How to clean up missing CA from AD

Hello-
I have been managing a small network for about a year.  10 servers, 2 Win 2008R2 DCs, 1 Win 2003 DC, Exchange 2007.  The AD is in '2003' mode, I was planning to decom the last 2003 DC next week and move the AD to '2008R2' mode.  As I was looking over the eventlogs to clean up outstanding issues before the move, I have found an issue with my (inherited) CA infrastructure.
I transitioned my infrastructure from Exchange 2003 to Exchange 2007 a few months ago, and I properly removed the Exchange 2003 infrastructure from the AD.  I then reformatted and redeployed the server to a new role.  I did not realize that the prior admin or some other contractor had installed a CA on that server.  That CA is now gone, and no backups exist to restore.
I am seeing a few KDC eventID 20 errors ('The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found.') in the eventlog of the server I am going to dcpromo to a member server, and similar errors on my two 2008R2 DCs.  I see in the local cert store DC certificates issued by that missing CA. The certificates expire in Nov 2010, so I have some time to deal with this, but am not sure how to proceed.
My original plan was to bring up a proper 2-tier CA infrastructure with an offline root CA, but am not quite ready for that... unless I have to do that work to clean up this situation.
Where can I find the steps to clean this up (remove the lost CA)?  I can see the steps to decommission an existing CA, but I cannot recover my old one to properly decommission it.  I want to get it into a state where I can bring up a new CA for future use.

I find references to 'certutil -dcinfo deleteBad' to remove old certificates from the servers, but if I do that without a replacement CA infrastructure in place will I cause a big problem from which I cannot recover?

Thanks for any assistance!
Asked by Paul_Olson
Paranormastic (Cryptographic Engineer) commented:
How to decom a CA server properly from AD:
http://support.microsoft.com/kb/889250

If the CA is already off the network then skip to step 6.

Once the CA is out of AD, then run the certutil -dcinfo deletebad and reboot the DC and things should clear up for you, the DCs will go back to running like there was never a CA installed.  You can install the new PKI when you are ready to do so properly.
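One way to inventory what the lost CA left behind, both in the DC's local store and in the AD containers that KB 889250 has you clean, before running the deleteBad step the answer describes. This is an added PowerShell example, not code from the thread; $LostCaName is a placeholder for the missing CA's common name as it appears on the "Issued By" line of the orphaned DC certificate.

```powershell
# Added example (not from the original thread). Read-only: it lists the
# certificates and AD objects the lost CA left behind so you can confirm
# what "certutil -dcinfo deleteBad" will remove. Run on a DC as an
# Enterprise Admin. $LostCaName is a placeholder for the old CA's name.
$LostCaName = 'OLD-EXCHANGE-CA'

# 1. Local machine store: certificates issued by the lost CA and whether a
#    chain can still be built. With the CA gone, expect PartialChain or
#    UntrustedRoot; those are the certificates deleteBad will clean up.
Write-Host "== LocalMachine\My certificates issued by $LostCaName =="
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -match "CN=$LostCaName" } |
    ForEach-Object {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Online revocation checking mirrors what the KDC does at validation time.
        $chain.ChainPolicy.RevocationMode = 'Online'
        $built = $chain.Build($_)
        if ($built) { $status = 'Valid' }
        else { $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',' }
        "{0}`n  Thumbprint: {1}`n  Expires: {2}`n  Chain: {3}" -f `
            $_.Subject, $_.Thumbprint, $_.NotAfter, $status
        $chain.Reset()
    }

# 2. AD configuration partition: the PKI containers KB 889250 steps 6+ cover.
#    Any hit here is an object that should be removed before deleteBad.
$rootDse = [ADSI]'LDAP://RootDSE'
$pki = "CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"
$containers = @(
    'CN=Enrollment Services',       # pKIEnrollmentService: the CA DCs enroll from
    'CN=Certification Authorities', # the CA's trusted-root object
    'CN=AIA',                       # published CA certificate
    'CN=CDP'                        # CRL object, nested under a container named after the CA host
)
Write-Host "`n== AD PKI objects still referencing $LostCaName =="
foreach ($c in $containers) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://$c,$pki")
    $searcher.Filter = "(cn=*$LostCaName*)"
    $searcher.SearchScope = 'Subtree'
    foreach ($hit in $searcher.FindAll()) { "  $($hit.Path)" }
}
# The CDP container for the old CA's host name remains after a CN match above;
# KB 889250 removes that too. NTAuthCertificates stores CA certs as attribute
# values rather than child objects: "certutil -viewstore -enterprise NTAuth" shows them.
```

Anything listed under section 2 is the residue that step 6 onward of KB 889250 removes; once those are gone, the section 1 certificates are what deleteBad clears on the next run.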