Hello there,
You can try to completely delete all your old certificates. Certutil deletedbad will just remove old invalid certificates from the DC.
Certutil tries to validate all the DC certificates that are issued to the domain controllers. Certificates that do not validate are removed. So if you are sure and confident that you do not have CA requirements and certificate requirements from the DC, you can run the command. However, as a precautionary step, I would always back up my DC and servers before I run the command or script.
You can look into this thread for a similar discussion: https://social.technet.microsoft.com/Forums/systemcenter/en-US/ed1b00b9-8036-4812-bc3e-b96e52cee14a/old-certificate-server-in-large-ad-environment-not-properly-removed?forum=winserverDS
How to move a certification authority to another server: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/move-certification-authority-to-another-server
I hope this information helps. If you have any questions please let me know and I will be glad to help you out.
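As an added example (not part of the original answer): before running a cleanup such as `certutil -dcinfo deleteBad`, the script below inventories the certificates in a domain controller's local machine store, records which ones fail a chain build, and saves a copy of each. The backup path `C:\CertBackup` is an assumption, and the chain check is a standard .NET validation used for review; it is not certutil's own logic.

```powershell
# Added example: run in an elevated PowerShell session on the domain controller.
# Assumption: C:\CertBackup is a hypothetical backup location; change as needed.
$backupDir = 'C:\CertBackup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

$report = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # Build the chain with default policy (online revocation checking).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $chain.Reset()

    # Export the public certificate only. Private keys are not included;
    # a system state backup of the DC is still needed to recover those.
    $file = Join-Path $backupDir ("{0}.cer" -f $cert.Thumbprint)
    Export-Certificate -Cert $cert -FilePath $file | Out-Null

    [pscustomobject]@{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        Expired     = ($cert.NotAfter -lt (Get-Date))
        ChainValid  = $chainOk
        ChainStatus = $status
        Thumbprint  = $cert.Thumbprint
        BackupFile  = $file
    }
}

# Keep a record of what was present before any cleanup.
$report | Export-Csv -Path (Join-Path $backupDir 'dc-cert-inventory.csv') -NoTypeInformation

# Certificates that fail validation are the ones to review first.
$report | Where-Object { -not $_.ChainValid } |
    Format-Table Subject, Issuer, NotAfter, ChainStatus -AutoSize
```

Reviewing the CSV first shows which certificates are likely to be affected and which issuing CA they came from.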