You have a Windows Server 2008 R2 Enterprise Root CA.
Security policy prevents port 443 and port 80 from being opened on domain controllers and on the
issuing CA .
You need to allow users to request certificates from a Web interface.
You install the Active Directory Certificate Services (AD CS) server role.
What should you do next?

A.
Configure the Online Responder Role Service on a member server.

B.
Configure the Online Responder Role Service on a domain controller.

C.
Configure the Certificate Enrollment Web Service role service on a member server.

D.
Configure the Certificate Enrollment Web Service role service on a domain controller.

Explanation:
http://technet.microsoft.com/en-us/library/dd759209.aspx
Certificate Enrollment Web Service Overview
The Certificate Enrollment Web Service is an ActiveDirectory Certificate Services (AD CS) role service that
enables users and computers to perform certificate enrollment by using the HTTPS protocol. Together with the
Certificate Enrollment Policy Web Service, this enables policy-based certificate enrollment when the client
computer is not a member of a domain or when a domain member is not connected to the domain.
Personal note:
since domain controllers are off-limits (regarding open ports), you are left to install the Certificate Enrollment
Web Service role service on a plain member server