PAM requires a management forest running Windows Server 2012 R2 or above, called a bastion forest, which the existing corporate forest(s) trust through a one-way trust. The bastion forest must be highly secured and well managed, which is why a new forest is recommended.
Note
Microsoft's Best Practices for Securing Active Directory is a must read. Find it at http://bit.ly/SecuringAD.
If you already have a secured management forest, then it can be utilized for PAM, and a new management forest is not needed. More information on PAM with an existing Active Directory forest can be found at http://bit.ly/MIMPAMWithExistingDomains.
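The one-way trust is the property most worth verifying after the forests are joined, since a trust that is accidentally made two-way lets corporate accounts reach into the bastion forest. The following PowerShell is an added example, not code from the book or from the MIM product: it audits the trust objects as seen from the corporate forest, using the property names that Get-ADTrust returns (Target, Direction, ForestTransitive). Direction is reported relative to the forest the cmdlet runs in, so from the corporate forest the bastion trust should appear as Outbound (an outgoing trust, meaning this forest trusts the bastion forest). The forest names and the sample trust objects are constructed placeholders.

```powershell
# Added example (not from the book): audit the trust between the corporate
# forest and the PAM bastion forest, as seen from the corporate forest.
# Run for real with:  Get-ADTrust -Filter * | then pass the result as -Trusts.

function Test-BastionForestTrust {
    param(
        [Parameter(Mandatory)] [string]   $BastionForest,  # DNS name of the bastion forest (assumed value)
        [Parameter(Mandatory)] [object[]] $Trusts          # objects shaped like Get-ADTrust output
    )

    $findings = [System.Collections.Generic.List[string]]::new()
    $bastionTrusts = @($Trusts | Where-Object { $_.Target -ieq $BastionForest })

    if ($bastionTrusts.Count -eq 0) {
        $findings.Add("No trust to bastion forest '$BastionForest' exists in this forest.")
        return $findings
    }

    foreach ($t in $bastionTrusts) {
        if ($t.Direction -ne 'Outbound') {
            # Inbound or BiDirectional would let corporate accounts authenticate to
            # bastion-forest resources, which is exactly what the bastion must prevent.
            $findings.Add("Trust to $($t.Target) is $($t.Direction); expected a one-way Outbound trust.")
        }
        if (-not $t.ForestTransitive) {
            $findings.Add("Trust to $($t.Target) is not a forest trust (ForestTransitive is false).")
        }
    }
    return $findings
}

# Constructed sample data standing in for Get-ADTrust output; names are placeholders.
$healthy = @(
    [pscustomobject]@{ Source='corp.example'; Target='priv.example';    Direction='Outbound';      ForestTransitive=$true }
    [pscustomobject]@{ Source='corp.example'; Target='partner.example'; Direction='BiDirectional'; ForestTransitive=$true }
)

# Same forest, but the bastion trust has been widened to two-way.
$broken = @(
    [pscustomobject]@{ Source='corp.example'; Target='priv.example';    Direction='BiDirectional'; ForestTransitive=$true }
    [pscustomobject]@{ Source='corp.example'; Target='partner.example'; Direction='BiDirectional'; ForestTransitive=$true }
)

Write-Host "Healthy forest:"
$r = Test-BastionForestTrust -BastionForest 'priv.example' -Trusts $healthy
if ($r.Count -eq 0) { Write-Host "  OK: one-way forest trust to bastion" } else { $r | ForEach-Object { Write-Host "  $_" } }

Write-Host "Misconfigured forest:"
Test-BastionForestTrust -BastionForest 'priv.example' -Trusts $broken | ForEach-Object { Write-Host "  $_" }
```

The partner trust in the sample is left alone on purpose: the function only judges the trust to the named bastion forest, so it can run unchanged in a corporate forest that has other, legitimately two-way, trusts.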
If you do not already have a management forest, you may be wondering why Microsoft requires another forest for PAM. There are two reasons: firstly, a new forest will be free from malicious activity, and secondly, a new forest will help restrict access in the existing corporate forest(s). Basically, we can get the best out of our existing forest(s) by assuming the...