A little-known fact about Windows 2003 Standard and Enterprise is that the Standard edition cannot be an Enterprise Root Certificate Authority.
If you foresee a need for secure e-mail such as S/MIME and want to issue your own user certificates for digitally signing e-mail and roll them out automatically, then Windows XP workstations and Windows 2003 Enterprise are what you should be looking at.
The issues with remote users -- Outlook Web Access (OWA) and Terminal Server included -- make digital signing of e-mail a kludge at best. Many third-party tools are available, but many have limitations and require significant user input. For example, there may be issues with encryption in the Sent Items folder. Many people forget that the e-mail you send is encrypted with the recipient's public key. If you later need to review what was sent, that e-mail was encrypted with a key whose private half you do not hold, so you cannot decrypt and read it. The workaround is to send a carbon copy of the e-mail to yourself, which is not practical in terms of bandwidth and storage (and most users forget to copy themselves anyway). For users who work on several different PCs or connect back to the office through a Web browser and OWA or through Terminal Server, you have still more issues to contend with (for example, how many stations will need the third-party software installed?).
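The Sent Items problem described above comes from how S/MIME encryption works: the message body is encrypted under a one-time content-encryption key, and that key is wrapped to each recipient's public key, so a copy that was encrypted only to the recipient cannot be opened with the sender's private key. The Go program below is an added example, not code from the original article or from Microsoft. It models the CMS enveloped-data structure in simplified form (AES-GCM for the body, RSA-OAEP for the key wrap, with constructed identities alice and bob) and shows that the sender's copy becomes readable only when the sender's own key is added as an extra recipient, which is what an "encrypt to self" setting or the carbon-copy workaround achieves.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is a simplified model of an S/MIME (CMS EnvelopedData) message: the body is
// encrypted once under a random content-encryption key (CEK), and the CEK is wrapped
// separately to each recipient's RSA public key (map key = recipient identifier).
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedCEK map[string][]byte
}

func newGCM(cek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// mustKey generates a throwaway RSA key pair for the constructed identities.
func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Seal encrypts body for every key in recipients; the sender can only read it later if
// the sender's own public key is in the recipient set.
func Seal(body []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	buf := make([]byte, 32+12) // fresh AES-256 CEK followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	cek, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, body, nil), WrappedCEK: map[string][]byte{}}
	for name, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedCEK[name] = wrapped
	}
	return env, nil
}

// Open decrypts env as the holder of priv (identified by name); with no CEK wrapped to
// that identity there is nothing the private key can unwrap.
func Open(env *Envelope, name string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := env.WrappedCEK[name]
	if !ok {
		return nil, errors.New("message was not encrypted to " + name)
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// SentItemsDemo reproduces the Sent Items problem with two constructed identities,
// alice (sender) and bob (recipient), and reports who can read which copy.
func SentItemsDemo() (bobReads, aliceReadsRecipientOnly, aliceReadsWithSelf bool, err error) {
	alice, bob := mustKey(), mustKey()
	body := []byte("Q3 figures attached") // constructed sample message body
	// Case 1: encrypted to bob only, which is what lands in alice's Sent Items.
	toBob, err := Seal(body, map[string]*rsa.PublicKey{"bob": &bob.PublicKey})
	if err != nil {
		return
	}
	plain, e := Open(toBob, "bob", bob)
	bobReads = e == nil && string(plain) == string(body)
	_, e = Open(toBob, "alice", alice)
	aliceReadsRecipientOnly = e == nil
	// Case 2: the CEK is also wrapped to alice ("encrypt to self"), so her copy opens.
	toBoth, err := Seal(body, map[string]*rsa.PublicKey{"bob": &bob.PublicKey, "alice": &alice.PublicKey})
	if err != nil {
		return
	}
	plain, e = Open(toBoth, "alice", alice)
	aliceReadsWithSelf = e == nil && string(plain) == string(body)
	return
}
```

Calling SentItemsDemo() returns true, false, true: bob reads the recipient-only copy, alice cannot read that same copy from her Sent Items, and alice can read it once her own key was included as a recipient. The CEK is what makes the second case work; adding a recipient never re-encrypts the body, it only adds one more wrapped copy of the key, which is why encrypting to self costs almost nothing in message size.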
In an organization with several hundred people across several locations, issuing your own digital signature certificates via Auto Enrollment and Group Policy Objects (GPOs) may make the investment in a Windows 2003 Enterprise domain controller a wise one. If you are using Exchange 2003, you probably already have much of the infrastructure (Active Directory) in place or have plans to put it there.
The ability to use existing Active Directory credentials for users, to have sent e-mail automatically encrypted so the sender can read it from Sent Items after the fact, to store and archive the keys centrally, and to save the time and effort of having users obtain their own keys adds up to a significant cost saving. How do you deal with remote users in a Terminal Server session or OWA who need these features? Once again, issuing your own S/MIME digital signature certificates via GPO and publishing them to the directory allows them to be used in all of the above environments.
Once you have installed an Enterprise Root Certificate Authority, your next step is to become familiar with key archival and Auto Enrollment. If you already did this in the past with the Key Management Service (KMS) and want to migrate to a new Exchange environment, then this link is a good starting point for addressing all of these issues.