Windows Server Core 2022--（1）安装AD DS和AD CS证书服务

Windows Server Core 2022--（1）安装AD DS和AD CS证书服务

1.安装AD DS:

Install-WindowsFeature -Name AD-Domain-Services

Install-ADDSForest -CreateDnsDelegation:$false -DomainMode WinThreshold -DomainName afd.ink  -DomainNetbiosName a -ForestMode WinThreshold -InstallDns:$true -NoRebootOnCompletion:$true -SafeModeAdministratorPassword (ConvertTo-SecureString "P@$$w0rd1!" -AsPlainText -Force) -Force:$true

Restart-Computer

set-ADUser administrator -PasswordNeverExpires  $true

New-ADUser -Name 'gazh' -SamAccountName 'gazh' -DisplayName 'gazh' -Enabled $True  -PasswordNeverExpires $True -UserPrincipalName 'gazh@afd.ink' -AccountPassword (ConvertTo-SecureString "P@$$w0rd1!" -AsPlainText -Force) -PassThru

$SUG = @()

$SUG = (Get-ADUser -Identity "Administrator" -Properties * ).MemberOf

ForEach ($Group in $SUG ) { Add-ADGroupMember -Identity $Group -Members "gazh"}

(Get-ADUser -Identity gazh -Properties *).MemberOf

2.安装ADCS:

Install-WindowsFeature AD-Certificate,ADCS-Cert-Authority,ADCS-Web-Enrollment

Install-AdcsCertificationAuthority  -ValidityPeriod  Years  -ValidityPeriodUnits 50 -CACommonName A-CA

配置 Certificate Authority Web Enrollment:

Install-AdcsWebEnrollment

certutil -getreg ca\ValidityPeriod

certutil -getreg ca\ValidityPeriodUnits

certutil -setreg ca\ValidityPeriodUnits 20

Restart-Service -name certsvc

dnscmd . /RecordAdd afd.ink ca A 192.168.111.10

Get-CACrlDistributionPoint | ?{$_.uri -like "-or $_.uri -like "ldap*"}

Add-CACrlDistributionPoint -Uri "-AddToCrlIdp:$false -AddToFreshestCrl:$true -AddToCertificateCdp:$true -Confirm -Force

Get-CAAuthorityInformationAccess | fl

Add-CAAuthorityInformationAccess -AddToCertificateOcsp:$true  -Uri "-Confirm -Force

Get-CAAuthorityInformationAccess | fl

Remove-CAAuthorityInformationAccess -Uri "-AddToCertificateAia -Uri "-AddToCertificateOcsp -Uri "| fl

Remove-CACrlDistributionPoint -URI "-Uri "-AddToCertificateCdp -AddToCrlIdp -AddToFreshestCrl

Restart-Service -name certsvc

新增和管理模板：

Install-Module -Name ADCSTemplate

Get-ADCSTemplate | select displayname

Export-ADCSTemplate -DisplayName "Web 服务器" > .\webserver_template.json

Export-ADCSTemplate -DisplayName "Web Server" > .\webserver_template.json

notepad .\webserver_template.json

替换pKIExpirationPeriod的值为Validity period时间由默认的2年改为20年：

将

"pKIExpirationPeriod":  [

0,

128,

114,

14,

93,

194,

253,

255

],

替换为：

"pKIExpirationPeriod":  [

0,

0,

121,

144,

162,

151,

233,

255

],

保存。

New-ADCSTemplate -DisplayName "Web20" -JSON (Get-Content .\webserver_template.json -Raw) -Publish

Set-ADCSTemplateACL -DisplayName Web20 -Type Allow -Identity 'a\Domain Users' -Enroll

Set-ADCSTemplateACL -DisplayName Web20 -Type Allow -Identity 'a\Domain Computers' -Enroll

申请证书：

创建CSR工具：create a policy file (.inf) in Notepad and save it as requestconfig.inf:

[Version]

Signature="$Windows NT$"

[NewRequest]

;Change to your,country code, company name and common name

Subject = "CN=afd.ink"

KeySpec = 1

KeyLength = 2048

Exportable = TRUE

MachineKeySet = TRUE

SMIME = False

PrivateKeyArchive = FALSE

UserProtected = FALSE

UseExistingKeySet = FALSE

ProviderName = "Microsoft RSA SChannel Cryptographic Provider"

ProviderType = 12

RequestType = PKCS10

KeyUsage = 0xa0

FriendlyName = "afd-ca"

[Extensions]

2.5.29.17 = "{text}"

_continue_ = "dns=afd.ink&"

_continue_ = "dns=*.afd.ink&"

_continue_ = "dns=nipit-&"

_continue_ = "dns=*.nipit-&"

_continue_ = "dns=ykx.ai&"

_continue_ = "dns=*.ykx.ai&"

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication / Token Signing

[RequestAttributes]

CertificateTemplate = Web20

SAN = "dns=afd.ink&dns=*.afd.ink&dns=nipit-&dns=*.nipit-&dns=ykx.ai&dns=*.ykx.ai"

2)On the computer for which you are requesting a certificate:

certreq –new requestconfig.inf certrequest.req

certreq -submit certrequest.req certnew.cer

3)导入导出证书：

Import-Certificate -FilePath .\afd-wildcard.cer -CertStoreLocation Cert:\LocalMachine\My

Get-ChildItem -Path Cert:\LocalMachine\My

Get-ChildItem -Path cert:\localMachine\my\266FBD875596D7029690CA907AA2977D35341788 | Export-PfxCertificate -FilePath .\afd-wildcard.pfx -Password (ConvertTo-SecureString -String "1234" -Force -AsPlainText)

Set-Location -Path cert:\localMachine\my

PS Cert:\localMachine\my>Import-PfxCertificate -FilePath c:\afd-wildcard.pfx -Password (ConvertTo-SecureString -String "1234" -Force -AsPlainText)

3.启用远程管理IIS--Enabling IIS Remote Management

Install-WindowsFeature  Web-Mgmt-Service

Set-ItemProperty -Path  HKLM:\SOFTWARE\Microsoft\WebManagement\Server -Name EnableRemoteManagement  -Value 1

Set-Service -name WMSVC  -StartupType Automatic -Status Running

New-NetFirewallRule -DisplayName "IIS Remote Management" -Direction Inbound  -Action Allow -Service  WMSVC

Copy-Item -Path C:\afd.ink.pfx  -Destination "\\$_\c$"

certutil -p P@$$w0rd1 -importpfx c:\afd.ink.pfx

Remove-Item -Path "\\$_\c$\afd.ink.pfx

Import-Module WebAdministration

Get-ChildItem -Path  Cert:\LocalMachine\My

Remove-Item -Path IIS:\SslBindings\0.0.0.0!8172

$cert = Get-ChildItem -Path  Cert:\LocalMachine\My | Where {$_.subject -like "*afd.ink*"} |  Select-Object -ExpandProperty Thumbprint

Get-Item -Path  "cert:\localmachine\my\$cert" | New-Item -Path IIS:\SslBindings\0.0.0.0!8172

Remove-Item -Path IIS:\SslBindings\0.0.0.0!8172

Get-Item -Path  "cert:\localmachine\my\$cert" | New-Item -Path IIS:\SslBindings\0.0.0.0!8172

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。