Hello,
Thank you so much for your feedback.
As Dave mentioned, the CA server should be on a member server in a domain environment. Usually there will be Single Tier PKI Hierarchy Deployment and Two Tier PKI Hierarchy Deployment.
There are four computers involved in this single-tier PKI hierarchy as shown below. The CA server is on a member server.
There are five computers involved in this two-tier PKI hierarchy lab as shown below.
In this two-tier PKI hierarchy, a standalone offline root CA will be configured. The standalone offline root CA should not be installed in the domain, so it is on a standalone server.
We are wondering whether you have any doubts about the standalone offline root CA. For more information, please refer to:
ADCS Step by Step Guide: Single Tier PKI Hierarchy Deployment
https://social.technet.microsoft.com/wiki/contents/articles/11750.adcs-step-by-step-guide-single-tier-pki-hierarchy-deployment.aspx
AD CS Step by Step Guide: Two Tier PKI Hierarchy Deployment
https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx
Hope the information is helpful. If you have any questions, please feel free to contact us.