Hi,
I built 2 PKI environment in my lab .
Single tier PKI with one Enterprise CA, you can configure the CA on the DCs or a member server if you have additional servers.
Two tier PKI with one Offline Root CA and an Enterprise CA
For how to build the PKI, you can refer to the following links (step by step) , which one to choose, that depends on your requirements :
Best Regards,