The main issue occurs when revoking the sub ca. In case of security issue, if you revoke this kind of Sub CA, you impact all certificates and not just users or computers.

Hello thank you very much for that great crash course. Could you please give me an example where it is a problem to use the same Sub CA to sign both computer and user certificates in a middle size enterprise, where users and computers are both managed by the same person? I’m asking because I wanted to use a (Windows 2019) Sub-CA on the main DC for signing both user and computer certs, in order to concentrate FSMO roles and the private keys of the sub-CA on the same VM, so I always know which one is the most important to backup.