Designing to support trusted forests

Configuration Manager supports the deployment of site servers, such as the primary site and the secondary site across different forests when two-way trust is established between the two forests.

When you want to support multiple forests and a two-way trust exists, Configuration Manager does not require any additional configuration provided any firewalls have the appropriate ports opened and name resolution works between the forests. By default, Configuration Manager, even in this scenario, will configure the database replication between the sites and also the intersite file replication.

If you do not require a site system in the other forest, then Configuration Manager also supports the placement of site system roles in these environments. It may be overkill to provide the services of a primary site in another forest. When this situation arises, use the same rules to determine if you place a distribution point or a secondary site out in that forest; just because it's a different forest, it doesn't change how you treat that environment.

Additionally, with Configuration Manager 2012 R2, you can add multiple network access accounts, which can help with the support of trusted forests.

When clients are not in the same forest as the site server, Configuration Manager supports the following scenarios:

Clients that are members of an Active Directory domain can use Active Directory for service location when the site is published to their Active Directory forest. You can also publish site information to untrusted forests. Additional forests can be specified in the console other than the forest where the site server is installed. This can be done from within the Active Directory Forests node in the Administration workspace. Any forests that you specify in this node will be picked up by the Active Directory Forest Discovery Agent if it is enabled.