Before starting the deployment, it is important to decide on the operation boundaries as the PKI design can reflect it. We need to decide under which domain, forest, or network segment it will operate. Once the boundaries are defined, it can be hard to extend it later without any physical or logical network layer changes. As an example, if you have a CA in the perimeter network and if you need to extend the boundary to corporate network it will require network boundary changes. In another example, if a partner company or third party wants to use the corporate CA, it will require the AD CS role changes, firewall changes, network routing changes, DNS changes, and so on. Therefore, it's important to evaluate these types of operation ...