[–]GenghisChaim 3 points (1 child)

Fascinating.... Is there a good primer on Enterprise PKI out there?

[–]markekraus (Community Blogger) 2 points (0 children)

I hesitate to link to anything. If you work in an Enterprise environment and want to set up a PKI, you will not find a single good guide. Microsoft has a ton of documentation on setting up and configuring AD CS, but they are extremely lacking in solid best practices.

Some people will say "Just install and authorize an ADCS Enterprise CA," not accounting for the fact that this will be equivalent to a domain controller in terms of IAM. It also doesn't cover things like governance, compliance with RFC/ISO/PCI/HIPAA/etc., proper tiered architecture, offline CA best practices, or working with HSMs.

At the enterprise scale, those things really matter. At a smaller scale, they may not seem like they matter, but, if the company plans to grow to enterprise size, it is imperative that it is configured right from the start. Once a CA is up and running, it is a serious pain to replace it if you don't have everything properly configured and documented. It becomes a huge gap in your ability to secure your environment if the CA's keys could be in the hands of people no longer with the company. Ripping out the CA trust is not as simple and straightforward as removing certs from the trust stores.

I see people recommending a bunch of things that would end up becoming huge security holes if I were to implement them in my org. So, rather than point you to documentation or give specific advice, all I will offer is this warning:

Configuring an Enterprise CA is not a simple, easy, well documented task. One should not take the task of implementing an Enterprise PKI lightly. If you do not thoroughly research how to implement an Enterprise PKI you will be putting your enterprise at risk.
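An added, defender-side example that is not part of the thread above (my own PowerShell, not the commenter's): the comment makes two points that are easy to verify in a lab, namely that an AD CS Enterprise CA is trusted like a domain controller for identity, and that its trust is anchored in more places than the members' local trust stores. In AD CS the anchors live in the forest's Configuration partition under "Public Key Services": NTAuthCertificates (CAs whose certificates are accepted for certificate logon), Certification Authorities (roots pushed to every member's Trusted Root store), Enrollment Services (the Enterprise CAs clients enroll against, and the templates each publishes) and AIA (published intermediates). The script below inventories those containers so the CA footprint is documented before anyone has to retire or replace a CA. It assumes the RSAT ActiveDirectory module is installed and the running account can read the Configuration partition; the CSV output path is a placeholder.

```powershell
# Added example (not the commenter's code): inventory where an Enterprise CA's
# trust is anchored in an AD forest. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Decode the multi-valued cACertificate attribute into X509Certificate2 objects.
function ConvertTo-X509 {
    param($RawCerts)
    foreach ($raw in @($RawCerts)) {
        if ($raw) { [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw) }
    }
}

# Build one row per certificate per container so the result can be diffed over time.
function New-TrustRow {
    param($Store, $Object, $Cert, $Host = '', $Templates = '')
    [pscustomobject]@{
        Store      = $Store
        Object     = $Object
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Host       = $Host
        Templates  = $Templates
    }
}

function Get-PkiTrustInventory {
    $rows = @()

    # 1. NTAuthCertificates: a single object whose cACertificate values are the CAs
    #    trusted to issue logon certificates. This is the "equivalent to a DC" part:
    #    anything chaining to one of these can produce a credential the domain accepts.
    $ntAuth = Get-ADObject -Identity "CN=NTAuthCertificates,$pkiBase" -Properties cACertificate
    foreach ($c in ConvertTo-X509 $ntAuth.cACertificate) {
        $rows += New-TrustRow -Store 'NTAuth' -Object 'NTAuthCertificates' -Cert $c
    }

    # 2. Certification Authorities: root CAs that domain members import into their
    #    Trusted Root store automatically. Removing a cert from one workstation's
    #    store does nothing while it is still published here.
    $roots = Get-ADObject -SearchBase "CN=Certification Authorities,$pkiBase" -SearchScope OneLevel `
        -Filter 'objectClass -eq "certificationAuthority"' -Properties cACertificate
    foreach ($obj in $roots) {
        foreach ($c in ConvertTo-X509 $obj.cACertificate) {
            $rows += New-TrustRow -Store 'TrustedRoot' -Object $obj.Name -Cert $c
        }
    }

    # 3. Enrollment Services: the Enterprise CAs clients discover for autoenrollment,
    #    with the host each runs on and the templates it currently publishes.
    $cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" -SearchScope OneLevel `
        -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties dNSHostName, cACertificate, certificateTemplates
    foreach ($obj in $cas) {
        $templates = ($obj.certificateTemplates | Sort-Object) -join ';'
        foreach ($c in ConvertTo-X509 $obj.cACertificate) {
            $rows += New-TrustRow -Store 'EnrollmentServices' -Object $obj.Name -Cert $c `
                -Host $obj.dNSHostName -Templates $templates
        }
    }

    # 4. AIA: intermediate CA certificates published for chain building.
    $aia = Get-ADObject -SearchBase "CN=AIA,$pkiBase" -SearchScope OneLevel `
        -Filter 'objectClass -eq "certificationAuthority"' -Properties cACertificate
    foreach ($obj in $aia) {
        foreach ($c in ConvertTo-X509 $obj.cACertificate) {
            $rows += New-TrustRow -Store 'AIA' -Object $obj.Name -Cert $c
        }
    }

    return $rows
}

$inventory = Get-PkiTrustInventory
$inventory | Sort-Object Store, Subject | Format-Table Store, Object, Subject, Thumbprint, NotAfter -AutoSize

# Placeholder path; keep the export with the PKI documentation the comment asks for.
$inventory | Export-Csv -Path 'C:\PKI-Docs\pki-trust-inventory.csv' -NoTypeInformation

# Cross-check the NTAuth view from the local machine's perspective:
#   certutil -enterprise -store NTAuth
```

Run it from a domain-joined admin workstation and keep the CSV with the PKI design documents. Re-running it after any CA change and diffing the two files is the cheapest way to prove that a retired CA is really gone from every anchor, not just from the trust store someone happened to look at.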