Planning your PKI
Since we are revolving all of our discussion in this book around Windows Server 2016, this certainly means that your CA server can and should be one provided by this latest and greatest of operating systems. As with most capabilities in Server 2016, the creation of a certification authority server in your network is as simple as installing a Windows role. When you go to add the role to a new server, it is the very first role in the list called Active Directory Certificate Services (AD CS). When installing this role, you will be presented with a couple of important options and you must understand the meaning behind these options before you create a solid PKI environment.
Enterprise versus standalone
When configuring your CA role for the first time, you will be presented with a big choice. Do you want this CA server to be an enterprise CA, or a standalone CA?
Let's start with the enterprise CA. As the wizard will tell you, an enterprise CA server must be a member of your domain...
