Kerberos uses certificates to encrypt communication between the Kerberos client and the Kerberos Key Distribution Center (KDC). If you’re domain controllers use certificate for KDC you can list them by runnning this script: $domains = (Get-ADForest).domains $dcs = (Get-ADForest).globalcatalogs $list