Solution 1:

You need to be joined to a domain to be an Enterprise CA, but you do not need to be domain joined in order to be a standalone CA. An Enterprise CA adds features that come along with being integrated with Active Directory, but the downside is that you cannot take it offline as you would do with a high-security root CA.

Yes, it is possible to install AD CS on the same server as a domain controller, but it is not really recommended. It's best practice to have a domain controller just be a domain controller. The more services you install on one system, the more services you will lose when that one system goes down.

Edit: You can also explore more robust designs, such as having an offline root CA, and an Enterprise issuing CA.
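As an added illustration of the two-tier design mentioned in the edit (offline standalone root plus domain-joined Enterprise issuing CA), the PowerShell below is example code written for this answer, not part of the original post. It assumes two servers: a workgroup machine for the root (not domain joined, so it must be a standalone CA) and a member server for the issuing CA (domain joined, so it can be an Enterprise CA). The CA names, validity periods and file paths are placeholder values chosen for the example.

```powershell
# ---- Server 1: standalone root CA (workgroup, kept offline after setup) ----
# Standalone CA type is required here because the server is not domain joined.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName "Example Offline Root CA" `   # placeholder name
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -ValidityPeriod Years -ValidityPeriodUnits 20 `
    -Force

# Publish a CRL and export the root certificate so the issuing CA can chain to it.
certutil -CRL
Copy-Item "C:\Windows\System32\CertSrv\CertEnroll\*.crt" "D:\transfer\"   # placeholder path
Copy-Item "C:\Windows\System32\CertSrv\CertEnroll\*.crl" "D:\transfer\"
# The root server is then powered off; it only comes back to sign the
# subordinate CA certificate and to reissue its CRL before the old one expires.

# ---- Server 2: Enterprise issuing CA (domain-joined member server) ----
# Publish the root cert and CRL into Active Directory so domain members trust the chain.
certutil -dspublish -f "D:\transfer\ExampleRoot.crt" RootCA               # placeholder file
certutil -dspublish -f "D:\transfer\ExampleRoot.crl"

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# EnterpriseSubordinateCA only works on a domain-joined server; this produces
# a request file that is carried to the offline root for signing.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseSubordinateCA `
    -CACommonName "Example Issuing CA" `         # placeholder name
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -OutputCertRequestFile "D:\transfer\issuing.req" `
    -Force

# After the root has signed the request, install the returned certificate and start the service.
certutil -installcert "D:\transfer\issuing.crt"   # placeholder path to the signed cert
Start-Service CertSvc

# Sanity check: the issuing CA's certificate should chain to the root without errors.
certutil -verify "D:\transfer\issuing.crt"
```

The point of the split is that the root's private key never lives on a domain-joined, always-on machine, while day-to-day issuance still gets the Active Directory integration (templates, autoenrollment) that only an Enterprise CA provides; the `Install-AdcsCertificationAuthority` and `certutil` commands are the standard Windows tooling, but the specific names and paths above are placeholders.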