Windows Server 2012 Base Configuration Test Lab Mini-Module for a Basic PKI
This Test Lab Guide Mini-Module describes how to add a basic public key infrastructure (PKI) as an optional addition to the Windows Server 2012 base configuration test lab. If you are running the base configuration test lab in
a virtual environment, you can create snapshots of the virtual machines (VMs) for all of the test lab computers before performing the following procedure. There are two steps to adding a basic PKI deployment to the Windows Server 2012 Base Configuration test
1. Install an enterprise root certification authority (CA) on APP1.x
2. Enable computer certificate auto-enrollment for the corp.contoso.com domain, and verify computer certificate enrollment.
Step 1: Install an Enterprise Root CA on APP1
Do this step using Windows
To install the Certification Services server role on APP1
Windows PowerShell equivalent commands
The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear
word-wrapped across several lines here because of formatting constraints.
Install-WindowsFeature AD-Certificate -IncludeManagementTools
Step 2: Enable Computer Certificate Auto-enrollment
Next, configure Group Policy on DC1 so that domain members automatically request computer certificates.
To configure computer certificate auto-enrollment
7. Close Group Policy Management Editor and
Group Policy Management Console.
Configure a client-server authentication template for auto-enrollment on APP1
Next, configure a custom client-server authentication template that can be used by servers and clients in further test lab guides.
To configure the client-server authentication template
Snapshot the Configuration
This completes the Basic PKI configuration. To save this configuration for additional test labs, do the following:
For a list of all of the Windows Server 2012 TLGs, see
Windows Server 2012 Test Lab Guides in the TechNet Wiki.
This doesn't work well for me (tried in SCEP 2012 and SCSM 2012 TLGs, computers do not get their certificates). It is better to add AD CS role to DC1 and than add automatic certificate request for computers. Something like Base Config for Windows Server 2008 R2.