We have installed certs on all our AD controllers, mostly so we could do password change operations over LDAP.