How to clean up missing CA from AD

Hello-
I have been managing a small network for about a year.  10 servers, 2 Win 2008R2 DCs, 1 Win 2003 DC, Exchange 2007.  The AD is in '2003' mode, I was planning to decom the last 2003 DC next week and move the AD to '2008R2' mode.  As I was looking over the event logs to clean up outstanding issues before the move, I have found an issue with my (inherited) CA infrastructure.
I transitioned my infrastructure from Exchange 2003 to Exchange 2007 a few months ago, and I properly removed the Exchange 2003 infrastructure from the AD.  I then reformatted and redeployed the server to a new role.  I did not realize that the prior admin or some other contractor had installed a CA on that server.  That CA is now gone, and no backups exist to restore.
I am seeing a few KDC eventID 20 errors ('The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found.') in the event log of the server I am going to dcpromo to a member server, and similar errors on my two 2008R2 DCs.  I see in the local cert store DC certificates issued by that missing CA.  The certificates expire in Nov 2010, so I have some time to deal with this, but am not sure how to proceed.
My original plan was to bring up a proper 2-tier CA infrastructure with an offline root CA, but am not quite ready for that... unless I have to do that work to clean up this situation.
Where can I find the steps to clean this up (remove the lost CA)?  I can see the steps to decommission an existing CA, but I cannot recover my old one to properly decommission it.  I want to get it into a state where I can bring up a new CA for future use.

I find references to 'certutil -dcinfo deleteBad' to remove old certificates from the servers, but if I do that without a replacement CA infrastructure in place will I cause a big problem from which I cannot recover?

Thanks for any assistance----!
Asked by Paul_Olson
Paranormastic (Cryptographic Engineer) commented:
How to decom a CA server properly from AD:
http://support.microsoft.com/kb/889250

If the CA is already off the network then skip to step 6.

Once the CA is out of AD, then run the certutil -dcinfo deletebad and reboot the DC and things should clear up for you, the DCs will go back to running like there was never a CA installed.  You can install the new PKI when you are ready to do so properly.
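The answer above points at KB 889250 for the AD side and at certutil -dcinfo for the DC side. The script below is an added example, not part of the thread and not Microsoft's own tooling: it inventories what the vanished CA left behind before anything is deleted, which is the check the asker wanted before running deleteBad. It assumes you run it elevated on a DC as an Enterprise Admin, that the CA's common name (the Issuer CN shown on the DC certificates) is passed as $CaName, and that nothing is removed unless -Remove is given. The NTAuthCertificates container holds the CA certificate as an attribute value rather than as a child object, so the script reports it and prints the certutil -viewdelstore call from the KB instead of touching it directly.

```powershell
# Added example: inventory (and optionally remove) the AD objects and local
# certificates left behind by an enterprise CA that no longer exists.
# Run from an elevated PowerShell on a DC as Enterprise Admin.
# $CaName is a placeholder for the exact CA common name (the Issuer CN on the
# DC certificates); nothing is deleted unless -Remove is supplied.
param(
    [Parameter(Mandatory)][string]$CaName,
    [switch]$Remove
)

$config = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$pks    = "CN=Public Key Services,CN=Services,$config"

# Escape the characters LDAP filters treat specially (RFC 4515).
$cnFilter = $CaName -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'

# 1. Objects the CA published into the Configuration partition:
#    CN=<CA>,CN=Certification Authorities  (objectClass certificationAuthority)
#    CN=<CA>,CN=AIA                        (objectClass certificationAuthority)
#    CN=<CA>,CN=Enrollment Services        (objectClass pKIEnrollmentService)
#    CN=<CA>,CN=<old host>,CN=CDP          (objectClass cRLDistributionPoint)
#    A subtree search keyed on the CA's CN finds all of them, including the
#    CRL object under the CDP container named after the reformatted host.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$pks"
$searcher.SearchScope = 'Subtree'
$searcher.Filter = "(&(cn=$cnFilter)(|(objectClass=certificationAuthority)" +
                   "(objectClass=pKIEnrollmentService)(objectClass=cRLDistributionPoint)))"
$stale = @($searcher.FindAll() | ForEach-Object { $_.GetDirectoryEntry() })

Write-Host "AD objects still referencing CA '$CaName': $($stale.Count)"
foreach ($obj in $stale) {
    Write-Host "  $($obj.distinguishedName)"
    if ($Remove) {
        $obj.DeleteTree()    # the ADSI Edit deletions of KB 889250, step 6 onward
        Write-Host "    removed"
    }
}

# 2. NTAuthCertificates stores CA certificates in the multi-valued
#    cACertificate attribute, so the old CA's cert must be pruned from the
#    attribute rather than deleted as an object; certutil does that.
$ntauth = [ADSI]"LDAP://CN=NTAuthCertificates,$pks"
$inNtAuth = @()
foreach ($raw in $ntauth.cACertificate) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
    if ($cert.Subject -like "*CN=$CaName*") { $inNtAuth += $cert }
}
if ($inNtAuth.Count -gt 0) {
    Write-Host "`nCA certificate still present in NTAuthCertificates; remove it with:"
    Write-Host "  certutil -viewdelstore `"ldap:///CN=NTAuthCertificates,$pks?cACertificate?base?objectClass=certificationAuthority`""
}

# 3. Certificates in this DC's machine store issued by the missing CA (the
#    ones KDC event 20 is about). Verify() builds the chain with revocation
#    checking, so it is false once the CA's CRL can no longer be fetched;
#    these are exactly the certificates 'certutil -dcinfo deleteBad' removes.
$orphans = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -like "*CN=$CaName*" })
Write-Host "`nLocal DC certificates issued by '$CaName': $($orphans.Count)"
foreach ($c in $orphans) {
    Write-Host ("  {0}  expires {1:yyyy-MM-dd}  chain valid: {2}" -f $c.Thumbprint, $c.NotAfter, $c.Verify())
}

Write-Host "`nOnce the AD objects above are gone, on each DC run:"
Write-Host "  certutil -dcinfo verify      # report only, nothing removed"
Write-Host "  certutil -dcinfo deleteBad   # removes DC certificates that fail to chain"
Write-Host "then reboot the DC."
```

Run it first without -Remove on each DC and read the three sections; the AD list should contain only entries for the lost CA, since the same subtree search would also match a CA that happens to share the name. Once the Configuration partition no longer references the CA, deleteBad only strips certificates the DCs cannot use anyway; the DCs fall back to plain Kerberos, as the answer says, and anything that needed a DC certificate (LDAPS, smart-card logon) stays without one until the new PKI issues replacements.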
