Configure certificate auto-enrollment

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

Note

Before you perform this procedure, you must configure a server certificate template by using the Certificate Templates Microsoft Management Console snap-in on a CA that is running AD CS. Membership in both the Enterprise Admins and the root domain's Domain Admins group is the minimum required to complete this procedure.

Configure server certificate auto-enrollment

  1. On the computer where AD DS is installed, open Windows PowerShell®, type mmc, and then press ENTER. The Microsoft Management Console opens.
  2. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.
  3. In Available snap-ins, scroll down to and double-click Group Policy Management Editor. The Select Group Policy Object dialog box opens.

    Important

    Ensure that you select Group Policy Management Editor and not Group Policy Management. If you select Group Policy Management, your configuration using these instructions will fail and a server certificate will not be autoenrolled to your NPS servers.

  4. In Group Policy Object, click Browse. The Browse for a Group Policy Object dialog box opens.

  5. In Domains, OUs, and linked Group Policy Objects, click Default Domain Policy, and then click OK.
  6. Click Finish, and then click OK.
  7. Double-click Default Domain Policy. In the console, expand the following path: Computer Configuration, Policies, Windows Settings, Security Settings, and then Public Key Policies.
  8. Click Public Key Policies. In the details pane, double-click Certificate Services Client - Auto-Enrollment. The Properties dialog box opens. Configure the following items, and then click OK:

    1. In Configuration Model, select Enabled.
    2. Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.
    3. Select the Update certificates that use certificate templates check box.
  9. Click OK.

Configure user certificate auto-enrollment

  1. On the computer where AD DS is installed, open Windows PowerShell®, type mmc, and then press ENTER. The Microsoft Management Console opens.
  2. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.
  3. In Available snap-ins, scroll down to and double-click Group Policy Management Editor. The Select Group Policy Object dialog box opens.

    Important

    Ensure that you select Group Policy Management Editor and not Group Policy Management. If you select Group Policy Management, your configuration using these instructions will fail and a server certificate will not be autoenrolled to your NPS servers.

  4. In Group Policy Object, click Browse. The Browse for a Group Policy Object dialog box opens.

  5. In Domains, OUs, and linked Group Policy Objects, click Default Domain Policy, and then click OK.
  6. Click Finish, and then click OK.
  7. Double-click Default Domain Policy. In the console, expand the following path: User Configuration, Policies, Windows Settings, Security Settings, and then Public Key Policies.
  8. Click Public Key Policies. In the details pane, double-click Certificate Services Client - Auto-Enrollment. The Properties dialog box opens. Configure the following items, and then click OK:

    1. In Configuration Model, select Enabled.
    2. Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.
    3. Select the Update certificates that use certificate templates check box.
  9. Click OK.
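
One way to confirm on a domain member, once Group Policy has refreshed, that the three settings chosen in step 8 of both procedures actually arrived. This is an added example, not part of the original procedure; the `AEPolicy` registry location and the meaning of its bits are assumptions stated in the comments, and `Get-AutoEnrollmentState` is a hypothetical helper name.

```powershell
# Added example: decode the applied auto-enrollment policy for computer and user scope.
# Assumption: the GPO setting is stored as the DWORD "AEPolicy" under
#   <hive>\Software\Policies\Microsoft\Cryptography\AutoEnrollment
# Assumption (bit meanings): 0x8000 = Configuration Model "Disabled",
#   0x6 = renew expired / update pending / remove revoked,
#   0x1 = update certificates that use certificate templates.
function Get-AutoEnrollmentState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Computer', 'User')]
        [string]$Scope
    )

    $hive = if ($Scope -eq 'Computer') { 'HKLM:' } else { 'HKCU:' }
    $path = Join-Path $hive 'Software\Policies\Microsoft\Cryptography\AutoEnrollment'
    $item = Get-ItemProperty -Path $path -Name AEPolicy -ErrorAction SilentlyContinue

    # No value at all means the policy is "Not configured" for this scope.
    if ($null -eq $item) {
        return [pscustomobject]@{
            Scope = $Scope; Configured = $false; Raw = $null
            Enabled = $false; RenewAndCleanUp = $false; UpdateFromTemplates = $false
        }
    }

    $value = [int]$item.AEPolicy
    [pscustomobject]@{
        Scope               = $Scope
        Configured          = $true
        Raw                 = '0x{0:X}' -f $value
        Enabled             = ($value -band 0x8000) -eq 0
        RenewAndCleanUp     = ($value -band 0x6) -eq 0x6
        UpdateFromTemplates = ($value -band 0x1) -ne 0
    }
}

$results = 'Computer', 'User' | ForEach-Object { Get-AutoEnrollmentState -Scope $_ }
$results | Format-Table -AutoSize

# Warn for any scope that does not match Enabled plus both check boxes.
$results |
    Where-Object { -not ($_.Configured -and $_.Enabled -and
                         $_.RenewAndCleanUp -and $_.UpdateFromTemplates) } |
    ForEach-Object {
        Write-Warning ("{0} scope: auto-enrollment policy differs from the procedure (raw value: {1})" -f
            $_.Scope, $_.Raw)
    }
```

Run it in the session of the user whose policy you want to check; the User row reads that user's own hive.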

Next Steps

Refresh Group Policy