question

I'm wondering if I have posted this question in the wrong forum or given the incorrect tagging, as I have not received any response or further questions or suggestions. I could not select any existing tag for pki, so selected something similar.

Posting as answer, because comments do not allow long responses, all quotes are based on OP comments:

why did Microsoft Tech (Severity A case) couldn't solve the case

I don't know, I don't work for Microsoft.

Only when I enabled the debugging, i read in the logs that the certificate is not within it's validity period error and it was pointing the Thumbprint of the expired cert.

in fact, it is normal behavior. When CA starts, it validates all its installed certificates and log into event viewer if any of them is not valid. However it doesn't mean that any action is required. CA will always sign its own renewal requests only using the most recent CA certificate, which is valid (as per your information). This means that your CA has a valid cert to sign the renewal request.

simple example is, if you remove the old certificate hash from the registry key then adcs service won't start.

that's right. And that's why I said that this operation is not supported by Microsoft, because there are hidden dependencies in CA database and there is no option to manage them. And having expired previous CA certs is not a problem. Here is one of my production CAs:

First certificate is expired, but it doesn't add any problems, because latest cert is ok.

I even spoke to MS Tech saying why don't we renew with new key pair, he didn't advise to do so because of smart cards.

they fooled you, unfortunately. I always against renewing CA cert with existing key pair, because it leads to ambiguous chains, when leaf cert's chain can be bound to older (expired) or newer (valid) root CA certs and chaining engine sometimes choose wrong chain and invalidate the certificate. Few proofs:
- https://mskb.pkisolutions.com/kb/329433
- https://support.microsoft.com/en-us/topic/-0x80092013-crypt-e-revocation-offlinea-error-message-when-you-try-to-verify-a-certificate-that-has-multiple-chains-in-windows-server-2008-or-in-windows-vista-9636f0e3-5347-db2d-d8c6-6b3cf200c099
- https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/secured-website-certificate-validation-fails

and this is the reason why I always recommend to renew with new key pair. New key pair results in an unambiguous single possible chain.

What I think is, the previous admin had generated many certs for the same name and not sure if each time he used new key pair or old key pair.

it is easy to track by analyzing "CA Version" extension of each CA certificate. If both numbers around the dot match, then new key pair was generated, if left-hand number is greater, then existing key pair was used.

Basically, you do not have a big problem since you are able to get renewal request for CA certificate. What you need to do is to submit request to parent CA, issue the certificate and install it on your CA. Since you have CA cluster, certificate must be installed on both nodes. This requires a little bit more frictions: when you install CA certificate to active node, backup CA certificates (using Backup CA option and choose only CA cert, without DB) and export CA certs in PFX format. Then import PFX on passive node. On a wizard page where you provide password to PFX check the option to mark private keys as exportable. It is essential part for CA certificate backup option.