We had an interesting thread internally on Untrusted Forests and hierarchies in System Center 2012 Configuration Manager. As part of that thread we discovered that Neil Peterson has a series of posts covering the various options. These are definitely worth reviewing if you're in the situation where you have to support Untrusted Forests:
- Blog 1 - Simple Management of a few cross forest clients (Lookup MP / SLP type functionality)
- Blog 2 – More complex management of a larger number of cross forest clients (introduce forest discovery, cross forest system discovery, and cross forest client push installation).
- Blog 3 - Introducing the placement of Configuration Manager infrastructure (MP, DP) in the non-trusted forest environment.
- Blog 4 – Child site placement (Child Primary or Secondary) in the cross forest environment.
Keep in mind that if you set up untrusted forests to achieve security segregation (remember that the forest is the security boundary in AD), you may be breaching that segregation by managing everything with Configuration Manager. This doesn't mean you should look to use a single hierarchy in your environment; however, you should be clear on your requirements, including business, IT operations and security.