Install and configure AD CS
Active Directory Domain Services (AD DS) must be installed before proceeding. This is because Intune requires an Enterprise CA, which must be joined to an Active Directory (AD) domain. This section describes the tasks to install and configure AD CS.

Install AD CS

Perform the following steps to install AD CS:

1. Select Start > Administrative Tools > Server Manager and then Manage.
2. Select Add Roles and Features.
3. When the Before You Begin box opens, select [ Next ].
4. Choose one of the following installation types:
   - Role-based installation
   - Feature-based installation

   Select [ Next ].
5. In the Server Selection window, select the server from the domain (or local machine) on which to install AD CS. Select [ Next ].
6. In the Server Roles window, select the checkbox next to Active Directory Certificate Services. Select [ Next ] and [ Add Features ].
7. In the Features window, select [ Next ].
8. In the AD CS window, select [ Next ].
9. In the Role Services window, select Certificate Authority. Select [ Next ].
10. In the Confirmation window, select [ Install ].
11. After the installation completes, select [ Close ].

Configure AD CS

Perform the following steps to configure the new AD CS installation with a public key infrastructure (PKI):

1. Select Start > Administrative Tools > Server Manager.
2. Select the flag icon to the left of Manage. Select Configure Active Directory Certificate Services on the destination.
3. In the Credentials window, ensure your login meets the displayed requirements and press [ Next ].
4. In the Select Role Services window, select Certificate Authority to enable the management and issuance of certificates, and select [ Next ].
5. In the Specify Setup Type window, you must set the type. The type designates the kind of certificate authority server. You must create an Enterprise CA, which is integrated with Active Directory. Standalone CAs are not supported for Intune certificate flows. Select [ Next ].
6. In the Specify CA Type window, select Root or Subordinate:
   - Select Root if you have not yet created a PKI.
   - Select Subordinate if you are integrating with an existing PKI.

   Select [ Next ].
7. In the Set Up Private Key window, select Use existing private key or Create a new private key:
   - Select Use existing private key if you have integrated this CA with the {{futurex}} hardware previously and the private key already exists on the {{k3}} (for example, this is a reinstallation of the CA server). Then, choose Select an existing private key on this computer and proceed to step 8.
   - If this is a new CA, select Create a new private key and proceed to step 9.

   Select [ Next ].
8. If you selected Create a new private key, perform the following steps:
   a. In the Configure Cryptography for CA window, choose Futurex FXCL KMES CNG from the drop-down menu.
   b. Select a key character length: 2048, 3072, or 4096.
   c. Select a hash algorithm from the drop-down menu: SHA-1, SHA-256, or SHA-512.
   d. Select [ Next ] and proceed to step 10.

   Checking Allow administrator interaction when the private key is accessed by the CA has no effect.
9. If you selected Use existing private key, perform the following steps:
   a. In the Existing Key window, change the cryptographic provider to Futurex FXCL KMES CNG.
   b. Clear the Common Name field and select [ Search ].
   c. Locate the key you want to use from the search results.
   d. Select [ Next ] and proceed to step 10.

   Checking Allow administrator interaction when the private key is accessed by the CA has no effect.
10. In the CA Name window, configure your PKI names and select [ Next ].
11. Perform one of the following options:
    - If you selected Root CA in step 6, the Set the Certificate Validity Period page opens. Designate the default validity for the root CA and select [ Next ].
    - If you selected Subordinate CA in step 6, the Certificate Request page opens. Optionally, perform the following tasks and then select [ Next ]:
      - You can choose a parent CA instance of AD CS on your domain to issue you a certificate.
      - You can save a certificate request to a file and have an external CA sign it.
12. In the Certificate Database window, select [ Next ].
13. In the Confirmation window, select [ Configure ].

To confirm that the root CA was installed successfully, enter the following command in a command prompt:

    certutil -csptest -csp "Futurex FXCL KMES CNG" rsa

If the operation succeeds, the following message displays:

    state 4 running

For more information on installing and configuring Active Directory Certificate Services, refer to the Microsoft documentation: technet.microsoft.com/en-us/library/cc772393(v=ws.10).aspx
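
A post-configuration check for the CA built by the steps above, as an added example that is not part of the original documentation or Futurex's own tooling. It assumes it runs elevated on the CA server, reads the standard AD CS registry values under CertSvc\Configuration, and treats a SHA1 signing hash as a finding (an added recommendation, since the wizard still offers SHA-1); the function name Test-CaConfiguration is hypothetical.

```powershell
# Added example: verify the CA is an Enterprise CA whose key lives in the
# provider named on this page. Not vendor code; run on the CA server.
$ExpectedProvider = 'Futurex FXCL KMES CNG'   # provider name taken from the steps above
$ConfigRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Test-CaConfiguration {
    param(
        [int]$CAType,
        [string]$Provider,
        [string]$HashAlgorithm,
        [string]$ServiceStatus
    )
    $findings = @()
    # CAType: 0 = Enterprise Root, 1 = Enterprise Subordinate, 3/4 = Standalone
    if ($CAType -notin 0, 1) {
        $findings += "CAType $CAType is not an Enterprise CA; Intune certificate flows need one."
    }
    # A different provider means the CA private key is not held by the HSM-backed KSP
    if ($Provider -ne $ExpectedProvider) {
        $findings += "CA key provider is '$Provider', expected '$ExpectedProvider'."
    }
    # Assumption of this example: SHA1 is flagged even though the wizard offers it
    if ($HashAlgorithm -eq 'SHA1') {
        $findings += 'CA signs with SHA1; prefer SHA256 or SHA512.'
    }
    if ($ServiceStatus -ne 'Running') {
        $findings += "CertSvc service is $ServiceStatus, not Running."
    }
    return $findings
}

# 'Active' holds the name of the CA configured on this server
$caName = (Get-ItemProperty -Path $ConfigRoot -Name Active).Active
$ca     = Get-ItemProperty -Path (Join-Path $ConfigRoot $caName)
$csp    = Get-ItemProperty -Path (Join-Path $ConfigRoot "$caName\CSP")

$findings = Test-CaConfiguration -CAType $ca.CAType -Provider $csp.Provider `
    -HashAlgorithm $csp.CNGHashAlgorithm -ServiceStatus (Get-Service CertSvc).Status

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "CA '$caName' is an Enterprise CA using $ExpectedProvider with $($csp.CNGHashAlgorithm)."
```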