PrepAway - Latest Free Exam Questions & Answers

You need to install the AD CS role as an Enterprise C

Your company has an Active Directory forest.
You plan to install an Enterprise certification authority (CA) on a dedicated stand-alone server.
When you attempt to add the Active Directory Certificate Services (AD CS) role, you find that the
Enterprise CA option is not available.
You need to install the AD CS role as an Enterprise CA.
What should you do first?

A.
Add the DNS Server role.

B.
Add the Active Directory Lightweight Directory Service (AD LDS) role.

C.
Add the Web server (IIS) role and the AD CS role.

D.
Join the server to the domain.

Explanation:
http://technet.microsoft.com/en-us/library/cc772393%28v=ws.10%29.aspx
Active Directory Certificate Services Step-by-Step Guide
http://kazmierczak.eu/itblog/2012/09/23/enterprise-ca-option-is-greyed-out-unavailable/
Enterprise CA option is greyed out / unavailable
Many times, administrators ask me what to do when, while installing Active Directory Certificate Services, they cannot
choose to install Enterprise Certification Authority, because it’s unavailable as in the following picture:

Well, you need to fulfill basic requirements:
Server machine has to be a member server (domain joined).
You can run an Enterprise CA on the Standard, Enterprise, or Data Center Windows
Edition. The difference is the number of ADCS features and components that can be
enabled. To get full functionality, you need to run on Enterprise or Data Center
Windows Server 2008 /R2/ Editions. It includes functionality like Role separation,
Certificate manager restrictions, Delegated enrollment agent restrictions,
Certificate enrollment across forests, Online Responder, Network Device
Enrollment.
In order to install an Enterprise CA, you must be a member of either Enterprise Admins
or Domain Admins in the forest root domain (either directly or through group
nesting).
If the issue still persists, there is probably a problem with getting correct credentials of your
account. There are many things that can cause it (network blockage, domain settings, server
configuration, and other issues). In all cases I got, this troubleshooting helped perfectly:
First of all, carefully check all above requirements.
Secondly, install all available patches and Service Packs with Windows Update
before trying to install Enterprise CA.
Check network settings on the CA Server. If there is no DNS setting, Certificate
Authority Server cannot resolve and find domain.
Sufficient privileges for writing the Enterprise CA configuration information in AD
configuration partition are required. Determine if you are a member of the Enterprise
Admins or Domain Admins in the forest root domain. Think about the account you
are currently trying to install ADCS with. In fact, you may be sure that your account is in the
Enterprise Admins group, but check how the CA Server “sees” your account membership
by typing
whoami /groups
You also need to be a member of the local Administrators group. If you are not, you
wouldn’t be able to run Server Manager, but it still needs to be checked.
View the C:\windows\certocm.log file. There you can find helpful details on problems with
group membership. For example, a status of
ENUM_ENTERPRISE_UNAVAIL_REASON_NO_INSTALL_RIGHTS indicates that
the needed memberships are not correct.
Don’t forget to check Event Viewer on the CA Server side and look for red lines.
Verify that network devices or software and hardware firewalls are not blocking access
from/to server and Domain Controllers. If so, Certificate Authority Server may not be
communicating correctly with the domain. To check that, simply run
nltest /sc_verify:DomainName
Check also whether Server CA is connected to a writable Domain Controller.
The Enterprise Admins group is the most powerful group and has the full control
permissions that ADCS requires, but who knows – maybe someone changed default permissions? Run
adsiedit.msc on a Domain Controller, connect to the default context and first of all check
if the CN=Public Key Service,CN=Services,CN=Configuration,DC=Your,DC=Domain,DC=Com
container exists. If so, check permissions for all subcontainers under
Public Key Service to see if the Enterprise Admins group has full control permissions. The
main subcontainers to verify are the Certificate Templates, OID, and KRA containers.
If none of the above tips help, disjoin the server from the domain and join it again. Ultimately, reinstall
the operating system on the CA Server.
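
The checks listed above can be collected into one pre-flight script. The following Windows PowerShell function is an added example, not part of the quoted blog post or the exam material; the function name Test-EnterpriseCaPrereq and the layout of its results are assumptions made for illustration, and it relies only on whoami, nltest, WMI and the certocm.log path named above.

```powershell
# Added example (not from the original post). Run elevated on the intended CA server.
function Test-EnterpriseCaPrereq {
    function New-Check($Name, $Pass, $Detail) {
        New-Object PSObject -Property @{ Check = $Name; Pass = $Pass; Detail = $Detail }
    }
    $results = @()

    # 1. The server must be a domain member.
    $cs = Get-WmiObject Win32_ComputerSystem
    $results += New-Check 'Domain joined' ([bool]$cs.PartOfDomain) $cs.Domain

    # 2. Without a DNS server the CA server cannot resolve and find the domain.
    $dns = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
        ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ })
    $results += New-Check 'DNS servers configured' ($dns.Count -gt 0) ($dns -join ', ')

    # 3. Group membership as this server sees it (whoami /groups), matched by
    #    well-known SID so localized group names do not matter. RID 519 is
    #    Enterprise Admins, RID 512 is Domain Admins; the RID alone does not prove
    #    that the Domain Admins group belongs to the forest root domain.
    $groups = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, SID, Attributes
    $checks = @(
        @('Enterprise Admins or Domain Admins', '^S-1-5-21-.+-(519|512)$'),
        @('Local Administrators', '^S-1-5-32-544$'))
    foreach ($c in $checks) {
        $hit = @($groups | Where-Object { $_.SID -match $c[1] })
        $names = ($hit | ForEach-Object { $_.Name }) -join ', '
        $results += New-Check "Member of $($c[0])" ($hit.Count -gt 0) $names
    }

    # 4. certocm.log: list every reason string found, and flag the one the post
    #    names. Entries from earlier install attempts may still be in the file.
    $log = Join-Path $env:windir 'certocm.log'
    $reasons = @()
    if (Test-Path $log) {
        $reasons = @(Select-String -Path $log -Pattern 'ENUM_ENTERPRISE_UNAVAIL_REASON_\w+' |
            ForEach-Object { $_.Matches[0].Value } | Select-Object -Unique)
    }
    $noRights = $reasons -contains 'ENUM_ENTERPRISE_UNAVAIL_REASON_NO_INSTALL_RIGHTS'
    $results += New-Check 'certocm.log: no NO_INSTALL_RIGHTS' (-not $noRights) ($reasons -join ', ')

    # 5. Secure channel to a domain controller. Pass reflects only the nltest
    #    exit code; read the status lines in Detail as well.
    if ($cs.PartOfDomain) {
        $out = (nltest "/sc_verify:$($cs.Domain)" 2>&1 | Out-String).Trim()
        $results += New-Check 'nltest /sc_verify' ($LASTEXITCODE -eq 0) $out
    }
    $results
}
Test-EnterpriseCaPrereq | Format-List Check, Pass, Detail
```

In a non-elevated session the local Administrators group can appear in the whoami output as deny-only, so review the group attributes there rather than relying on the SID match alone.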

