Q1: Yes, it is necessary to create an autoenrollment policy when using a custom template. However, you may not need to create a custom template. You can utilize the "Kerberos Authentication" certificate template, which should have the proper key length. It already has all the proper permissions. And remove the "Domain Controller" and "Domain Controller Authentication" templates from the CAs.
Q2: See above. Just remove unnecessary templates from the CAs.
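The steps in the answer above, as an added PowerShell example that is not part of the original answer. It assumes the ADCSAdministration module is available on the CA and that the templates carry their default internal names (`KerberosAuthentication`, `DomainController`, `DomainControllerAuthentication`); the function names are hypothetical.

```powershell
# Added example. Run the first function in an elevated session on each enterprise CA.
Import-Module ADCSAdministration

function Set-DcTemplatePublication {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumed default internal (CN) names of the built-in templates.
        [string[]]$Retire  = @('DomainController', 'DomainControllerAuthentication'),
        [string]  $Publish = 'KerberosAuthentication'
    )
    # Templates this CA currently issues.
    $published = (Get-CATemplate).Name

    # Publish the replacement first so DCs always have a template to enroll for.
    if ($published -notcontains $Publish -and
        $PSCmdlet.ShouldProcess($Publish, 'Publish template on this CA')) {
        Add-CATemplate -Name $Publish -Force
    }
    # Unpublish the older templates; the template objects in AD are left untouched.
    foreach ($name in $Retire) {
        if ($published -contains $name -and
            $PSCmdlet.ShouldProcess($name, 'Stop issuing template from this CA')) {
            Remove-CATemplate -Name $name -Force
        }
    }
    # Return the resulting published list for review.
    (Get-CATemplate).Name | Sort-Object
}

function Get-MachineCertKeySize {
    # Run on a domain controller to check the key length of its machine certificates.
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($_)
        [pscustomobject]@{
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
            RsaKeyBits = if ($rsa) { $rsa.KeySize } else { $null }  # null for non-RSA keys
            Thumbprint = $_.Thumbprint
        }
    }
}

# On each CA: preview the changes, then rerun without -WhatIf to apply them.
Set-DcTemplatePublication -WhatIf
# On a DC afterwards: trigger autoenrollment, then inspect the result.
#   certutil -pulse
#   Get-MachineCertKeySize | Format-Table -AutoSize
```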