When old CA was not correctly decomissioned
You can check for all CA in domain by Running the following command from a CMD prompt: “certutil -config – -ping” it will prompt you with all the CA available in the organisation.
To remove from domain Open PKIView.msc, right-click on root node and select Manage AD Containers. Go through all tabs and remove items related to old CA. I have used this on Windows 2008 Server.