PrepAway - Latest Free Exam Questions & Answers

You need to install the AD CS role as an Enterprise C


Your company has an Active Directory forest.
You plan to install an Enterprise certification authority (CA) on a dedicated stand-alone
server.
When you attempt to add the Active Directory Certificate Services (AD CS) role, you find that
the Enterprise CA option is not available.
You need to install the AD CS role as an Enterprise CA.
What should you do first?

A.
Add the DNS Server role.

B.
Add the Active Directory Lightweight Directory Service (AD LDS) role.

C.
Add the Web server (IIS) role and the AD CS role.

D.
Join the server to the domain.

Explanation:
http://technet.microsoft.com/en-us/library/cc772393%28v=ws.10%29.aspx
Active Directory Certificate Services Step-by-Step Guide
http://kazmierczak.eu/itblog/2012/09/23/enterprise-ca-option-is-greyed-out-unavailable/
Enterprise CA option is greyed out / unavailable
Many times, administrators ask me what to do when, while installing Active Directory Certificate
Services, they cannot choose to install an Enterprise Certification Authority because it is
unavailable, as in the following picture:

Well, you need to fulfill the basic requirements:
The server machine has to be a member server (domain joined).
You can run an Enterprise CA on the Standard, Enterprise, or Datacenter Windows Edition.
The difference is the number of ADCS features and components that can be enabled. To get
full functionality, you need to run on the Enterprise or Datacenter Windows Server 2008 / R2
Editions. That includes functionality like Role separation, Certificate manager restrictions,
Delegated enrollment agent restrictions, Certificate enrollment across forests, Online
Responder, and Network Device Enrollment. In order to install an Enterprise CA, you must be a
member of either Enterprise Admins or Domain Admins in the forest root domain (either
directly or through group nesting).
If the issue still persists, there is probably a problem with getting the correct credentials for
your account. There are many things that can cause it (network blockage, domain settings, server
configuration, and other issues). In all cases I got, this troubleshooting helped perfectly:

1. First of all, carefully check all the above requirements.

2. Secondly, install all available patches and Service Packs with Windows Update before trying
to install the Enterprise CA.

3. Check the network settings on the CA Server. If there is no DNS setting, the Certificate
Authority Server cannot resolve and find the domain.

4. Sufficient privileges for writing the Enterprise CA configuration information into the AD
configuration partition are required. Determine whether you are a member of Enterprise Admins
or Domain Admins in the forest root domain. Think about the account you are currently trying
to install ADCS with. In fact, you may be sure that your account is in the Enterprise Admins
group, but check how the CA Server "sees" your account membership by typing whoami /groups.

5. You also need to be a member of the local Administrators group. If you are not, you wouldn't
be able to run Server Manager, but it still needs to be checked.

6. View the C:\windows\certocm.log file. There you can find helpful details on problems with
group membership. For example, a status of
ENUM_ENTERPRISE_UNAVAIL_REASON_NO_INSTALL_RIGHTS indicates that the needed
memberships are not correct.

7. Don't forget to check the Event Viewer on the CA Server side and look for red lines.

8. Verify that network devices or software and hardware firewalls are not blocking access
to/from the server and the Domain Controllers. If they are, the Certificate Authority Server may
not be communicating correctly with the domain. To check that, simply run
nltest /sc_verify:DomainName. Also check whether the CA Server is connected to a writable
Domain Controller.

9. The Enterprise Admins group is the most powerful group and has the full control permissions
ADCS requires, but who knows – maybe someone changed the default permissions? Run
adsiedit.msc on a Domain Controller, connect to the default context and first of all check
whether the CN=Public Key Service,CN=Services,CN=Configuration,DC=Your,DC=Domain,DC=Com
container exists. If so, check the permissions on all subcontainers under Public Key Service to
see whether the Enterprise Admins group has full control permissions. The main subcontainers
to verify are the Certificate Templates, OID and KRA containers.

10. If none of the above tips help, disjoin the server from the domain and join it again.
Ultimately, reinstall the operating system on the CA Server.
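A PowerShell pre-flight script for the checks above (domain membership, DNS, secure channel, group membership as the server sees it, certocm.log, and the Public Key Services container), added here as an example; it is not code from PrepAway or the quoted blog post. It assumes an elevated PowerShell 3.0+ session on the intended CA server, needs no RSAT modules, and uses the container's actual name in the configuration partition, CN=Public Key Services.

```powershell
# Added example (not from PrepAway or the quoted blog): pre-flight checks for the
# Enterprise CA prerequisites, run in an elevated PowerShell session on the intended CA server.
# Assumes Windows Server with PowerShell 3.0 or later; no RSAT modules are required.
$results = [ordered]@{}

# 1. Domain membership (the prerequisite the question turns on).
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['DomainJoined'] = $cs.PartOfDomain
$domain = $cs.Domain

# 2. DNS: the server must be able to resolve its domain in order to locate a DC.
$results['DnsResolvesDomain'] = [bool](Resolve-DnsName -Name $domain -ErrorAction SilentlyContinue)

# 3. Secure channel to a DC; equivalent to 'nltest /sc_verify:<domain>'.
$results['SecureChannel'] = [bool](Test-ComputerSecureChannel -ErrorAction SilentlyContinue)

# 4. Group membership as the CA server "sees" it (what 'whoami /groups' lists).
#    Match on RIDs rather than display names: 519 = Enterprise Admins (forest root only),
#    512 = Domain Admins (this matches Domain Admins of any domain, not only the root).
$groups = whoami /groups /fo csv | ConvertFrom-Csv
$results['EnterpriseAdmins'] = [bool]($groups | Where-Object { $_.SID -like 'S-1-5-21-*-519' })
$results['DomainAdmins']     = [bool]($groups | Where-Object { $_.SID -like 'S-1-5-21-*-512' })
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$results['LocalAdministrators'] = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# 5. certocm.log: the status the blog post names when install rights are missing.
$log = 'C:\Windows\certocm.log'
$results['NoInstallRightsLogged'] = (Test-Path $log) -and
    [bool](Select-String -Path $log -Pattern 'ENUM_ENTERPRISE_UNAVAIL_REASON_NO_INSTALL_RIGHTS' -Quiet)

# 6. Public Key Services container and its main subcontainers in the configuration
#    partition, read via ADSI (adsiedit.msc shows the same objects).
if ($results['DomainJoined']) {
    $cfgNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $pks = "CN=Public Key Services,CN=Services,$cfgNC"
    $results['PublicKeyServicesExists'] = [ADSI]::Exists("LDAP://$pks")
    foreach ($sub in 'Certificate Templates', 'OID', 'KRA') {
        $results["Subcontainer:$sub"] = [ADSI]::Exists("LDAP://CN=$sub,$pks")
    }
}

# Anything reported False here should be fixed before retrying the AD CS role install.
$results.GetEnumerator() | ForEach-Object { '{0,-26} {1}' -f $_.Key, $_.Value }
```

The group checks reflect the token of the current session, so run it under the account you intend to install AD CS with, in an elevated session, or local Administrators will show as False even for a member.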

