Planning your PKI
Since we are revolving all of our discussion in this book around Windows Server 2019, this means that your internal CA server can and should be one provided by this latest and greatest of operating systems. As with most capabilities in Server 2019, the creation of a certification authority server in your network is as simple as installing a Windows role. When you go to add the role to a new server, it is the very first role in the list, Active Directory Certificate Services (AD CS). When installing this role, you will be presented with a couple of important options, and you must understand the meaning behind them before you create a solid PKI environment.
Your server's hostname and domain status cannot be changed after implementing the CA role. Make sure you have set your final hostname and joined this server to the domain (if applicable), prior to installing the AD CS role. You won't be able to change those settings later!
