Cut to the chase - my request for consultant time to upgrade our ZEN was rejected, and while most of the upgrade went well enough it seems I didn't know to migrate the CA before removing Zen from the old server. That was weeks ago and we deleted the snapshot on that server but the VM still exists. I can restore from the last backup in an attempt to recover export the CA; from there the instructions are pretty straightforward. It seems like I need to bring it up in isolation; the last time I was forced to experiment with a copy of the server I lost control of all my workstations. That means I would need to also bring up a copy of the database server and AD server (DB connection uses an AD account for authentication), complicating the heck out of things. Or will there be enough of ZEN up without the database to export the CA?

My other option (AFAIK) is to use a new external certificate (what we were planning to add anyway) and build a new CA using that on the new server. Of course that would mean un-registering and re-registering all the workstations (about 245 desktops and 110 laptops). I can script most of that with system internals tools and have it done over the weekend, at least the desktops and some of the laptops.

Have I missed anything? Is one or the other of these a really bad idea?