If you're implementing any of this in production, you probably have a domain controller and Certificate Authority in place already. Depending on what you plan on using ISE for though, there are settings that you might need to adjust. Since this is a lab environment that I'm setting up, I'm going to make an assumption that you (the reader) are setting up a lab as well and I will attempt to walk you through some of the things I do as I'm setting it up. I'll also try to call out things you might want to configure differently in production as I go.
For setting up the domain controller, I decided to use Microsoft Server 2012. For me, it made more sense to use the newest versions of software I could get my hands on, since these blog posts would probably remain relevant for a longer period of time. If you need to get a copy of Windows Server 2012, Microsoft does allow you to download evaluation copies off their site for use for 180 days.
In my lab, Server 2012 is installed as a VM on top of ESXi 6.0. I made sure that the NIC was assigned an IP address and ESXi had it on the right VLAN. In my lab, the IP address for my AD server is 10.1.100.40 and it's on VLAN 100.
The second thing I do is change the Computer Name before I make any role changes on the server. It's much less friendly to change it down the road after you've already promoted it to a domain controller or started issuing certificates from it. When the server initially boots up, it gives itself a self-generated name which you probably won't want to stick with. In my case, Server 2012 gave itself the name "WIN-AOK99N7QAB6", which I really didn't want to be referencing in later exercises, so I changed it to AD1 as you can see below:
Changing the computer name will usually prompt a restart. After this has completed, we are going to add some roles to our server.
Another housecleaning item to check here is the time/date on your server. If your new VM states it's January 1st of 2010, that's going to cause some huge problems when you add the Certificate Authority role and all the certificates are expired. ISE also requires that the clock difference between it and the Active Directory server be under 5 minutes, or else you won't be able to join the domain.
Open up Server Manager (if it didn't already open for you upon restart) and click on Add Roles and Features. From here, click Next until you get to Server Roles and check the box next to Active Directory Domain Services.
From here, click Next until you are at the Install screen. Usually, I just check the Restart the Destination Server automatically if required box before clicking Install and let it run through.
After the installation has finished, navigate back to the Server Management Dashboard and click on AD DS on the left-hand panel:
Click on the More link next to the Configuration required warning. On the next screen that pops up, click on Promote this server to a domain controller link.
On the first page, choose the radio button for Add a new forest and then enter the name of the domain you'd like to create. Typically, you'd want a name that isn't internet-reachable, but in my case I did something a little different by using the domain name securitydemo.net:
After clicking Next, you will configure your DSRM password on the next screen and click Next again. Click Next on the DNS page. Even though we haven't added the DNS role yet, the setup will automatically add the role and create the DNS records AD needs. Keep clicking Next all the way through to the Prerequisites page and then click Install.
After the install completes, the server should restart. After it restarts, go to the Start menu and open Active Directory Users and Computers. From here you can either create a new user or use your Administrator account. Pick one (new account or Administrator account) and add it to the IIS_IUSRS group.
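The same domain-controller steps, as an added PowerShell walkthrough that is not part of the original post. It uses the post's values (AD1, securitydemo.net) and assumes a dedicated service account named svc-ise for the later NDES/CES roles; the NetBIOS name SECURITYDEMO and the NTP server are also assumptions.

```powershell
# Added example: run from an elevated PowerShell on the freshly installed
# Server 2012 VM. Values not from the post are labelled as assumptions.

# 1. Rename the server BEFORE adding any roles; the rename forces a restart.
Rename-Computer -NewName "AD1" -Restart

# --- after the restart, continue here ---

# 2. Sanity-check the clock before AD DS / AD CS go on. A wrongly dated CA
#    issues unusable certificates, and ISE refuses to join a domain whose
#    DC is more than 5 minutes off from it.
Get-Date
w32tm /query /status            # current time source and last sync
# If the VM is off, point it at a reachable NTP source (assumed here) and
# force a resync before going any further:
# w32tm /config /manualpeerlist:"pool.ntp.org" /syncfromflags:manual /update
# w32tm /resync

# 3. Add the AD DS role (the GUI's "Add Roles and Features" step).
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# 4. Promote to a new forest. DNS is installed alongside, as the post notes.
#    -SafeModeAdministratorPassword is the DSRM password from the wizard.
Install-ADDSForest `
    -DomainName "securitydemo.net" `
    -DomainNetbiosName "SECURITYDEMO" `
    -InstallDns:$true `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM password") `
    -Force:$true
# The server restarts on its own when promotion completes.

# --- after the restart, continue here ---

# 5. Create a dedicated service account (assumed name: svc-ise) for NDES/CES
#    rather than reusing Administrator, and add it to IIS_IUSRS as required.
$pw = Read-Host -AsSecureString "svc-ise password"
New-ADUser -Name "svc-ise" -SamAccountName "svc-ise" `
    -AccountPassword $pw -Enabled $true
Add-ADGroupMember -Identity "IIS_IUSRS" -Members "svc-ise"

# 6. Quick verification that the DC and its DNS records came up.
Get-ADDomain | Select-Object DNSRoot, DomainMode, PDCEmulator
Resolve-DnsName -Name "_ldap._tcp.securitydemo.net" -Type SRV
```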
Open up Server Manager again and click on Add Roles and Features. This time, choose the check box next to Active Directory Certificate Services:
Click Next until you get to the Role Services window. Choose every check box next to all the services and then click Next:
Once again, I like to check the Restart the destination server automatically box since this is a lab and then click Install.
After the installation is complete, go to the AD CS link in Server Manager and click on the More link in the warning.
From the window that pops up, click on Configure Active Directory Certificates. Click Next on the menu and under Role Services, choose the first three options:
Click Next twice. Make sure the Enterprise CA and Root CA options are selected. Under Private Key, make sure the Create a new private key radio button is selected. Click Next all the way through to the Confirmation page and choose Configure.
After that is done, there should be a popup box that states Do you want to configure additional role servers? Choose Yes.
On this menu under Role Services, check the remaining three services:
On the next menu, you need to choose a service account for NDES. This could either be the user account you previously created and added to the IIS_IUSRS group, or it could be the Administrator account if you added that to the group instead.
After adding the NDES service account above, click Next all the way through until you get to the Service Account for CES. Enter the same account you used above for this as well.
On the Server Certificate step, highlight the existing SSL certificate. Note: this was created in the first round of adding roles to the Certificate Services. During that process, we opted to create a certificate, but in production you could potentially import a root certificate or choose various other options. For the sake of my lab I'm keeping it simple, but I did want to call out that in production you have many other options here.
Continue clicking Next until you get to the Progress screen and then choose Configure. After that completes, close the window.
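The two rounds of AD CS configuration above, as an added PowerShell equivalent that is not part of the original post. It assumes the service account svc-ise from the SECURITYDEMO domain is already in IIS_IUSRS; the CA name, key size, hash, validity period and the rule used to pick the SSL certificate are choices made here, not values from the post.

```powershell
# Added example: run from an elevated PowerShell on AD1 after the DC is up.

# 1. Add every AD CS role service (the post ticks all the boxes).
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment, ADCS-Online-Cert, `
    ADCS-Device-Enrollment, ADCS-Enroll-Web-Pol, ADCS-Enroll-Web-Svc `
    -IncludeManagementTools

# 2. First round: Enterprise Root CA with a NEW private key, then Web
#    Enrollment and the Online Responder. CA name/key parameters are assumed.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName "securitydemo-AD1-CA" `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force
Install-AdcsWebEnrollment -Force
Install-AdcsOnlineResponder -Force

# 3. Second round: NDES, then CEP and CES, running as the service account.
$svc  = "SECURITYDEMO\svc-ise"                       # assumed account
$cred = Get-Credential -UserName $svc -Message "NDES/CES service account"

# The wizard's "Server Certificate" page: pick the server's existing SSL
# certificate from the machine store (assumed here: subject starts with the
# host FQDN; adjust the filter if your certificate is named differently).
$ssl = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=AD1.securitydemo.net*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

Install-AdcsNetworkDeviceEnrollmentService `
    -ServiceAccountName $svc -ServiceAccountPassword $cred.Password -Force
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Kerberos `
    -SSLCertThumbprint $ssl.Thumbprint -Force
Install-AdcsEnrollmentWebService `
    -CAConfig "AD1.securitydemo.net\securitydemo-AD1-CA" `
    -AuthenticationType Kerberos `
    -ServiceAccountName $svc -ServiceAccountPassword $cred.Password `
    -SSLCertThumbprint $ssl.Thumbprint -Force

# 4. Verify the CA answers and the issued certificates are dated correctly
#    (the clock problem from earlier shows up here as odd NotBefore/NotAfter).
certutil -ping
Get-ChildItem Cert:\LocalMachine\My |
    Format-Table Subject, NotBefore, NotAfter, Thumbprint -AutoSize
```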