Microsoft courses about their PKI implementation (Or AD Certificate Services as we should now call it) just scratches the surface by telling you the differences between root CA, subordinate CA and the stand-alone / entreprise difference that comes with the CA being member of a domain.
Some good links to refresh and go further are:
- the design guide where all starts
- the algorithm when validating a certificate, in particular if you are migrating from one CA to another
Some of these links come from the PKI team’s blog at Microsoft