What is the purpose of an Offline Root CA (standalone non-member) with an Online Domain member Subordinate CA?
We are in the process of decommissioning our AD 2003 DCs, and one of them holds the Root CA role.
We want to segment the roles in the newly deployed machines (running 2008 R2) so that when there are future upgrades to DCs and other machines, we are not worried about the roles on that machine except the one being decommissioned.
So my colleague proposed a Standalone non-member Offline Root CA with an Online Member Subordinate CA. I am thinking it is overkill for our environment since we are only using the Cert for WLAN PEP access to our IAS/NPS at the present time.