Windows Server Core 2022 -- Installing AD DS and AD CS Certificate Services

This article walks through installing AD DS and AD CS Certificate Services on Windows Server Core 2022 from the command line (Core has no GUI consoles), then issuing a wildcard web-server certificate from the new CA and binding it to IIS remote management.
1. Install AD DS:
Install-WindowsFeature -Name AD-Domain-Services
# Single quotes matter for the password: in a double-quoted string PowerShell expands "$$" (an automatic variable) and silently changes it
Install-ADDSForest -CreateDnsDelegation:$false -DomainMode WinThreshold -DomainName afd.ink -DomainNetbiosName a -ForestMode WinThreshold -InstallDns:$true -NoRebootOnCompletion:$true -SafeModeAdministratorPassword (ConvertTo-SecureString 'P@$$w0rd1!' -AsPlainText -Force) -Force:$true
Restart-Computer
# Lab convenience only: a never-expiring password on the built-in Administrator is not advisable in production
Set-ADUser administrator -PasswordNeverExpires $true
New-ADUser -Name gazh -SamAccountName gazh -DisplayName gazh -Enabled $true -PasswordNeverExpires $true -UserPrincipalName gazh@afd.ink -AccountPassword (ConvertTo-SecureString 'P@$$w0rd1!' -AsPlainText -Force) -PassThru
# Copy every group membership of Administrator to gazh. This makes gazh a second full-privilege account
# (Domain Admins, Enterprise Admins, Schema Admins, Group Policy Creator Owners), so protect it like Administrator.
$SUG = (Get-ADUser -Identity "Administrator" -Properties MemberOf).MemberOf
ForEach ($Group in $SUG) { Add-ADGroupMember -Identity $Group -Members "gazh" }
(Get-ADUser -Identity gazh -Properties MemberOf).MemberOf
2. Install AD CS:
Install-WindowsFeature AD-Certificate,ADCS-Cert-Authority,ADCS-Web-Enrollment
# Enterprise root CA (the ADCSTemplate steps below need an enterprise CA). 50 years is an unusually long root lifetime;
# a key that has to stay secret that long deserves matching protection (an HSM, or at least a larger key).
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -ValidityPeriod Years -ValidityPeriodUnits 50 -CACommonName A-CA -Force
Configure Certificate Authority Web Enrollment:
Install-AdcsWebEnrollment -Force
# The CA caps the lifetime of every certificate it issues at ValidityPeriod x ValidityPeriodUnits (default 2 years),
# whatever the template says. Raise it to 20 years here, otherwise the 20-year template below is silently truncated.
certutil -getreg ca\ValidityPeriod
certutil -getreg ca\ValidityPeriodUnits
certutil -setreg ca\ValidityPeriodUnits 20
Restart-Service -Name certsvc
# DNS A record for the HTTP CDP/AIA host used below
dnscmd . /RecordAdd afd.ink ca A 192.168.111.10
# Show the CDP entries clients actually use (HTTP/LDAP), then add an HTTP CDP on the ca.afd.ink alias
Get-CACrlDistributionPoint | ? { $_.Uri -like "http*" -or $_.Uri -like "ldap*" }
Add-CACrlDistributionPoint -Uri "http://ca.afd.ink/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl" -AddToCrlIdp:$false -AddToFreshestCrl:$true -AddToCertificateCdp:$true -Force
Get-CAAuthorityInformationAccess | fl
# The .crt URL is an AIA (CA certificate) location, so it belongs under -AddToCertificateAia.
# -AddToCertificateOcsp would advertise it as an OCSP responder, which this setup does not have (no Online Responder role is installed).
Add-CAAuthorityInformationAccess -AddToCertificateAia:$true -Uri "http://ca.afd.ink/CertEnroll/<ServerDNSName>_<CAName><CertificateName>.crt" -Force


# Alternatively, keep the default <ServerDNSName> HTTP entries and re-create them with the desired flags:
Get-CAAuthorityInformationAccess | fl
Remove-CAAuthorityInformationAccess -Uri "http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CAName><CertificateName>.crt" -Force
Add-CAAuthorityInformationAccess -AddToCertificateAia -Uri "http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CAName><CertificateName>.crt" -Force
Get-CACrlDistributionPoint | fl
Remove-CACrlDistributionPoint -Uri "http://<ServerDNSName>/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl" -Force
Add-CACrlDistributionPoint -Uri "http://<ServerDNSName>/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl" -AddToCertificateCdp -AddToCrlIdp -AddToFreshestCrl -Force
# CDP/AIA changes only appear in certificates issued after the restart
Restart-Service -Name certsvc
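A practical check after reconfiguring CDP/AIA, added here as an example (it is not part of the original post): publish a fresh CRL and confirm that every .crl and .crt file in the CertEnroll folder is reachable at the HTTP location now written into certificates. The base URL, the ca.afd.ink alias from the DNS step and the default mapping of C:\Windows\System32\CertSrv\CertEnroll to /CertEnroll created by Web Enrollment are assumptions.

```powershell
# Added example (not from the original post): verify the HTTP CDP/AIA files the CA publishes are served.
# Assumes Web Enrollment's default CertEnroll virtual directory and the ca.afd.ink alias created above.

function Test-CAPublishedUrls {
    param([string]$BaseUrl = "http://ca.afd.ink/CertEnroll")   # assumed base URL
    $enrollDir = Join-Path $env:SystemRoot "System32\CertSrv\CertEnroll"
    foreach ($file in Get-ChildItem -Path $enrollDir -File | Where-Object { $_.Extension -in '.crl', '.crt' }) {
        $url = "$BaseUrl/$($file.Name)"
        try {
            # HEAD is enough to prove the file is reachable and not replaced by an error page
            $resp = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -ErrorAction Stop
            [pscustomobject]@{ File = $file.Name; Url = $url; Status = [int]$resp.StatusCode; Bytes = $file.Length; Detail = '' }
        } catch {
            [pscustomobject]@{ File = $file.Name; Url = $url; Status = 'FAILED'; Bytes = $file.Length; Detail = $_.Exception.Message }
        }
    }
}

certutil -CRL                                  # publish a fresh base and delta CRL into CertEnroll first
Test-CAPublishedUrls | Format-Table -AutoSize
```

A FAILED row for the delta CRL (its file name contains a "+") usually means IIS request filtering is rejecting the name; the Web Enrollment role normally enables allowDoubleEscaping for the CertEnroll directory. Once a certificate has been issued, certutil -verify -urlfetch on it is the definitive end-to-end test, because it retrieves every AIA and CDP URL embedded in the chain.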


Add and manage templates:
# ADCSTemplate is a PowerShell Gallery module that exports and imports certificate templates as JSON
Install-Module -Name ADCSTemplate
Get-ADCSTemplate | select DisplayName
# Template display names are localized by the language of the server that first installed AD CS; use whichever one matches
Export-ADCSTemplate -DisplayName "Web 服务器" > .\webserver_template.json
Export-ADCSTemplate -DisplayName "Web Server" > .\webserver_template.json
notepad .\webserver_template.json
Replace the value of pKIExpirationPeriod to change the validity period from the default 2 years to 20 years (the attribute is a negated, little-endian, signed 64-bit count of 100-ns intervals):

"pKIExpirationPeriod": [
    0,
    128,
    114,
    14,
    93,
    194,
    253,
    255
],
replace with:
"pKIExpirationPeriod": [
    0,
    0,
    121,
    144,
    162,
    151,
    233,
    255
],
Save.
New-ADCSTemplate -DisplayName "Web20" -JSON (Get-Content .\webserver_template.json -Raw) -Publish
# The identity must be quoted because of the space. Caveat: the Web Server template lets the requester supply the subject and SAN,
# so Enroll for every domain user and computer lets any account obtain a 20-year certificate for any internal hostname.
# Restrict Enroll to the servers (or the admins) that actually need it.
Set-ADCSTemplateACL -DisplayName Web20 -Type Allow -Identity 'a\Domain Users' -Enroll
Set-ADCSTemplateACL -DisplayName Web20 -Type Allow -Identity 'a\Domain Computers' -Enroll
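Hand-editing the byte array is error-prone, and the page gives no way to check it. The following is an added example (not from the original post or the ADCSTemplate module) that encodes and decodes pKIExpirationPeriod and patches the exported JSON directly; the JSON path and the 20-year value are the assumptions.

```powershell
# Added example (not from the original post or the ADCSTemplate module).
# pKIExpirationPeriod is a negated, little-endian, signed 64-bit count of 100-ns intervals,
# which is exactly a .NET TimeSpan.Ticks value with the sign flipped.

function ConvertTo-PkiExpirationPeriod {
    param([Parameter(Mandatory)][int]$Days)
    $ticks = (New-TimeSpan -Days $Days).Ticks
    [byte[]]$bytes = [BitConverter]::GetBytes([int64](-$ticks))
    if (-not [BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }   # AD stores the value little-endian
    return $bytes
}

function ConvertFrom-PkiExpirationPeriod {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Count -ne 8) { throw "pKIExpirationPeriod must be exactly 8 bytes, got $($Bytes.Count)" }
    [byte[]]$b = $Bytes.Clone()
    if (-not [BitConverter]::IsLittleEndian) { [Array]::Reverse($b) }
    $ticks = [BitConverter]::ToInt64($b, 0)
    return [TimeSpan]::FromTicks(-$ticks)
}

# Decode the two arrays shown above: the exported default and the replacement
$default     = [byte[]](0,128,114,14,93,194,253,255)
$twentyYears = [byte[]](0,0,121,144,162,151,233,255)
(ConvertFrom-PkiExpirationPeriod $default).TotalDays
(ConvertFrom-PkiExpirationPeriod $twentyYears).TotalDays
# Confirm the encoder reproduces the replacement array byte for byte
((ConvertTo-PkiExpirationPeriod -Days 7300) -join ',') -eq ($twentyYears -join ',')

# Patch an exported template JSON instead of editing bytes by hand (path and years are assumptions)
function Set-TemplateValidity {
    param([Parameter(Mandatory)][string]$JsonPath, [Parameter(Mandatory)][int]$Years)
    $template = Get-Content -Path $JsonPath -Raw | ConvertFrom-Json
    $template.pKIExpirationPeriod = [int[]](ConvertTo-PkiExpirationPeriod -Days (365 * $Years))
    # The renewal window (pKIOverlapPeriod) is left as exported. The CA still caps issued lifetime at its
    # own ValidityPeriod/ValidityPeriodUnits registry values; the shorter of template and CA wins.
    $template | ConvertTo-Json -Depth 10 | Set-Content -Path $JsonPath -Encoding UTF8
}
Set-TemplateValidity -JsonPath .\webserver_template.json -Years 20
```

The first array decodes to 730 days and the second to 7300 days, and the encoder produces the second array for 7300 days, so the manual edit above and the computed value agree. Because the CA applies its own cap, the certutil -setreg ca\ValidityPeriodUnits change is just as necessary as the template edit.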
Request a certificate:
CSR creation tool: https://www.digicert.com/StaticFiles/DigiCertUtil.zip
1) Create a policy file (.inf) in Notepad and save it as requestconfig.inf:
[Version]
Signature="$Windows NT$"
[NewRequest]
; Change to your country code, company name and common name
Subject = "CN=afd.ink"
KeySpec = 1
KeyLength = 2048
; Exportable is only needed because the key is later exported to a PFX for other servers; for a key that stays on this host use FALSE
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
; 0xa0 = Digital Signature + Key Encipherment
KeyUsage = 0xa0
FriendlyName = "afd-ca"
[Extensions]
; Subject Alternative Name (2.5.29.17) carried inside the CSR; this is what the CA honours for a template whose subject is supplied in the request
2.5.29.17 = "{text}"
_continue_ = "dns=afd.ink&"
_continue_ = "dns=*.afd.ink&"
_continue_ = "dns=nipit.cn&"
_continue_ = "dns=*.nipit.cn&"
_continue_ = "dns=ykx.ai&"
_continue_ = "dns=*.ykx.ai&"
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
[RequestAttributes]
CertificateTemplate = Web20
; The SAN request attribute is only honoured if the CA has the EDITF_ATTRIBUTESUBJECTALTNAME2 flag set. Leave that flag off:
; it lets any requester attach arbitrary SANs to any template, and the [Extensions] SAN above already covers this request.
SAN = "dns=afd.ink&dns=*.afd.ink&dns=nipit.cn&dns=*.nipit.cn&dns=ykx.ai&dns=*.ykx.ai"


2) On the computer for which you are requesting a certificate:
certreq -new requestconfig.inf certrequest.req
certreq -submit certrequest.req certnew.cer
# Install the issued certificate so it is linked to the private key generated by -new; without this step the .cer has no private key and cannot be exported to a PFX
certreq -accept certnew.cer
3) Import and export the certificate:
# Import-Certificate adds only the public certificate and does not attach a private key. If the request was made on this machine,
# certreq -accept on the issued .cer already placed the certificate in LocalMachine\My together with its key.
Import-Certificate -FilePath .\afd-wildcard.cer -CertStoreLocation Cert:\LocalMachine\My
Get-ChildItem -Path Cert:\LocalMachine\My
# Export with the private key (this is why the request set Exportable = TRUE). The PFX now holds the key for every domain in the SAN:
# use a real password rather than "1234", and delete the file once it has been imported elsewhere.
Get-ChildItem -Path Cert:\LocalMachine\My\266FBD875596D7029690CA907AA2977D35341788 | Export-PfxCertificate -FilePath .\afd-wildcard.pfx -Password (ConvertTo-SecureString -String "1234" -Force -AsPlainText)
Set-Location -Path Cert:\LocalMachine\My
Import-PfxCertificate -FilePath C:\afd-wildcard.pfx -Password (ConvertTo-SecureString -String "1234" -Force -AsPlainText)
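Before the certificate is copied anywhere, it is worth checking that the CA issued what was requested: the SAN list, the Server Authentication EKU, a linked private key, the expected lifetime, and a chain that validates with online revocation checking (which exercises the CDP/AIA URLs configured earlier). The following is an added example (not from the original post); the thumbprint is the one shown above and the expected DNS names are assumptions.

```powershell
# Added example (not from the original post): validate an issued web-server certificate before deploying it.
# Run on the machine that holds the private key. Thumbprint and expected names are placeholders.

function Test-IssuedWebCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string[]]$ExpectedDnsNames = @('afd.ink', '*.afd.ink')
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"

    # DnsNameList and EnhancedKeyUsageList are PowerShell's locale-independent views of the SAN and EKU extensions
    $sanNames   = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $serverAuth = [bool]@($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' })

    # Build the chain with online revocation checking: this fetches the CA certificate (AIA) and the CRL (CDP)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey      # false means certreq -accept (or certutil -repairstore) is still missing
        ServerAuth    = $serverAuth
        MissingNames  = @($ExpectedDnsNames | Where-Object { $_ -notin $sanNames })
        ValidityDays  = [int]($cert.NotAfter - $cert.NotBefore).TotalDays
        ChainOk       = $chainOk
        ChainErrors   = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
    }
}

Test-IssuedWebCertificate -Thumbprint '266FBD875596D7029690CA907AA2977D35341788' | Format-List
```

A ValidityDays value near 730 instead of 7300 means the CA's ValidityPeriodUnits cap was never raised, and a ChainErrors entry about revocation usually points at an unreachable CDP URL rather than at the certificate itself.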
3. Enable IIS Remote Management
Install-WindowsFeature Web-Mgmt-Service
Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\WebManagement\Server -Name EnableRemoteManagement -Value 1
Set-Service -Name WMSVC -StartupType Automatic -Status Running
New-NetFirewallRule -DisplayName "IIS Remote Management" -Direction Inbound -Action Allow -Service WMSVC
# Push the PFX to each web server and import it there. $_ only has a value inside a loop, so the three original lines are
# wrapped in ForEach-Object (server names are placeholders) and the import runs remotely through Invoke-Command.
# The password is single-quoted because "$$" would otherwise be expanded, and it must match the password used at export.
"web01", "web02" | ForEach-Object {
    Copy-Item -Path C:\afd.ink.pfx -Destination "\\$_\c$"
    Invoke-Command -ComputerName $_ -ScriptBlock { certutil -p 'P@$$w0rd1' -importpfx c:\afd.ink.pfx }
    Remove-Item -Path "\\$_\c$\afd.ink.pfx"
}
Import-Module WebAdministration
Get-ChildItem -Path Cert:\LocalMachine\My
# Replace the self-signed certificate WMSVC bound to port 8172 with the afd.ink certificate
Remove-Item -Path IIS:\SslBindings\0.0.0.0!8172
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*afd.ink*" } | Select-Object -First 1 -ExpandProperty Thumbprint
Get-Item -Path "Cert:\LocalMachine\My\$cert" | New-Item -Path IIS:\SslBindings\0.0.0.0!8172
Restart-Service -Name WMSVC
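To confirm the binding change took effect without a browser (Server Core has none), this added example (not from the original post) opens a TLS session to the WMSVC port and compares the certificate the service presents with the afd.ink certificate in the machine store. Host name and port are assumptions.

```powershell
# Added example (not from the original post): read the certificate presented on the WMSVC port and
# compare it with the afd.ink certificate in LocalMachine\My. Host and port are assumptions.

function Get-PresentedTlsCertificate {
    param([string]$ComputerName = 'localhost', [int]$Port = 8172)
    $client = [System.Net.Sockets.TcpClient]::new($ComputerName, $Port)
    try {
        # Accept any certificate in the callback: the point is to observe what is presented, not to trust it
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ param($sender, $cert, $chain, $errors) $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($ComputerName)
            $remote = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
            [pscustomobject]@{
                Subject    = $remote.Subject
                Thumbprint = $remote.Thumbprint
                NotAfter   = $remote.NotAfter
                Protocol   = $ssl.SslProtocol
            }
        } finally { $ssl.Dispose() }
    } finally { $client.Dispose() }
}

$presented = Get-PresentedTlsCertificate -ComputerName 'localhost' -Port 8172
$expected  = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -like '*afd.ink*' } | Select-Object -First 1
if ($presented.Thumbprint -eq $expected.Thumbprint) {
    "WMSVC on port 8172 presents $($presented.Subject) over $($presented.Protocol)"
} else {
    Write-Warning "Port 8172 still presents $($presented.Subject) [$($presented.Thumbprint)]; expected $($expected.Thumbprint). Restart WMSVC after changing the binding."
}
```

The same function works against any other TLS port on the domain's hosts, which makes it a quick way to find services still serving the old self-signed certificates after the wildcard PFX has been distributed.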

