Designing to support untrusted forests
In addition to supporting communication from clients in trusted forests, Configuration Manager also supports communication from clients in a forest that is untrusted from the site server's perspective.
Configuration Manager supports the installation of site system roles in an untrusted forest, with two exceptions: the application catalog web service point and the out of band service point. Both of these roles must be installed in the same forest as the site server.
When you deploy a management point in an untrusted forest, it is important that you configure a connection account so that the management point can obtain information from the database. Make sure this domain account has permission in the database. The same applies to the enrollment point. You must also use an account that has administrative permissions on the target server in the target domain to complete the installation.
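One way to grant and then audit the connection account's database permission, as an added T-SQL example that is not part of the original text. The database name `CM_XYZ` and the account `CONTOSO\svc-cm-mpdb` are placeholders. The example assumes the built-in site database role `smsdbrole_MP` is the intended grant for a management point (`smsdbrole_EnrollSvr` for an enrollment point) and that the account is one the SQL Server host can authenticate.

```sql
-- Added example: placeholder names, run in SSMS or sqlcmd against the site database.
USE [CM_XYZ];   -- placeholder site database name
GO
DECLARE @account sysname = N'CONTOSO\svc-cm-mpdb';  -- placeholder connection account
DECLARE @role    sysname = N'smsdbrole_MP';         -- use smsdbrole_EnrollSvr for an enrollment point
DECLARE @sql     nvarchar(max);

-- 1. Server login: created only if it does not already exist.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @account)
BEGIN
    SET @sql = N'CREATE LOGIN ' + QUOTENAME(@account) + N' FROM WINDOWS;';
    EXEC sys.sp_executesql @sql;
END;

-- 2. Database user mapped to that login.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @account)
BEGIN
    SET @sql = N'CREATE USER ' + QUOTENAME(@account)
             + N' FOR LOGIN ' + QUOTENAME(@account) + N';';
    EXEC sys.sp_executesql @sql;
END;

-- 3. Membership in the role-specific database role only (no db_owner, no sysadmin).
IF ISNULL(IS_ROLEMEMBER(@role, @account), 0) = 0
BEGIN
    SET @sql = N'ALTER ROLE ' + QUOTENAME(@role)
             + N' ADD MEMBER ' + QUOTENAME(@account) + N';';
    EXEC sys.sp_executesql @sql;
END;

-- 4. Audit: list every database role the account holds and flag anything extra.
SELECT r.name AS database_role,
       CASE WHEN r.name = @role THEN 'expected'
            ELSE 'review: broader than this site system role needs' END AS finding
FROM sys.database_role_members AS m
JOIN sys.database_principals   AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals   AS u ON u.principal_id = m.member_principal_id
WHERE u.name = @account;

-- 5. Audit: the connection account should not hold the sysadmin server role.
SELECT IS_SRVROLEMEMBER('sysadmin', @account) AS is_sysadmin;  -- 0 means not a member
```

The script is idempotent, so it can be re-run as a periodic check; steps 4 and 5 only read and can be run on their own once `@account` and `@role` are declared.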
You cannot deploy site systems, such as the central administration site, primary site, and secondary site, across untrusted forest boundaries. Only site system roles can be deployed in untrusted forest scenarios.