AD CS - How is the root CA certificate distributed to clients?

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

I'm trying to find out how the root CA is distributed to client computers?

I found a TechNet article: Enterprise certification authorities: Public Key that reads:

But in my lab I looked inside Default Domain Policy and can't find the CA certificate setting anywhere. I also disabled Default Domain Policy link in my domain and regenerated new CA certificate and it propagated to my lab workstation. So effectively, the CA certificate is distributed to clients even if all the GPO objects in a domain are disabled.

Can someone explain how AD CS distributes certificates to domain computers?

I'm currently doing some work with AD CS and while it's all working (good) and certificates are distributed to clients properly, I'd like to understand how.