Have a 2012R2 DC that has a CA role installed, that is heading to decommission. Cannot uninstall the DC role until the CA role is removed. There are only 3 certificates issued on it, all for 3 existing DCs in AD, generated using the default DC template, one of which is this one for decommission. This CA apparently was only used to generate a local SSL certificate for an Exchange server, and I am not 100% clear on exactly what the DC certificates are used for.

I'm hoping to revoke the certificates but I have no idea what impact that will have on the two remaining DCs. Do the DC certificates auto-renew at expiration? I thought about migrating the CA to another server, but if it's not being used for the Exchange anymore, what is the point in keeping it? The hardware has to go and it's one less thing to worry about.

How should I approach the certificates for the DCs? If I revoke them, and begin removing the CA role, what can I expect to happen to the DCs? Anything or nothing?