The Root CA is domain joined. The Sub CA will be domain joined. The Sub CA will deliver workstation Authentification (template) to PC clients via GPO.
Is there any known issue with this configuration? Should the root CA be only standalone? I know the security recommendation for the root CA to be standalone but is there any operational issue if it's domain joined?
Is there any known issue with this configuration?
No.
Should the root CA be only standalone?
This is not mandatory at all.
Is there any operational issue if it's domain joined?
If you have multiple AD-integrated CAs (regardless of their level in the PKI hierarchy), you will need to manage certificate templates, enrolling permissions and auto-enrollment policies so that users and computers get their certificates from the correct CA.
