Hello,
Thank you so much for posting here.
According to this document:
"Note! You can also do some of these steps with Manage AD Containers in the Enterprise PKI snap-in, but there are some issues there (KRA entries aren’t shown), so I’d stick to Active Directory Sites and Services."
So it is suggested that we could choose to remove old CA references in AD through Active Directory Sites and Services.
Besides, to do the AD cleanup, please log on to the system with an account that has the permissions below:
1. Enterprise Administrator
2. Domain Administrator
3. Certificate Authority Administrator
4. Schema Administrator (The server that functions as Schema Master FSMO should be online during the process)
For more information, we could refer to:
Manually remove old CA references in Active Directory
https://mssec.wordpress.com/2013/03/19/manually-remove-old-ca-references-in-active-directory/
How to remove manually Enterprise Windows Certificate Authority from Windows 2000/2003 Domain
https://support.microsoft.com/en-us/help/555151
How to decommission a Windows enterprise certification authority and remove all related objects
https://support.microsoft.com/en-us/help/889250/how-to-decommission-a-windows-enterprise-certification-authority-and-r
Hope the information is helpful. If you have any questions, please feel free to contact us.
Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
Best regards,
Hannah Xiong
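
An added example, not part of the original reply or the linked articles: a read-only PowerShell inventory of the objects a retired CA leaves under Public Key Services, including the KRA container that the quoted note says the Enterprise PKI snap-in does not show. It assumes the RSAT ActiveDirectory module is installed, and `OLD-CA-NAME` is a placeholder for the common name of the decommissioned CA; nothing is modified or deleted.

```powershell
# Added example: list AD objects that still reference a retired CA (read-only).
# Assumptions: RSAT ActiveDirectory module; $OldCaName is a placeholder value.
Import-Module ActiveDirectory

$OldCaName = 'OLD-CA-NAME'   # placeholder: common name of the decommissioned CA

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiRoot  = "CN=Public Key Services,CN=Services,$configNC"

# Containers under Public Key Services in which an enterprise CA publishes objects.
$containers = 'AIA', 'CDP', 'Certification Authorities', 'Enrollment Services', 'KRA'

$findings = foreach ($name in $containers) {
    $base = "CN=$name,$pkiRoot"
    try {
        Get-ADObject -SearchBase $base -SearchScope Subtree -Filter * `
                     -Properties whenChanged -ErrorAction Stop |
            Where-Object {
                # Literal, case-insensitive match on the CA name inside the DN.
                $_.DistinguishedName.IndexOf("CN=$OldCaName,",
                    [StringComparison]::OrdinalIgnoreCase) -ge 0
            } |
            Select-Object @{n = 'Container'; e = { $name }},
                          ObjectClass, whenChanged, DistinguishedName
    }
    catch {
        Write-Warning "Could not read ${base}: $($_.Exception.Message)"
    }
}

# NTAuthCertificates holds CA certificates in the multi-valued cACertificate attribute.
$ntAuth = Get-ADObject "CN=NTAuthCertificates,$pkiRoot" -Properties cACertificate
$ntAuthHits = foreach ($raw in $ntAuth.cACertificate) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
    if ($cert.Subject.IndexOf("CN=$OldCaName", [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $cert | Select-Object Subject, Thumbprint, NotAfter
    }
}

$findings   | Sort-Object Container | Format-Table -AutoSize -Wrap
$ntAuthHits | Format-Table -AutoSize -Wrap
```

Saving this output before the cleanup and running the script again afterwards gives a record of which references were present and confirms that none remain.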