Many things can go wrong, I guess.
Without prior experience and background in PKI, most likely.
What about configuring a new certificate system instead, and deploying user and machine certificates?
It is an option, since your environment is not large. Set up a brand new CA, distribute the new root CA certificate to all non-domain devices (it will be propagated automatically to domain users and computers) and start certificate replacement. However, before installing the new CA, I would recommend reading my blog post on designing CDP/AIA extensions, since they are the root causes of CA migration complications. Properly designed and implemented CDP/AIA extensions make migration much easier. Here is the link: https://www.sysadmins.lv/blog-en/designing-crl-distribution-points-and-authority-information-access-locations.aspx
After installing the new CA (you will have to keep both CAs side by side until all certificates are replaced), add the same templates for issuance as shown in the Certificate Templates folder (certsrv.msc) on the old CA. Then clear all templates from the old CA. This ensures that the old CA won't issue any new certificates and that all certificates will be issued only by the new CA.
After all certificates are replaced with certs from the new CA, you can decommission the old CA: https://social.technet.microsoft.com/wiki/contents/articles/3527.how-to-decommission-a-windows-enterprise-certification-authority-and-how-to-remove-all-related-objects.aspx. Don't skip this process.
Not sure if they are also using it for VPN; is there an easy way to check this without talking to the network/ASA guys?
In the CA management console (certsrv.msc), go to the Issued Certificates folder and filter time-valid certificates (those not yet expired) using the View->Filter menu command. Analyze all certificates; this may give you clues about where and for what purpose certificates are issued.
It's because we have some static configuration here and there.
It is the result of a poorly designed network and operations. In my networks I rarely refer to IP addresses. Instead, I register every IP-capable device (PCs, servers, network devices, etc.) in DNS and refer to these devices by name only. This gives me freedom in IP addressing, and I can switch to another IP almost without interruption.
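The two CA-side steps in the reply above (reviewing the old CA's time-valid issued certificates to learn what they are used for, then publishing the same templates on the new CA and clearing them from the old one) can be scripted. The PowerShell below is an added example, not code from the reply's author; it uses the built-in certutil.exe view/restrict syntax and the ADCSAdministration module cmdlets (Get-CATemplate, Add-CATemplate, Remove-CATemplate), which operate on the CA they are run on. The CA config string "OLDCA\Contoso-Old-CA" and the file path are placeholders.

```powershell
# Added example (not the post author's code). Assumed placeholders:
#   $OldCAConfig = "OLDCA\Contoso-Old-CA"   (Machine\CAName of the old CA)
#   C:\Temp\old-ca-templates.txt          (file carrying the template list between CAs)

# Step 1 (any machine that can reach the old CA): summarise time-valid issued
# certificates by template, with the requester names, so the purpose of each
# template is visible. Disposition 20 is the "issued" disposition in the CA database;
# "NotAfter>now" drops certificates that have already expired.
function Get-TimeValidIssuedCertSummary {
    param([Parameter(Mandatory)][string]$CAConfig)

    $raw = & certutil.exe -config $CAConfig -view `
        -restrict "Disposition=20,NotAfter>now" `
        -out "RequestID,RequesterName,CertificateTemplate,NotAfter" csv

    # certutil appends a status line ("CertUtil: -view command completed successfully.")
    # that is not CSV, so strip it and any blank lines before parsing.
    $rows = $raw | Where-Object { $_ -and $_ -notmatch '^CertUtil:' } | ConvertFrom-Csv
    if (-not $rows) { return @() }

    # Header text is localised/display-name based, so address columns by position:
    # 0 = RequestID, 1 = RequesterName, 2 = CertificateTemplate, 3 = NotAfter
    $props = ($rows | Select-Object -First 1).PSObject.Properties.Name
    $reqProp = $props[1]
    $tplProp = $props[2]

    $rows | Group-Object -Property $tplProp | Sort-Object Count -Descending |
        Select-Object @{n = 'Template'; e = { $_.Name } },
                      Count,
                      @{n = 'Requesters'; e = {
                          ($_.Group | ForEach-Object { $_.$reqProp } | Sort-Object -Unique) -join '; '
                      } }
}

# Step 2a (run ON the old CA): export the template names it currently issues.
function Export-CATemplateList {
    param([Parameter(Mandatory)][string]$Path)
    Import-Module ADCSAdministration
    Get-CATemplate | Select-Object -ExpandProperty Name | Set-Content -Path $Path
}

# Step 2b (run ON the new CA): publish the same templates for issuance. Templates
# live in AD and are shared by both enterprise CAs, so only the name is needed.
function Import-CATemplateList {
    param([Parameter(Mandatory)][string]$Path)
    Import-Module ADCSAdministration
    $current = @((Get-CATemplate).Name)
    foreach ($name in Get-Content -Path $Path) {
        if ($current -contains $name) { continue }   # already published here
        Add-CATemplate -Name $name -Force
    }
}

# Step 2c (run ON the old CA, only after the new CA is confirmed issuing):
# remove every template so the old CA cannot issue anything new while it is
# kept online for CRL publishing until its last certificate is replaced.
function Clear-CATemplateList {
    Import-Module ADCSAdministration
    foreach ($t in Get-CATemplate) { Remove-CATemplate -Name $t.Name -Force }
}

# Usage (each function on the host noted above):
#   Get-TimeValidIssuedCertSummary -CAConfig "OLDCA\Contoso-Old-CA" | Format-Table -AutoSize
#   Export-CATemplateList -Path C:\Temp\old-ca-templates.txt
#   Import-CATemplateList -Path C:\Temp\old-ca-templates.txt
#   Clear-CATemplateList
```

The summary from step 1 is the scripted equivalent of the View->Filter check in certsrv.msc: a template such as an IPsec or workstation-authentication type with router or firewall host names in the requester column is the hint that VPN or 802.1X depends on the old CA. Keep the old CA running (with its CRLs still published) until that summary returns no rows.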