I have a scenario in which I would like some advice before moving on. We have a Server 2012 root CA that was put in about a year-year and a half ago and at the same time there was another 2008 R2 root CA that was installed on a DC that was hosting FSMO roles. Well that DC started to die so we transferred the FSMO roles and removed certificate services. However, we only uninstalled the role but as I understand, there is a bit of cleanup to do in AD beyond just removing the role. So when we started to perform the first step, I noticed remnants of old servers that are no longer around. I've discovered that our previous admin had made 3 other servers (I believe all 2003) that have all completely gone away and yet are still listed in the Trusted Root Certification Authorities on all computers and I find in the event log the following error when I log in to our domain machines of them trying to contact each of the old CA servers:
Certificate enrollment for Local system failed to enroll for a Machine certificate with request ID N/A from server.domain.org\server (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).
Now I have no way of knowing whether or not this admin actually properly removed the role before decommissioning these servers and I have no idea why we needed so many servers to be root CA's in the first place? Anyhow, I was wondering if the proper procedure would be to remove the root trusted certs from group policy and then clean up the remnant entries in AD as described in the Microsoft documentation of removing a root CA from your environment. I still see some errors and machines requesting to check for stuff like CRL with the most recent root CA that we removed so I just wanted to check to see if all of these errors will go away once we finish the cleanup and if there is anything special that needs to be done for the potentially orphaned root CA's. We did take a backup of the 2008R2 CA (the one that was on the dying DC) before we removed the role and I have confirmed that our production CA (the one that we would like to remain in production - is a sub CA of an offline root) has already issued new machine and DC certs to our domain machinese and domain controllers.
Sorry for the lengthy post. Please let me know if any more information is required and thank you in advance!