I have an AD setup that apparently has a vulnerability related to the Certificate Services feature. Thinking back through the MS Server courses I've sat, I don't remember anything on it, so I dug about online and I'm leaning towards "no".

I do not generate certs in-house for anything - workstations are allowed to Self-Sign, and my parent org has steps to follow for generating cert requests locally on our servers to be passed up the chain to a third-party CA. This seems to be the primary function of ADCS, and I don't appear to use it.

Users do not use PKI, only username and password, and it seems as if ADCS has something to do with authenticating CAs associated with smart card tokens. I might be mistaken, and it has nothing to do with this.

So is it safe to just remove ADCS? I believe it's just installed by default if you promote something to a Domain Controller (or at least add the role), but I can't think of any time I've interacted with it.

The DCs run Server 2012 and 2019 (with the former on the chopping block sometime in the near future, to be replaced by a Server 2019 one).


Solution 1:

It is safe to remove Active Directory Certificate Services. If you don't use it for any certifications, you can remove it. We recently removed it in our company when we changed our Domain Controllers and DHCP server, and everything is working just fine.
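Before taking the role off a DC it is worth confirming that nothing in the forest actually depends on it. The script below is an added example written for this thread, not something posted by either participant. It assumes it runs as a domain admin on a DC (or any host with the RSAT ActiveDirectory module) and only reports; it changes nothing. The checks it makes: whether any AD CS role service is installed at all (DC promotion does not install AD CS, it is a separately added role), which enterprise CAs are published in the configuration partition, how many issued certificates each CA database holds, and whether the local machine store contains certificates chained to one of those CAs.

```powershell
# Added example, not from the original thread: inventory AD CS usage before
# removing the role. Read-only. Assumes domain-admin rights and the RSAT
# ActiveDirectory module; certutil ships with Windows.

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Is any AD CS role service installed on this server? (Not installed by
#    DC promotion; somebody has to have added the role explicitly.)
$adcsFeatures = Get-WindowsFeature -Name 'ADCS-*' | Where-Object Installed
if ($adcsFeatures) {
    "Installed AD CS role services on ${env:COMPUTERNAME}:"
    $adcsFeatures | Format-Table Name, DisplayName -AutoSize
} else {
    "No AD CS role services are installed on $env:COMPUTERNAME."
}

# 2. Which enterprise CAs are published in the forest? Every enterprise CA
#    registers a pKIEnrollmentService object under Public Key Services; stale
#    entries also survive a CA that was uninstalled without being decommissioned.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$enrollBase = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
$cas = Get-ADObject -SearchBase $enrollBase `
        -LDAPFilter '(objectClass=pKIEnrollmentService)' `
        -Properties dNSHostName, certificateTemplates

if (-not $cas) {
    "No enterprise CAs are published in $configNC."
}

foreach ($ca in $cas) {
    "`nEnterprise CA '$($ca.Name)' on $($ca.dNSHostName)"
    "  Published templates: $(@($ca.certificateTemplates) -join ', ')"

    # 3. Count issued certificates in the CA database. Disposition 20 = issued.
    #    certutil's csv output carries a header row, so subtract one.
    $config = "$($ca.dNSHostName)\$($ca.Name)"
    $rows = certutil -config $config -view -restrict 'Disposition=20' `
                -out 'RequestID,CommonName,NotAfter' csv 2>$null
    if ($LASTEXITCODE -ne 0) {
        "  Could not query the CA database (service stopped or access denied)."
    } else {
        $issued = [Math]::Max(0, @($rows).Count - 1)
        "  Issued certificates in CA database: $issued"
    }
}

# 4. Does this machine's own store hold certificates issued by one of those
#    CAs? A hit means a service here (LDAPS, RDP, IIS, NPS) may still rely on it.
$caNames = @($cas | ForEach-Object Name)
if ($caNames) {
    $caPattern = ($caNames | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $local = Get-ChildItem Cert:\LocalMachine\My | Where-Object Issuer -match $caPattern
    if ($local) {
        "`nLocal machine certificates issued by an enterprise CA:"
        $local | Format-Table Subject, Issuer, NotAfter -AutoSize
    } else {
        "`nNo local machine certificates were issued by an enterprise CA."
    }
}
```

If the script reports no installed role services and no published CAs, there is nothing to remove. If it does find a CA with issued, unexpired certificates or published templates, that CA is in use somewhere and should be decommissioned properly (revoke or let certificates expire, unpublish the CA object from Public Key Services) rather than simply having the role uninstalled; uninstalling alone leaves the AD objects behind.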