This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Is there a command to see servers with Certificate Authority Web Enrollment and/or Certificate Enrollment Web Service roles? I see that certutil.exe has a "Web Enrollment Servers" section is that where servers with the "Certificate Enrollment Web Service" should be listed? How about "Certificate Authority Web Enrollment"?
The simple answer is "no". Only CA role is registered in AD, thus CAs support auto-discovery. Other ADCS roles are not registered and doesn't support auto-discovery.
I guess you could query ad for computers that have delegation enabled on the computer object to narrow down the roles. What roles besides "Certificate Authority Web Enrollment" require the computer account to have delegation enabled?
This is the least reliable lookup option. ADCS web services apps often use service accounts with configured delegation. In addition, web services not always require delegation at all.