delete OID objects?
Greetings, I'm managing a Win08/R2 single forest/single domain that has been around for several years. An administrator before my time once installed an Enterprise CA on the, at the time, Win03 DC. Later it was removed, and the DC was eventually demoted and retired. The root cert generated by this CA is now long expired, and I'm not concerned with any certs related to this CA instance. At this point, there are no CAs in the domain.

Now, we are interested in setting up a new Enterprise CA for the domain, and I want to clean up AD. Found the nice article http://support.microsoft.com/kb/555151 and followed the steps in it. The AIA, CDP, Cert Templates, Cert Authorities, Enrollment Services are all empty now. However, I'm seeing a couple of objects the article doesn't address, and want to know if they are safe to delete.

1) In the AD Sites and Services/Services/Public Key Services container, I see an OID container with 10 empty objects of object class "msPKI-Enterprise-Oid". Is it safe to, and should these be deleted, leaving the parent "OID" container there empty?

2) I also see a KRA container with two "msPKI-PrivateKeyRecoveryAgent" class objects, one with the name of the old CA cert and one with the name of the old retired DC. Is it safe to, and should these two be deleted, leaving the parent "KRA" container there empty?

Thanks for any advice...
February 15th, 2011 11:32am

1) If your previous PKI was decommissioned, it is safe to remove all subcontainers within the OID container. Once you install a new PKI, the installation wizard will add default OID values.

2) Definitely yes, because the old PKI is decommissioned.

http://en-us.sysadmins.lv
February 15th, 2011 11:40am
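
An added example, not part of the original thread: a PowerShell sketch that inventories the leftover objects in the OID and KRA containers discussed above, writes a record of them, and previews the deletion while leaving the parent containers in place. It assumes the ActiveDirectory module is available and that the account can read and modify the Configuration partition; the output file name `pki-leftovers.csv` is a placeholder.

```powershell
# Added example: inventory leftover PKI objects before deleting them.
# Assumption: ActiveDirectory module (RSAT) is installed; run as Enterprise Admin.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

function Get-PkiChildObject {
    param([Parameter(Mandatory = $true)][string]$Container)
    # OneLevel returns only the children, so the parent container is never selected.
    Get-ADObject -SearchBase "CN=$Container,$pkiBase" -SearchScope OneLevel -Filter * `
        -Properties displayName, whenChanged, 'msPKI-Cert-Template-OID'
}

# Guard: stop if any Enterprise CA is still published in Enrollment Services,
# because the cleanup is only appropriate once the old PKI is fully retired.
$publishedCAs = @(Get-PkiChildObject -Container 'Enrollment Services')
if ($publishedCAs.Count -gt 0) {
    $names = ($publishedCAs | ForEach-Object { $_.Name }) -join ', '
    throw "Enrollment Services still lists a CA: $names"
}

# Collect the children of the two containers the KB article does not cover.
$leftovers = @('OID', 'KRA' | ForEach-Object { Get-PkiChildObject -Container $_ })

# Keep a record of what is about to be removed (placeholder file name).
$leftovers |
    Select-Object Name, ObjectClass, whenChanged, 'msPKI-Cert-Template-OID', DistinguishedName |
    Export-Csv -Path .\pki-leftovers.csv -NoTypeInformation

$leftovers | Format-Table Name, ObjectClass, whenChanged -AutoSize

# Dry run: -WhatIf only prints what would be deleted. Remove -WhatIf after
# reviewing the list; the OID and KRA containers themselves stay in place.
$leftovers | Remove-ADObject -Recursive -WhatIf
```

The CSV is a record for review, not a restorable backup; take a system state backup of a DC first if the objects might need to be recovered.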

This topic is archived. No further replies will be accepted.
