If this domain controller is the first Windows Server 2008 R2 domain controller in the forest, you must prepare the forest for Windows Server 2008 R2 by extending the schema (that is, by running adprep /forestprep) on the schema operations master if this has not already been done. If this domain controller is the first Windows Server 2008 R2 domain controller in a Windows Server 2003 domain, you must prepare the domain by running adprep /domainprep on the infrastructure master.
I will be covering the final piece of the AD CS configuration, configuring CA Online Responder. This will include configuring the Certificate Autoenrollment using group policy; adding the Revocation Configuration to the OCSP Responder; and Verify the AD CS setup.
Setup Guide:1. Configure Certificate Autoenrollment using group policy
– Log onto the domain controller -> click Start ->Administrative Tools -> click Group Policy Management
– Expand the Group Policy Objects in the forest\domain containing the Default Domain Policy Group Policy object (GPO) -> Right-click the Default Domain Policy GPO -> click Edit
certutil -vocsprootcertutil -vocsproot delete2. Configure Certificate Template
– Open Server Manager -> Expand Roles, Active Directory Certificate Services -> Right-click the name of your CA -> click Properties
– Click the Extensions tab -> In the Select extension list, click Authority Information Access (AIA)
– Click Add -> In the Location box, type http:///ocsp (Note: ServerDNSName is the hostname of the Online Responder server) -> click OK