Part 1: Configure Active Directory Domain Services
The following sections cover administering Active Directory Domain Services and include instructions on how to install and configure Active Directory Domain Services, create service accounts, and add hosts to the DNS service:
In the examples below, the Active Directory Domain Services hostname is dsserver.yourcompany.com. The text enclosed in angle brackets should be replaced with names in your environment.
Step 1 - Install Active Directory Domain Services
The following covers how to install the Active Directory Domain Services.
If an Active Directory environment already exists, continue to Step 2 - Create Service Accounts to create service accounts.
Install Active Directory Domain Services
To install Active Directory Domain Services:
- Assign a static IP address for this host. 
- Give the host an appropriate computer name, in this example <dsserver>. 
- Open the Server Manager, click Add roles and features, and then click Next. 
- Select Role-based or feature-based installation and then click Next. 
- Select Select a server from the server pool, select this server, and then click Next. 
- Select Active Directory Domain Services. 
- When prompted to add required features, click Add Features. 
- Proceed to the Confirmation page and click Install. 
- When the installation completes, click Close. 
Configure Active Directory Domain Services
To configure Active Directory Domain Services:
- In the Server Manager notifications, a new task appears; click Promote this server to a domain controller. 
- Set the deployment operation to Add a new forest. 
- Enter the root domain name <yourcompany.com> and click Next. 
- Enter the Directory Services Restore Mode (DSRM) password <PASSWORD>, confirm the password, and then click Next. 
- When prompted with the warning "A delegation for this DNS server cannot be created", click Next. 
- Verify that the NetBIOS domain name is set to <YOURCOMPANY>, and then click Next. 
- Enter a location for the database, log files, and sysvol folders, and then click Next. 
- Review your selections and click Next. 
- Verify that all prerequisite checks passed successfully, then click Install. 
- When the installation completes, close the window; the server then reboots. 
Step 2 - Create Service Accounts
To create service accounts:
- Open the Server Manager and select Tools > Active Directory Users and Computers. 
- Navigate to <yourcompany.com> and select Users. 
- Click Action > New > User and add the following service accounts: 
 - Add a service account with the user login name (ra-service) and set the password to never expire. This account will be used for the EJBCA CEP and CES Servlets. 
 - Add a service account with the user login name (autoenrollmentbind) and set the password to never expire. This account will be used as the Active Directory Bind account. 
- Add the account (autoenrollmentbind) as a member of the Cert Publishers group. 
 - For simplicity, a single service account can be used for all permissions to reduce complexity when working on Active Directory permissions. If using a single service account, add this single account in all areas outlined going forward. 
Step 3 - Add Hosts to DNS Service
To add hosts to the DNS service, perform the following steps:
- Open the Server Manager and select Tools > DNS. 
- Expand your server name on the left-hand side, navigate to Forward Lookup Zones > yourcompany.com, and specify the following: 
 - Add a new host (A) record for each EJBCA server. 
 - Increment the serial number of the Start of Authority (SOA) record. 
Step 4 - Install Active Directory Certificate Services Tool
To install the Certificate Services tools, perform the following steps:
- Open the Server Manager and select Manage > Add Roles and Features. 
- The Add Roles and Features Wizard opens; click Next. 
- Select Role-based or feature-based installation and then click Next. 
- Select Select a server from the server pool, select this server, and then click Next. 
- Click Next to move to Features. 
- Expand Remote Server Administration Tools. 
- Expand Role Administration Tools. 
- Select Active Directory Certificate Services Tools, then click Next. 
- Proceed to the Confirmation page and click Install. 
- When the installation completes, click Close. 
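The same four steps as a PowerShell script, added here as an example and not part of the EJBCA documentation. It assumes the placeholder values yourcompany.com / YOURCOMPANY from the steps above, plus an EJBCA hostname ejbca01, the address 10.0.0.20 and the default NTDS/SYSVOL paths; passwords are prompted for rather than written into the script.

```powershell
# Added example (not from the EJBCA documentation): PowerShell equivalent of Steps 1-4.
# Run on the future domain controller as a local Administrator. Assumed values:
# yourcompany.com, YOURCOMPANY, ejbca01, 10.0.0.20 and the default database/log/SYSVOL paths.

# --- Step 1: install AD DS and create the forest (the host reboots when this completes) ---
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
$dsrm = Read-Host -Prompt "DSRM password" -AsSecureString   # prompted, never hard-coded
Install-ADDSForest -DomainName "yourcompany.com" -DomainNetbiosName "YOURCOMPANY" `
    -InstallDns -SafeModeAdministratorPassword $dsrm `
    -DatabasePath "C:\Windows\NTDS" -LogPath "C:\Windows\NTDS" -SysvolPath "C:\Windows\SYSVOL" `
    -Force   # -Force also acknowledges the "delegation cannot be created" DNS warning

# --- Run the remainder after the reboot, as a Domain Admin ---
Import-Module ActiveDirectory, DnsServer

# Step 2: the two service accounts, with non-expiring passwords as the procedure specifies.
$usersContainer = "CN=Users,DC=yourcompany,DC=com"
foreach ($name in "ra-service", "autoenrollmentbind") {
    $pw = Read-Host -Prompt "Password for $name" -AsSecureString
    New-ADUser -Name $name -SamAccountName $name `
        -UserPrincipalName "$name@yourcompany.com" -Path $usersContainer `
        -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true `
        -Description "EJBCA auto-enrollment service account"
}
# Only the bind account is added to Cert Publishers; ra-service gets no extra group membership.
Add-ADGroupMember -Identity "Cert Publishers" -Members "autoenrollmentbind"

# Step 3: A record for the EJBCA server, then bump the SOA serial number of the zone.
Add-DnsServerResourceRecordA -ZoneName "yourcompany.com" -Name "ejbca01" -IPv4Address "10.0.0.20"
$soaOld = Get-DnsServerResourceRecord -ZoneName "yourcompany.com" -RRType Soa
$soaNew = $soaOld.Clone()
$soaNew.RecordData.SerialNumber = $soaOld.RecordData.SerialNumber + 1
Set-DnsServerResourceRecord -ZoneName "yourcompany.com" -OldInputObject $soaOld -NewInputObject $soaNew

# Step 4: the AD CS management tools (RSAT) only; no certification authority role is installed here.
Install-WindowsFeature RSAT-ADCS, RSAT-ADCS-Mgmt

# Verification: confirm the accounts, the group membership and the DNS record.
Get-ADUser -Filter 'SamAccountName -eq "ra-service" -or SamAccountName -eq "autoenrollmentbind"' `
    -Properties PasswordNeverExpires | Select-Object SamAccountName, Enabled, PasswordNeverExpires
Get-ADGroupMember -Identity "Cert Publishers" | Select-Object SamAccountName
Resolve-DnsName -Name "ejbca01.yourcompany.com" -Type A
```

The script must be run in two sittings because Install-ADDSForest reboots the host; everything below the reboot comment belongs to the second run.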
Next: Group Policies and Certificate Templates
Next, find instructions on how to install and configure Certificate Enrollment Policies and the Policy Server in Part 2: Group Policies and Certificate Templates.