Multiple CA's on Windows Server 2012
Solution 1:
You can only have one AD CS certificate server at a time on a single instance of Windows Server OS.
Edit: Also if you want to get serious about the physical security of the root CA, don't make it a VM. A VM can be booted up from the VM management console and then compromised. Make it a physical machine, use it to set up your policy CAs and issuing CAs, then pull the Ethernet cable out of the root CA machine and power it off. (Which you can't really do with an enterprise (AD-integrated) CA, but that's a whole different topic.)