Many months ago I was tasked with implementing a 3-tier Certificate Authority for a large Windows domain environment. Unfortunately there is surprisingly little information for the nitty-gritty questions one may have. The Microsoft Press book Windows Server® 2008 PKI and Certificate Security proved quite useful, but at times lacking. (This book seems to have been discontinued, thus outrageous pricing; add a comment if you want a link to the eBook.) The Corelan Team site added more insight and was quite useful as well.
Here is the document I created detailing our setup and configuration process (using generic server names and Contoso as the company). Please review the entire document first, should use it for reference. Please note: this document is unsupported and is meant only as a guide.
Should you post questions here, I will do my best to answer them or help point you in the correct direction. This project took place almost a year ago and I'm no longer on site to examine the configuration, so please understand if I may not be able to shed light into the darkest corners of CA voodoo.
Ps. Thanks to SL @ TM for his time and trust with this project.