I set up a new PKI infrastructure using server 2012 including an offline root ca and an online intermediate ca however I've been looking into some issue today and see that I've also got a CA installed on a domain controller doesn't seem like a good thing to have?