The previous sysadmin (now my boss) installed the CS role and created a self-signed CA cert on a DC to "play" with it. I need to decommission the DC (WS2008) and replace it with WS2012R2 and we don't want to migrate the CA if we don't have to.
There are active EFS certs for a handful of users as well as DC certs for the remote DCs.
My research leads me to believe this is the correct process to safely remove it from the domain:
1. Use cipher.exe to determine if any user files are encrypted and decrypt if necessary
2. Follow Microsoft's instructions to uninstall CA (revoke certs, etc.)
3. Delete DC certificates from the DCs
4. Delete EFS certificates from the users' machines
Is this correct? Are there any other caveats?
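
A read-only inventory for the cipher.exe check and the DC/EFS certificate cleanup listed in the post, as an added example that is not part of the original post. The CA common name is a placeholder and the function names are hypothetical; nothing here deletes or revokes anything.

```powershell
# Added example: read-only inventory before removing a CA.
# ASSUMPTION: $CaCommonName is a placeholder; set it to the CN of the CA being removed.
$CaCommonName = 'EXAMPLE-CA-PLACEHOLDER'
$EfsEkuOid    = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU

function Get-EfsEncryptedFile {
    # cipher /u /n lists encrypted files on local drives without updating keys.
    # Keep only output lines that resolve to a real path; header text is dropped.
    cipher.exe /u /n 2>$null |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and (Test-Path -LiteralPath $_ -ErrorAction SilentlyContinue) }
}

function Get-CertIssuedByCa {
    # Lists certificates in the given stores whose issuer is the CA being removed,
    # and flags the ones that carry the EFS enhanced key usage.
    param([string[]]$Store = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'))
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    foreach ($s in $Store) {
        Get-ChildItem -Path $s -ErrorAction SilentlyContinue |
            Where-Object { $_.Issuer -like "*CN=$CaCommonName*" } |
            ForEach-Object {
                $cert = $_
                $eku = @($cert.Extensions |
                    Where-Object { $_ -is $ekuType } |
                    ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
                New-Object psobject -Property @{
                    Store      = $s
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    IsEfs      = ($eku -contains $EfsEkuOid)
                }
            }
    }
}

# Files listed here must be decrypted while the EFS private key still exists.
$files = @(Get-EfsEncryptedFile)
"{0} EFS-encrypted path(s) found" -f $files.Count
$files

# Certificates that would be left behind by the CA removal.
Get-CertIssuedByCa | Sort-Object Store, NotAfter |
    Format-Table Store, IsEfs, NotAfter, Thumbprint, Subject -AutoSize
```

`Cert:\CurrentUser\My` is per-user, so the EFS part has to be run in each affected user's session; the `LocalMachine\My` part covers the DC certificates when run on each DC.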