local Users and Groups. Open it.

2. In the left toolbar, select [ Groups ].

3. Locate the IIS_IUSRS group and right-click it. Select [ Properties ].

4. Select [ Add ] and add both your Service Account and your NDES Application Pool account.

5. Select [ Apply ] and then [ OK ].

Set the NDES Service Account to use Logon as a Service

The Domain Administrator account you plan to use for NDES as the Service Account must have Logon as a Service enabled. To enable it:

1. On the NDES server, use the Windows search bar and look for Local Security Policy. Open it.

2. Expand Local Policies and select [ User Rights Assignment ].

3. Locate and double-click [ Log on as a service ].

4. Select [ Add User or Group ].

5. Add your Domain Administrator account acting as the NDES Service Account. Select [ OK ].
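The three procedures above (feature installation, IIS_IUSRS membership, and the "Log on as a service" right), as one added PowerShell script that is not part of the original page or of Microsoft's documentation. It assumes an elevated session on the NDES server; the two account names are placeholders to replace with your own.

```powershell
# Added example (not part of the original page): PowerShell equivalents of the three
# procedures above. Run in an elevated session on the NDES server.
# The two account names are placeholders (assumption); substitute your own.
$ServiceAccount = 'CONTOSO\svc-ndes'          # placeholder NDES service account
$AppPoolAccount = 'CONTOSO\svc-ndes-apppool'  # placeholder NDES application pool account

# --- 1. Roles and features (Server Manager feature names map to these IDs) ---
# Windows still labels the .NET 4.x features "45" even when 4.8 is what installs.
$features = @(
    'ADCS-Device-Enrollment',                                  # Network Device Enrollment Service
    'NET-Framework-Features', 'NET-HTTP-Activation',           # .NET Framework 3.5 + HTTP Activation
    'NET-Framework-45-Features', 'NET-WCF-HTTP-Activation45',  # .NET Framework 4.x + WCF HTTP Activation
    'Web-Filtering',                                           # Security > Request Filtering
    'Web-Net-Ext45', 'Web-Asp-Net45',                          # .NET Extensibility / ASP.NET 4.x
    'Web-Mgmt-Tools', 'Web-Mgmt-Compat',                       # IIS Management Tools / IIS 6 Compatibility
    'Web-Metabase', 'Web-WMI'                                  # IIS 6 Metabase / WMI Compatibility
)
# The .NET 3.5 payload is not on every image; add -Source <path to \sources\sxs> if it fails.
Install-WindowsFeature -Name $features -IncludeManagementTools

# --- 2. IIS permissions: both accounts join the local IIS_IUSRS group ---
Add-LocalGroupMember -Group 'IIS_IUSRS' -Member $ServiceAccount, $AppPoolAccount

# --- 3. "Log on as a service" (SeServiceLogonRight) for the service account ---
# There is no built-in cmdlet; export the current assignment with secedit, append the
# account's SID so existing grantees are kept, and import the result.
$sid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate([System.Security.Principal.SecurityIdentifier]).Value
$export = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
$match = Select-String -Path $export -Pattern '^SeServiceLogonRight\s*=\s*(.*)$'
$current = if ($match) { $match.Matches[0].Groups[1].Value.Trim() } else { '' }
if ($current -notlike "*$sid*") {
    $updated = if ($current) { "$current,*$sid" } else { "*$sid" }
    $import = Join-Path $env:TEMP 'ndes-logon-right.inf'
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = $updated
"@ | Set-Content -Path $import -Encoding Unicode
    secedit /configure /db "$env:TEMP\ndes-logon-right.sdb" /cfg $import /areas USER_RIGHTS | Out-Null
}
# Verify: the right's entry should now contain the account's SID.
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
Select-String -Path $export -Pattern '^SeServiceLogonRight'
```

The secedit step appends to the existing SeServiceLogonRight list rather than replacing it, so the built-in service SIDs already granted the right are preserved.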

For more information on installing and configuring Active Directory Certificate Services - NDES, refer to the Microsoft documentation.