Help with decommissioning one of our CA servers
If you will not use this CA server, you need to remove all related objects, including CA certificates and CRLs.

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
September 29th, 2011 9:00am

Thanks for the reply! I will remove the objects for this old CA server. Would I still need to perform Step 7: Delete certificates published to the NtAuthCertificates object?
September 29th, 2011 9:13am

Yes, you need to perform all steps specified in the KB article.
September 29th, 2011 11:29am

Hi, I'm in the process of decommissioning one of our old domain controllers, but it holds a CA. We also have another CA server which is still in use on another server which I don't want to decommission. I've been following http://support.microsoft.com/kb/889250. On the CA server I want to decommission, I've revoked all the certs, confirmed that all the certs have expired, and uninstalled the service as directed in the KB and have got as far as Step 6: Remove CA objects from Active Directory.

The question I have is, do I only remove the object for the CA server I've decommissioned from the steps below or do I leave it in there?

Remove all Certification Services objects from Active Directory

Note: You should not remove certificate templates from Active Directory until after you remove all CA objects in the Active Directory forest.

To remove all Certification Services objects from Active Directory, follow these steps:

1. Determine the CACommonName of the CA. To do this, follow these steps:
   a. Click Start, click Run, type cmd in the Open box, and then click OK.
   b. Type certutil, and then press ENTER.
   c. Make a note of the Name value that belongs to your CA. You will need the CACommonName for later steps in this procedure.
2. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.
3. On the View menu, click Show Services Node.
4. Expand Services, expand Public Key Services, and then click the AIA folder.
5. In the right pane, right-click the CertificationAuthority object for your CA, click Delete, and then click Yes.
6. In the left pane of the Active Directory Sites and Services MMC snap-in, click the CDP folder.
7. In the right pane, locate the container object for the server where Certificate Services is installed. Right-click the container, click Delete, and then click Yes two times.
8. In the left pane of the Active Directory Sites and Services MMC snap-in, click the Certification Authorities node.
9. In the right pane, right-click the CertificationAuthority object for your CA, click Delete, and then click Yes.
10. In the left pane of the Active Directory Sites and Services MMC snap-in, click the Enrollment Services node.
11. In the right pane, verify that the pKIEnrollmentService object for your CA was removed when Certificate Services was uninstalled. If the object is not deleted, right-click the object, click Delete, and then click Yes.
September 29th, 2011 1:14pm
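
When two CAs share the same forest, it helps to list what each container from the steps above holds before deleting anything. The following read-only PowerShell inventory is an added example, not part of the thread or of the KB article; it assumes the ActiveDirectory module is installed, and the function name, parameters and sample values are hypothetical.

```powershell
# Added example: read-only inventory, nothing is deleted.
# Requires the ActiveDirectory module (RSAT). Parameter values are placeholders.
Import-Module ActiveDirectory

function Get-CAObjectInventory {
    param(
        [Parameter(Mandatory = $true)] [string] $CACommonName,  # Name value from certutil
        [Parameter(Mandatory = $true)] [string] $CAServerName   # host name of the old CA
    )

    $configNC = (Get-ADRootDSE).configurationNamingContext
    $pkiRoot  = "CN=Public Key Services,CN=Services,$configNC"

    # Containers from steps 4-11 of the KB procedure and the name expected in each.
    # The CDP folder holds one container per CA server, so match the host name there.
    $targets = @(
        @{ Container = 'AIA';                       Expect = $CACommonName },
        @{ Container = 'CDP';                       Expect = $CAServerName },
        @{ Container = 'Certification Authorities'; Expect = $CACommonName },
        @{ Container = 'Enrollment Services';       Expect = $CACommonName }
    )

    foreach ($t in $targets) {
        # List everything and compare client-side, so names containing quotes
        # cannot break an LDAP filter. Exact-name matching is an assumption:
        # review each row before deleting anything.
        Get-ADObject -SearchBase "CN=$($t.Container),$pkiRoot" -SearchScope OneLevel -Filter * |
            Select-Object @{ n = 'Container'; e = { $t.Container } },
                          Name, ObjectClass,
                          @{ n = 'BelongsToOldCA'; e = { $_.Name -eq $t.Expect } },
                          DistinguishedName
    }

    # Step 7: NtAuthCertificates is a single object holding many certificates,
    # so list its entries rather than the object itself.
    $ntAuth = Get-ADObject -Identity "CN=NTAuthCertificates,$pkiRoot" -Properties cACertificate
    foreach ($bytes in $ntAuth.cACertificate) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (, [byte[]]$bytes)
        $cert | Select-Object @{ n = 'Container'; e = { 'NTAuthCertificates' } },
                              @{ n = 'Name'; e = { $_.GetNameInfo('SimpleName', $false) } },
                              @{ n = 'ObjectClass'; e = { "cert $($_.Thumbprint)" } },
                              @{ n = 'BelongsToOldCA'; e = { $_.GetNameInfo('SimpleName', $false) -eq $CACommonName } },
                              @{ n = 'DistinguishedName'; e = { $_.Subject } }
    }
}

# Constructed sample values:
# Get-CAObjectInventory -CACommonName 'Old-Issuing-CA' -CAServerName 'OLDDC01' | Format-Table -AutoSize
```

Rows with BelongsToOldCA set to False belong to other CAs in the forest, such as the one still in service.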

This topic is archived. No further replies will be accepted.
