A couple of days ago my manager asked me to work on decommissioning our last Server 2008 domain controller. While going through the server's configuration, I realized that at some point in time in the past, someone had installed the Active Directory Certificate Services role and this server has been issuing certificates. Since certificate management is not something I have a lot of experience in, I have a couple of questions:
1. What is the best way to stop this certificate server from issuing new certificates?
2. In researching how to decommission a certificate authority, it looks like the process is to revoke the issued certificates and extend the life of the CRL. If I revoke the certificates on this CA server, will the computers whose certificates have been revoked automatically get new certificates from our actual CA server?