Существует статья от MS, описывающая полный процесс декомиссии.

https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/decommission-enterprise-certification-authority-and-remove-objects

Здесь вынесена выдержка о том, как можно почистить присутствие бывшего ЦС через ADSI-edit.

При этом, подключаться надо не к default naming context, а к configuration, как показано на скрине.

Нужно удалять следующие атрибуты в соответствующих местах расположения.

certificateAuthority object

Located in CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain. Contains the CA certificate for the CA. Published Authority Information Access (AIA) location.

crlDistributionPoint object

Located in CN=ServerName,CN=CDP,CN=Public Key Service,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
Contains the CRL periodically published by the CA.
Published CRL Distribution Point (CDP) location.

certificationAuthority object

Located in CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
Contains the CA certificate for the CA.

pKIEnrollmentService object

Located in CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
Created by the enterprise CA.
Contains information about the types of certificates the CA has been configured to issue. Permissions on this object can control which security principals can enroll against this CA.