AD CS is Microsoft's PKI implementation — issues internal certificates for users, computers, and services within an AD environment.
AD CS misconfigurations are a major attack vector (ESC1–ESC8 vulnerabilities). Certificate templates with excessive permissions can lead to domain compromise. Audit AD CS regularly.