By default our 2008 DCs are using the default Domain Controller cert which offers 1024-bit RSA. Our latest scans report this as a low vulnerability, but to try to be proactive we wish to move to 2048.

Unfortunately there is no way of editing the default template, and whilst we have a Domain Controller Authentication template and Directory E-mail Replication template which both offer the desired levels of encryption, we're having trouble forcing our DCs to choose either of these over the domain controller template.

Is the simplest way to achieve this to delete the Domain Controller template from being advertised? Or would this cause more problems than it could hopefully solve?