Creating a Certificate Authority on a Domain Controller is not recommended by Microsoft, but small shops might not want to install a whole server just for the CA role.
One reason is that, once a machine is promoted to a DC, it no longer has local accounts, which IIS relies on. There is a workaround published in MS KB946139; however, the SamUpgradeTask.js script won't run on domains operating at a functional level higher than Windows Server 2003.
To work around this, you can modify the code in the script.
1. Copy and paste the SamUpgradeTask code (from the KB article) into a new notepad file and save it as SamUpgradeTask.js.
2. Look for the line:
if ( domainControllerFunctionality > 2 )
3. Change the 2 to a 6.
4. Execute the script.
5. Reboot the server.
To add a user to the IIS_IUSRS local group on a DC:
1. Launch AD Users and Computers.
2. Expand your domain (mydomain.co.uk in this example).
3. Click Builtin.
4. Double-click IIS_IUSRS.
5. Select the Members tab.
6. Click Add…
7. Add your required user.
8. Click OK, then OK again.
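As an added example (not from the original post or the KB article), the following PowerShell reads the same domainControllerFunctionality value that the script's threshold check compares against, shows who is already in the Builtin IIS_IUSRS group, and adds one account, so both procedures above can be done from the console. It assumes the ActiveDirectory module is available on the DC; the user name 'webenroll' is a placeholder.

```powershell
# Added example: check the functional-level threshold used by SamUpgradeTask.js
# and manage IIS_IUSRS membership on a DC. 'webenroll' is a placeholder account.
Import-Module ActiveDirectory

# RootDSE exposes domainControllerFunctionality as an integer:
# 0 = Windows 2000, 2 = Server 2003, 3 = 2008, 4 = 2008 R2,
# 5 = 2012, 6 = 2012 R2, 7 = 2016 and later.
$rootDse = [ADSI]"LDAP://RootDSE"
$dcLevel = [int]$rootDse.domainControllerFunctionality.Value

# The unmodified script bails out when the value exceeds 2 (Server 2003);
# the post raises that threshold to 6 (Server 2012 R2).
$originalThreshold = 2
$patchedThreshold  = 6
"domainControllerFunctionality = $dcLevel"
if ($dcLevel -gt $originalThreshold) {
    "Unmodified SamUpgradeTask.js would stop here (level > $originalThreshold)."
}
if ($dcLevel -gt $patchedThreshold) {
    Write-Warning ("Level $dcLevel also exceeds the patched threshold " +
                   "($patchedThreshold); raise it further before running the script.")
}

# On a DC, IIS_IUSRS lives under the Builtin container in AD, so the
# AD cmdlets manage it. Review existing members before adding anyone:
# every member here gets the IIS worker-process rights on the DC.
"Current IIS_IUSRS members:"
Get-ADGroupMember -Identity 'IIS_IUSRS' | Select-Object -ExpandProperty SamAccountName

# Add only the single account that needs it (placeholder name).
$user = Get-ADUser -Identity 'webenroll'
$already = Get-ADGroupMember -Identity 'IIS_IUSRS' |
           Where-Object { $_.distinguishedName -eq $user.DistinguishedName }
if (-not $already) {
    Add-ADGroupMember -Identity 'IIS_IUSRS' -Members $user
    "Added $($user.SamAccountName) to IIS_IUSRS."
}
```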