How can i test 'certutil -dcinfo deleteBad'
Hello,
In an AD environment I found old Windows CA entries from a test system (the test system doesn't exist anymore).
I removed the AD entries as explained here
http://support.microsoft.com/kb/555151/en-us
Now I still see both certs (the old one and the new one) on the DC with 'certutil -dcinfo', and the KDC entry from the new CA.
I probably have to remove the old CA entry with "certutil -dcinfo deleteBad".
But how can I test beforehand which entry will be deleted? I want to be sure that the command will delete the old CA entry and not the new one.
The output from 'certutil -dcinfo verbose' was not helpful for me.
Thanks in advance, Boris
July 7th, 2011 12:15pm
The command will delete invalid certificates (which cannot pass certificate chaining engine checking). Therefore, if the new certificate is marked as valid, it will remain after command completion.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
July 7th, 2011 12:38pm
But where can I see (before using this command) which certificates are valid for the computer? In the certificate MMC snap-in both look valid.
July 8th, 2011 4:05am
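A read-only way to answer the follow-up question, using the criterion the answer above gives (deleteBad removes certificates that fail certificate chaining engine checking). This is an added example, not code from the thread or from Microsoft; it assumes the certificates 'certutil -dcinfo' reports are the ones published in the DC computer object's userCertificate attribute, and that an X509Chain.Build() result approximates the chaining engine's verdict.

```powershell
# Added example (not from the thread): list the certificates published on a DC's
# computer object and run each one through the certificate chaining engine, so
# you can see which ones fail validation before running 'certutil -dcinfo deleteBad'.
# Assumptions: run as a domain user on a domain-joined machine; $DcName is the DC's
# sAMAccountName without the trailing '$'. Nothing is modified or deleted.
param(
    [string]$DcName = $env:COMPUTERNAME
)

# Locate the DC's computer object and read its userCertificate attribute (byte[] per cert).
$searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$DcName`$))"
$null = $searcher.PropertiesToLoad.Add('userCertificate')
$result = $searcher.FindOne()
if (-not $result) { throw "Computer object for '$DcName' not found in AD." }

$rawCerts = @($result.Properties['usercertificate'])
Write-Host ("{0} certificate(s) published on {1}" -f $rawCerts.Count, $DcName)

foreach ($bytes in $rawCerts) {
    # The unary comma keeps the byte[] as one constructor argument.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$bytes)

    # Build the full chain with online revocation checking, as the chaining engine
    # does for a machine certificate. An unreachable CRL from a decommissioned CA
    # shows up here as a chain error, which is the kind of cert deleteBad targets.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $valid = $chain.Build($cert)

    # Collect every reason the chain failed (empty when the chain is valid).
    $errors = $chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, "$($_.StatusInformation)".Trim() }

    [pscustomobject]@{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        Thumbprint  = $cert.Thumbprint
        ChainValid  = $valid                 # $false => would be judged invalid
        ChainErrors = ($errors -join '; ')
    }
    $chain.Reset()
}
```

Compare the Issuer column against the old and new CA names: the entry with ChainValid = $false (and errors such as an untrusted root or an unreachable CRL) is the one that fails chain validation.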
The problem has solved itself. The old cert no longer exists.
Probably during the night an automatic internal AD job cleaned the cert database.
Thanks, Boris
July 8th, 2011 7:31am