Hello Garry O'Neill,
Thank you for posting in the Q&A forum.
Q1: On the old CA all of the templates have been loaded but on the new CAs they are not.
Do I need to load all of the templates that I can see on the old CA server to the new CA servers?
A1: What did you mean by "load" all of the templates? Did you mean right-clicking the "Certificate Templates" container and selecting "New" - "Certificate Template to Issue"? If so, you can load all of the templates, because after the old CA is decommissioned, you will use the new CA to issue certificates to all the end entities.
Q2: Are they all needed? Do I now need to add these to my new CAs?
A2: If these templates are in use on the old CA, you can load them now or before the old CA is decommissioned.
There may be some certificate templates that are on the old CA but are not in use and that you will not use in the future; you do not need to load such certificate templates.
Q3: Which suggests to me that all of those default ones don't really need to be loaded?
A3: If the default certificate templates are in use and you will need them in the future, you need to load them.
Q4: And as part of the decommissioning process, do I then remove all of these templates from the old CA?
A4: I think you do not need to, because the certificate templates are stored in the AD configuration partition in the forest, and you will need them on the new CA.
Q5: Would I then create a new user and computer template on each new CA server and then add the old user and computer templates as superseded templates?
A5: You can use the old user and computer templates, or you can create/duplicate new user and computer templates if any settings on the old user and computer templates do not meet your requirements.
Note:
1. Certificate templates are stored in the AD configuration partition; all the PKI structures (if you have more than one PKI structure) share the same templates.
2. You can use these templates on any CA server. You can also create/duplicate new certificate templates on any CA server, depending on your needs.
3. But the important thing is that, before you decommission the old CA, all the certificates issued by the old CA server must be issued by the new CA server if you still need these certificates to be working on the end entities.
Hope the information above is helpful.
If you have any questions or concerns, please feel free to let us know.
Best Regards,
Daisy Zhou
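As an added example (not part of the original answer): because the templates live in the AD configuration partition and each CA only publishes a subset of them, the list each CA issues can be read from its enrollment service object and compared before the old CA is decommissioned. The CA names below are placeholders, and the script assumes the ActiveDirectory PowerShell module and read access to the configuration partition.

```powershell
# Added example: compare the templates published ("Certificate Template to Issue")
# on the old CA with those on the new CA by reading AD, so the gap can be reviewed.
# $OldCaName / $NewCaName are placeholders, not values from the thread.
Import-Module ActiveDirectory

$OldCaName = 'OLD-ISSUING-CA'   # placeholder: common name of the CA being decommissioned
$NewCaName = 'NEW-ISSUING-CA'   # placeholder: common name of the replacement CA

# Enrollment service objects sit in the forest-wide configuration partition.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$enrollBase = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

function Get-PublishedTemplate {
    param([Parameter(Mandatory)][string]$CaName)

    $ca = Get-ADObject -SearchBase $enrollBase `
                       -LDAPFilter "(&(objectClass=pKIEnrollmentService)(cn=$CaName))" `
                       -Properties certificateTemplates
    if (-not $ca) {
        throw "No enrollment service object named '$CaName' under $enrollBase"
    }
    # certificateTemplates is multi-valued; drop nulls when the CA publishes nothing.
    @($ca.certificateTemplates) | Where-Object { $_ } | Sort-Object
}

$old = @(Get-PublishedTemplate -CaName $OldCaName)
$new = @(Get-PublishedTemplate -CaName $NewCaName)

# Templates the old CA issues that the new CA does not issue yet.
$missing = @($old | Where-Object { $_ -notin $new })

$missing | ForEach-Object {
    [pscustomobject]@{
        Template    = $_
        PublishedOn = $OldCaName
        MissingOn   = $NewCaName
    }
} | Format-Table -AutoSize

# Review the list first: publish only templates that are still in use.
# Then, on the new CA server itself (ADCSAdministration module), for each one kept:
#   Add-CATemplate -Name '<TemplateName>' -WhatIf    # drop -WhatIf to apply
```

The comparison only shows what each CA is configured to issue; whether a template is still in use has to be judged from the certificates the old CA has actually issued.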