Install and configure AD CS

if active directory domain services is not already installed, install it before proceeding you need an enterprise ca to use with intune install and join the server to your existing domain the section describes the tasks to install and configure ad cs install ad cs install ad cs unless you want to set up a standalone ca perform the following steps to install ad cs select start > administrative tools > server manager and then manage select add roles and features when the before you begin box opens, select \[ next ] choose one of the following installation types role based installation or feature based installation select \[ next ] in the server selection window, select the server from the domain (or local machine) on which to install ad cs select \[ next ] in the server roles window, select the checkbox next to active directory certificate services select \[ next ] and \[ add features ] in the features window, select \[ next ] in the ad cs window, select \[ next ] in the role services window, select certificate authority select \[ next ] in the confirmation window, select \[ install ] after the installation completes, select \[ close ] configure ad cs perform the following steps to configure the new ad cs installation with a public key infrastructure (pki) if you haven't installed active directory yet, install it before proceeding unless this is a standalone ca select start > administrative tools > server manager select the flag icon to the left of manage select configure active directory certificate services on the destination in the credentials window, ensure your login meets the displayed requirements and press \[ next ] in the select role services window, select certificate authority to enable the management and issuance of certificates, and select \[ next ] in the specify setup type window, you must set the type the type designates the kind of certificate authority server and depends on your business requirements select either enterprise or standalone enterprise cas are integrated with active directory standalone cas conduct operations offline select \[ next ] in the specify ca type window, select root or subordinate select root if you have not yet created a pki select subordinate if you are integrating with an existing pki select \[ next ] in the set up private key window, select use existing private key or create a new private key select use existing private key if you have integrated this ca with the futurex hardware previously and the private key already exists on the kmes series 3 (for example, this is a reinstallation of the ca server) then, choose select an existing private key on this computer and proceed to step 8 if this is a new ca, select create a new private key and proceed to step 9 select \[ next ] if you selected create a new private key , perform the following steps in the configure cryptography for ca window, choose futurex fxcl kmes cng from the drop down menu select a key character length 2048, 3072, or 4096 select a hash algorithm from the drop down menu sha 1, sha 256, or sha 512 select \[ next ] and proceed to step 10 checking allow administrator interaction when the private key is accessed by the ca has no effect if you selected use existing private key , perform the following steps in the existing key window, change the cryptographic provider to futurex fxcl kmes cng clear the common name field and select \[ search ] locate the key you want to use from the search results select \[ next ] and proceed to step 10 checking allow administrator interaction when the private key is accessed by the ca has no effect in the ca name window, configure your pki names and select \[ next ] perform one of the following options if you selected root ca in step 6, the set the certificate validity period page opens designate the default validity for the root ca and select \[ next ] if you selected subordinate ca in step 6, the certificate request page opens optionally, perform the following tasks and then select \[ next ] you can choose a parent ca instance of ad cs on your domain to issue you a certificate you can save a certificate request to a file and have an external ca sign it in the certificate database window, select \[ next ] in the confirmation window, select \[ configure ] to confirm that the root ca was installed successfully, enter the following command in a command prompt certutil csptest csp "futurex fxcl kmes cng" rsa if the operation succeeds, the following message displays state 4 running for more information on installing and configuring active directory certificate services, refer to microsoft’s documentation