Event ID 64 - CertificateServicesClient-AutoEnrollment - Cannot renew certificate
Our old enterprise root CA is no longer in service, so our domain controllers cannot renew their expired certificates as a "valid certification (CA) configured to issue certificates based on this template cannot be located..." Since the original Enterprise CA cannot be recovered, can I make one of our new DCs an Enterprise Root CA? I'm thinking that it will then be able to issue new certificates and I can delete these old expired certificates? Thanks!!
August 22nd, 2012 1:24pm

It's best practice not to install any other roles on the domain controller. Moreover, after installing the ADCS role on your DC, the domain controller can no longer be renamed or demoted.
August 22nd, 2012 2:36pm

Thank you for the suggestion, I will not install ADCS on our DC. Once I do install ADCS on another server, what process should I follow to make sure that our DCs autoenroll with it rather than the old Enterprise CA?
August 23rd, 2012 5:54pm

Is your old CA functional? If the new CA (which you are going to configure) is the only CA in your environment, then the domain controller certificate should be auto-enrolled. If it's not auto-enrolling, please check:
1) If the Domain Controller template is configured for auto-enrollment for domain controller machines.
2) If the CA is configured to issue the Domain Controller template.
3) If the auto-enrollment feature is configured for computer accounts for your domain.
4) Do a gpupdate /force.
You can refer to the link below for cleaning up expired domain controller certificates, but before deleting, make sure it's safe to delete the certificate: http://technet.microsoft.com/en-us/library/cc783979(v=ws.10).aspx
August 25th, 2012 11:57am
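
The checks listed in the reply above, as a PowerShell sketch to run elevated on a domain controller once the new CA is online. This is an added example, not part of the original thread; it assumes the default template name `DomainController` and that the autoenrollment events are written to the Application log.

```powershell
# Added example: autoenrollment diagnostics for a domain controller.
# Assumptions: default "DomainController" template, new Enterprise CA reachable.

# Check 2: templates the CA is configured to issue (filtered to the DC template).
# Check 1 (template permissions: Enroll/Autoenroll for Domain Controllers) is
# reviewed on the template's Security tab and is not scripted here.
certutil -CATemplates | Select-String -Pattern 'DomainController'

# Check 3: computer autoenrollment policy delivered by Group Policy.
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue
if (-not $ae) {
    Write-Warning 'No AEPolicy value: computer autoenrollment is not set by Group Policy.'
} elseif ($ae.AEPolicy -band 0x8000) {
    Write-Warning 'AEPolicy has the disabled flag (0x8000) set.'
} else {
    'AEPolicy = 0x{0:X}' -f $ae.AEPolicy
}

# Check 4: refresh policy, then trigger an autoenrollment pass.
gpupdate /force
certutil -pulse

# Most recent Event ID 64 entries from the autoenrollment client, to confirm
# whether the renewal failure is still being logged after the pulse.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    Id           = 64
}
Get-WinEvent -FilterHashtable $filter -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

# Certificates in the computer store with issuer and expiry, so certificates
# from the old CA can be identified before any cleanup.
Get-ChildItem Cert:\LocalMachine\My |
    Sort-Object NotAfter |
    Select-Object Subject, Issuer, NotAfter, Thumbprint,
        @{ Name = 'Expired'; Expression = { $_.NotAfter -lt (Get-Date) } } |
    Format-List
```

Compare the `Issuer` field in the last listing against the new CA's name before deleting anything: only certificates issued by the retired CA are cleanup candidates.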

Our old CA is not functional. Thank you for your suggestions, I will build a new CA and clean up the old certificates once I see that the new CA is auto-enrolling.
August 29th, 2012 12:17pm
