Certificate Authority Default Templates
I recently set up an EAP-TLS environment and had my certs auto-enroll through a GPO. It looks like a few of the default templates also sent certs to a few of my servers, mainly the Kerberos Authentication, Domain Controller and Directory Email Replication templates. What are these primarily used for, and are they okay to leave as installed certs if we don't need them? I can remove them if needed; I mainly did an auto-enroll so I could hit all my desktops with the cert needed for access.
July 9th, 2015 4:17pm
These certs might be used for any of the following scenarios:
1) LDAPS (LDAP over SSL)
2) Client smart card authentication (it is a mutual process, so the DC must have an appropriate certificate).
3) Intrasite replication by using SMTP.
It is ok to leave them on DCs.
July 9th, 2015 7:33pm
Great, thanks for the info. Paranoia usually gets the best of me!
July 9th, 2015 8:29pm
I always advocate removing the default templates on CAs if the template purpose is not needed in your environment. The templates are stored in AD, so they can easily be added back in the future when needed.
July 10th, 2015 8:22pm
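To see which template each auto-enrolled machine certificate came from before deciding what to keep or unpublish, the following is an added example and not part of the original thread. It assumes an elevated Windows PowerShell session on the server being checked; the last section assumes it is run on the CA itself with the ADCSAdministration module available, and `<TemplateName>` is a placeholder.

```powershell
# Added example: inventory machine certificates by the template that issued them.
# Microsoft template extensions carried in issued certificates:
#   1.3.6.1.4.1.311.20.2 = Certificate Template Name        (version 1 templates)
#   1.3.6.1.4.1.311.21.7 = Certificate Template Information (version 2+ templates)
$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'

$inventory = Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Pick the template extension if present; self-signed or third-party certs have none.
    $tmplExt = $cert.Extensions |
        Where-Object { $templateOids -contains $_.Oid.Value } |
        Select-Object -First 1
    $template = if ($tmplExt) { $tmplExt.Format($false) } else { '(no template extension)' }

    # The EKU list shows what the certificate can be used for
    # (e.g. Server Authentication for LDAPS, Smart Card Logon, KDC Authentication).
    $eku = ($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '

    [pscustomobject]@{
        Subject    = $cert.Subject
        Template   = $template
        EKU        = $eku
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
    }
}

$inventory | Sort-Object Template | Format-List

# On the CA: list the templates it is currently publishing (issuing).
Get-CATemplate | Sort-Object Name | Select-Object Name, Oid

# Unpublishing a template stops new issuance and renewal from this CA only.
# The template object stays in AD and can be re-published later with Add-CATemplate.
# Placeholder name; uncomment once nothing in the inventory depends on it.
# Remove-CATemplate -Name '<TemplateName>'
```

Unpublishing a template does not remove certificates that were already issued; those remain in the machine store until they expire or are deleted or revoked.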