I designed and implemented a fairly complex three-tier PKI, using Windows Server 2003 Certificate Services, a number of years back that proved to be a painful experience. At that time, there was not a lot of documentation available on MS Certificate Services. I recently stumbled across a couple of posts on the Ask the Directory Services Team Blog, which are worth a read of you’re dealing with PKI. They can be found here:

• Designing and Implementing a PKI: Part I Design and Planning
• Designing and Implementing a PKI: Part II