We recently had an issue with a Windows 2008 r2 domain controller, and since we had domain controllers in other sites, rather than troubleshoot this issue further, the domain controller was decommissioned with the intention of promoting from surviving domain controller copies at other sites.
However, after the server was decommissioned with metadata cleanup and this servers roles seized to other domain controllers, it was discovered that this server was the certificate authority ca for the Domain. How can I readd Certificate Services to the domain without in validating existing certificates and services? We do a fair amount of file encrypting and use the encrypting file system.
When we went to add Certificate Services to the new domain controller that was promoted to replace the failed DC, Certificate Services asks if we want to " create a new private key or use an existing one"
What is the best way to proceed without invalidating issued certificates, and to prevent existing encrypted data from becoming un-decryptable?