If anyone gets an access denied error at the last step (certutil -crl), then please reboot your Issuing CA server once and then issue the command again. I had this issue and apparently several other users had this too per various forums.
Thanks for the guide. One question: if IIS is already configured on the web server in Part 3 for publishing AIA & CDP, then why are you installing web enrollment again on the issuing CA server? Does it make more sense to use the web server for web enrollment?