Part two can be found here
The lab simulates a two-tier PKI where the root CA will be “offline.” The issuing CA is the Active Directory Domain Controller and will be online. User and computer certificates will be issued. Additionally, Cisco ISE will query AD for “attributes” used in the authorization policies.
Add the certificate authority (CA) role.
Reboot the server