Assuming that the certificates of the ADCS CAs joined to a given domain are signed by an offline root CA which is then trusted by all systems in the domain/forest. If that offline root was then used to issue/sign a CA certificate (no constraints), and that CA then issued user/computer/smart card certificates for resources of the domain in question, would they be trusted (i.e. would a certificate issued in this fashion work to authenticate to the domain)?


Solution 1:

If all computers in the domain trust the root CA, then by definition they will trust every certificate signed by it, including that of a new sub-CA.

However, if the new sub-CA is not AD-integrated, some computers or applications could have issues in validating the whole CA chain up to the root; in order to fix this, you can deploy the sub-CA's certificate as a Trusted Intermediate Certification Authority using a GPO.
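As an added example (not part of the original answer), the PowerShell script below checks, on one domain-joined machine, the two things the answer separates: whether a leaf certificate from the non-AD-integrated sub-CA chains to a trusted root at all, and whether the sub-CA certificate is present in the LocalMachine Intermediate Certification Authorities store (the store a GPO deployment populates). It also reports whether the issuing CA is in the enterprise NTAuth store, because certificate logon to the domain (smart card / PKINIT) requires the issuing CA there in addition to ordinary chain trust. The certificate path is an assumption; the `certutil -enterprise -store NTAuth` output format (one `Cert Hash(sha1):` line per certificate) is parsed with a regex and should be treated as an assumption about that tool's output.

```powershell
# Added example, not from the original post. Verifies that a leaf certificate issued by a
# non-AD-integrated sub-CA chains to a trusted root on this machine and reports where the
# issuing sub-CA certificate is (or is not) installed. All paths are assumptions.

param(
    [Parameter(Mandatory = $true)]
    [string]$LeafCertPath            # e.g. C:\temp\user.cer (assumed path)
)

function Test-LeafChain {
    param([string]$Path)

    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Validate against the machine's own trust stores, but do not let an unreachable CRL
    # mask the chain-building result this check is about.
    $chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

    $ok = $chain.Build($leaf)

    $result = [ordered]@{
        Subject         = $leaf.Subject
        Issuer          = $leaf.Issuer
        ChainBuilt      = $ok
        ChainLength     = $chain.ChainElements.Count
        Root            = if ($chain.ChainElements.Count -gt 0) {
                              $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
                          } else { $null }
        Status          = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        IssuerInCAStore = $false
        IssuerInNTAuth  = $false
    }

    # Element 1 of a fully built chain is the sub-CA certificate that issued the leaf.
    # If the chain stopped at the leaf (PartialChain), there is nothing to look up.
    if ($chain.ChainElements.Count -ge 2) {
        $issuerThumb = $chain.ChainElements[1].Certificate.Thumbprint

        # Intermediate Certification Authorities store of the machine (filled by GPO).
        $result.IssuerInCAStore = [bool](Get-ChildItem Cert:\LocalMachine\CA |
            Where-Object { $_.Thumbprint -eq $issuerThumb })

        # Enterprise NTAuth store: required for certificate logon to the domain.
        # Assumes certutil prints one "Cert Hash(sha1): <hex>" line per certificate.
        $ntauth = certutil -enterprise -store NTAuth 2>$null
        $hashes = $ntauth | Select-String 'Cert Hash\(sha1\):\s*([0-9a-fA-F ]+)' |
            ForEach-Object { ($_.Matches[0].Groups[1].Value -replace ' ', '').ToUpperInvariant() }
        $result.IssuerInNTAuth = $hashes -contains $issuerThumb.ToUpperInvariant()
    }

    [pscustomobject]$result
}

$r = Test-LeafChain -Path $LeafCertPath
$r | Format-List

if (-not $r.ChainBuilt -and $r.Status -match 'PartialChain') {
    Write-Warning ("Chain could not be built past the leaf: the issuing sub-CA certificate is " +
                   "missing on this machine. Deploy it to Intermediate Certification Authorities " +
                   "(LocalMachine\CA) via GPO.")
}
if (-not $r.ChainBuilt -and $r.Status -match 'UntrustedRoot') {
    Write-Warning "Chain ends at a root that is not in Trusted Root Certification Authorities on this machine."
}
```

Run it on a workstation that exhibits the validation problem: a `PartialChain` status with `ChainLength` of 1 is the symptom the answer describes (the root is trusted but the machine cannot find the sub-CA certificate to bridge to it), and `IssuerInCAStore` turning `True` after the GPO applies confirms the fix. `IssuerInNTAuth` is the separate condition to look at if the certificates chain fine but still do not work for domain logon.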