Installing an enterprise root CA in this manner automatically begins distributing that CA's root certificate to domain-joined machines.
I know one of the commenters, Brian Komar, a Microsoft security MVP and author of several books and guides on PKI for Windows.
We've met a few times and Komar has even spoken at the Tech Mentor conference, which, like magazine, is produced by 1105 Media.
Update (June 3, 2015): The original article stated you should install the AD CS role onto an existing DC.
Addendum (June 4, 2015): Once again, thanks to everyone for the lively conversation.
I believe commenter Paul Adare, also a Microsoft security MVP, and I have shaken hands at least once.
These two are experts at this technology, and I respect you (and everyone else) greatly for being so.
Authentication and the venerable domain controller have been inseparable concepts since the earliest days of the Windows Server OS. It remains difficult to authenticate against an on-premises AD when accessing cloud-based applications. We're long past the DC as the single authentication source for Windows environments.
You've now accomplished the barest configuration for deploying certificates throughout your domain. As Group Policy refreshes, each computer will request and be issued a unique computer certificate for use in any client computer authentication requirements. Whereas AD CS can deploy all manner of certificates for a variety of uses, this basic computer certificate is the foundation for numerous IT services.
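One way to confirm on a domain-joined machine that both things described above have happened, the root certificate arriving in the trusted root store and a computer certificate being issued, is the following check. It is an added example, not part of the original article; the CA common name `CONTOSO-ROOT-CA` is a placeholder, and the script assumes a single-tier enterprise root CA that issues the computer certificates directly.

```powershell
# Run from an elevated PowerShell prompt on a domain-joined machine.
# $CaCommonName is a placeholder (assumption): use your enterprise root CA's common name.
$CaCommonName  = 'CONTOSO-ROOT-CA'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# Optional: refresh now instead of waiting for the background Group Policy interval.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null             # triggers certificate autoenrollment

# 1. The root certificate should be in the machine's Trusted Root store.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*CN=$CaCommonName*" }
if (-not $root) {
    Write-Warning "Root CA '$CaCommonName' is not in LocalMachine\Root yet."
}

# 2. The machine should hold a certificate from that CA with a private key
#    and the Client Authentication EKU.
$machineCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Issuer -like "*CN=$CaCommonName*" -and
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid)
}
if (-not $machineCerts) {
    Write-Warning "No computer certificate issued by '$CaCommonName' in LocalMachine\My."
}

# 3. Build the chain for each match so that expiry, revocation and trust
#    problems show up here rather than when a service tries to use the cert.
foreach ($cert in $machineCerts) {
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]@{
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        ChainValid  = $chainOk
        ChainStatus = $status
    }
}
```

An empty result right after enabling autoenrollment usually means the policy has not yet applied; a certificate that is present but reports `ChainValid = False` points to a trust or revocation-checking problem instead.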