dsstore will let you list, add, and delete Enterprise Root CAs; maintain certificate revocation lists (CRLs) in AD; and add Win2K CAs or offline CAs to the enterprise PKI stored in your Active Directory. W2K will automatically enroll a user and computer when an operation starts that requires a certificate. You can proactively enroll users using dsstore. You can do problem solving to check the status of DCs certificates and verify the validity of smart cards.
Troubleshooting Windows 2000 PKI Deployment and Smart Card Logon
The Dsstore Tool May Not Work If the NetBIOS Name and the DNS Domain Name Are Different
How to Install a Windows 2000 Certificate Services Offline Root Certificate Authority
Windows 2000 Certificate Services