I installed another Root-CA in the existing Forest. It is a W2K8R2 CA [enterprise].
I was trying to follow the steps provided by Microsoft, "How to demote a W2K3 CA", and I am at step 9 - Clean up DC
http://support.microsoft.com/kb/889250?wa=wsignin1.0
I found all the DCs were issued with a new cert from the old CA and it has not yet expired, but I have already demoted the old CA.
I tried certutil -dcinfo deletebad...and it is not deleting it.
My questions are:
1) Is there a way to safely remove those certs from the old CA?
2) If I remove it, will that cause any issues? They are production servers.
Much appreciated.