You'll want to locate a copy of Brian Komar's book on Windows PKI; offline root is not hard, but many things in AD:CS land are more mysterious than they ought to be.
Personally I don't like AD:CS for an offline root, oddly bound-up in the OS guts as it is, and with an architecture-dependent cert db; just use openssl to gin up the root, and use AD:CS for issuance / online operations.
Personally I don't like AD:CS for an offline root, oddly bound-up in the OS guts as it is, and with an architecture-dependent cert db; just use openssl to gin up the root, and use AD:CS for issuance / online operations.