Publishing Certificates and CRLs
An enterprise CA uses AD to store and publish certificates, complete CRLs, and delta CRLs. Both a standalone CA and an enterprise CA can also publish to the file system. Each certificate published in AD automatically maps to the Windows account of its requestor. AD adds the certificate to the multivalued userCertificate attribute of a user or inetOrgPerson AD object. However, not every certificate that an enterprise CA generates is automatically published in AD. For example, enrollment agent certificates and certificate trust list (CTL) signing certificates aren't automatically published.
A standalone CA can publish issued certificates to AD, but this step isn't the default behavior. A standalone CA will automatically publish certificates to AD only if an enterprise administrator installs the CA on a member server joined to the domain. You can, of course, always publish the certificates to AD manually.
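Because userCertificate is multivalued and certificates can also be published manually, it is worth reconciling what AD holds against what the CA issued. The following is an added example, not code from the original article: it reads an LDIF export of userCertificate values and reports any value whose thumbprint is missing from a list of issued certificates. The distinguished names, the placeholder bytes standing in for certificates, and the issued-thumbprint set are all constructed assumptions.

```python
import base64
import hashlib

# Constructed placeholder bytes standing in for DER-encoded certificates.
CERT_A = b"constructed-cert-A" * 5
CERT_B = b"constructed-cert-B" * 5
CERT_C = b"constructed-cert-C" * 5

def fold(line, width=40):
    """Wrap a long LDIF line; continuation lines start with one space."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)

def cert_line(der):
    return fold("userCertificate:: " + base64.b64encode(der).decode())

# Constructed export: one user with two values, one inetOrgPerson with one.
SAMPLE_LDIF = "\n".join([
    "dn: CN=Alice,OU=Staff,DC=example,DC=test", "objectClass: user",
    cert_line(CERT_A), cert_line(CERT_C), "",
    "dn: CN=Bob,OU=Partners,DC=example,DC=test", "objectClass: inetOrgPerson",
    cert_line(CERT_B), "",
])

def thumbprint(der):
    """SHA-1 over the DER bytes, the thumbprint Windows displays."""
    return hashlib.sha1(der).hexdigest().upper()

def parse_user_certificates(ldif_text):
    """Return {dn: [der_bytes, ...]}, keeping every value of the attribute."""
    unfolded = ldif_text.replace("\r\n", "\n").replace("\n ", "")
    entries, dn = {}, None
    for line in unfolded.split("\n"):
        if not line:
            dn = None                      # blank line ends an entry
        elif line.startswith("dn: "):
            dn = line[4:]
            entries[dn] = []
        elif dn and line.lower().startswith("usercertificate:: "):
            entries[dn].append(base64.b64decode(line.split(":: ", 1)[1]))
    return entries

def unexpected_certificates(ldif_text, issued_thumbprints):
    """(dn, thumbprint) pairs published in AD but not in the issued set."""
    return [(dn, thumbprint(der))
            for dn, certs in parse_user_certificates(ldif_text).items()
            for der in certs if thumbprint(der) not in issued_thumbprints]
```

With CERT_A and CERT_B treated as issued, `unexpected_certificates(SAMPLE_LDIF, issued)` returns only Alice's second value, the one that would need explaining.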
The Best CA for the Job
Now that you're aware of the differences between an enterprise CA and a standalone CA, you can pick the best option for your situation. A Windows 2003 enterprise CA typically is best suited for enterprise certificate users who have an AD user account and who use Kerberos to authenticate to the AD infrastructure. A Windows 2003 standalone CA typically is best suited for external users (e.g., extranet users) who don't have an internal Windows account.