do i really NEED "certificate services" for my 2008r2 domain ?

[troyquigley]

i was wondering if i really NEED to install the certificate services role in 2008r2

what do i lose by not having it, and what do i gain by using it ?

 

[Eickst]

It's not something you just turn on, if you're not willing to plan out a proper PKI then I wouldn't worry about it.

The only time I have ever used them is for EAP-TLS wireless authentication. And if you go for PEAP instead you can just use a standalone CA.

 

[cyr0n_k0r]

enterprise certificates are no joke. If you're going to do it, do it right.

Set up a root CA, with sub CA's and configure your GPO's correctly. EAP-TLS wireless authentication is just one of the benefits of signing your own certificates for your domain.

How many users/devices and how big would the deployment be?

 

[DragonNOA1]

As people have stated, you lose the ability to give any server or service a cert; certain wireless auth/encryption types being the most used services that require certs.

 

[troyquigley]

i forgot to give enough relevant info.

we will NOT be using NPS (tried it and hated it)

we don't host our own website or email.

we are a small 40 desktop network with some people that connect via vpn, strictly to send in orders.

 

[ElvisG]

If you have to ask people on an Internet forum then no you don't need to use it. Like others have said, you better know what your dealing with PRIOR to installing AD CS. AD CS isn't like installing DHCP or IIS. My suggestion to you is to go buy a 70-640 book and read.