Tuesday, March 25, 2008

Design SCCM 2007 in multiple forests deployment

I have collected this from here and there. I had the chance to plan a deployment in a 4-forest network: SCCM was deployed in the central forest, and clients will be distributed across the other 3, so I decided to go with a mixed-mode secondary site in each forest. Here are the design/configuration notes:
1.1 External Forests Design:

When deploying Configuration Manager 2007 across multiple Active Directory forests, plan for the following considerations when designing your Configuration Manager 2007 hierarchy:

· Communications within a Configuration Manager 2007 site
· Communications between Configuration Manager 2007 sites
· Support for clients across forests
· Configuring clients across Active Directory forests
· Approving clients (mixed mode) across Active Directory forests
· Roaming support across Active Directory forests
· Cross-forest communications between Configuration Manager sites
Data is sent between sites in a Configuration Manager 2007 hierarchy to enable central administration within a distributed model. For example, advertisements and packages flow down from a primary site to a child primary site, and inventory data from child primary sites is sent up to the central primary site. This information is sent between site servers in the hierarchy when the site communicates with a parent or child site. Data sent between sites is signed by default, and because sites in different Active Directory forests cannot automatically retrieve keys from Active Directory, a manual key exchange using the hierarchy maintenance tool (Preinst.exe) is required to configure inter-site communication.

When one or more sites in the Configuration Manager 2007 hierarchy reside within a different Active Directory forest, Windows user accounts have to be configured to act as addresses for site-to-site communications, except in the following scenario:

Important: All Active Directory forests are configured for the forest functional level of Windows Server 2003 and have a two-way forest trust.

The same design concept applied to branch offices will be applied to forests: it is recommended to have a secondary site in each forest with fewer than 200 clients, and a child site in each forest with more than 200 clients.

Note: A distribution point cannot be installed by itself in a remote forest.
1.1.1 Client assignment in multiple forests:

If the clients will not roam from one forest to another during the assignment process, then you can extend the AD schema in your new forest and the clients in this forest will find their site and assign successfully (on the assumption that they are all domain-joined and not workgroup computers). If the clients are on the original forest's network during assignment, this won't work - they will need to obtain site information from a server locator point (SLP).

Once assigned, clients in the second forest then need to find their default management point. If they are on the second forest's network and the schema is extended, they will find their default management point from AD. However, if they are on the original forest's network, locating the default management point via AD will probably fail (although I'm not 100% sure of this - could they locate a GC server in their own forest?), and they will need an alternative mechanism - which could be DNS, or SLP, or WINS.

For the clients to be assigned, the following must be configured correctly:

· Boundaries must not overlap between sites.
· AD schema extended in each forest.
· Make sure that you have an SLP for the hierarchy (central site) and that clients can locate it as their backup mechanism for service location (the easiest way is to assign it during client installation).
· Make sure that DNS resolves all server names between the different namespaces (e.g. forwarders, stub zones, or root hints).
· Configure DNS publishing for the default management point, and specify the DNS suffix for the client during installation.

With this combination, clients will try to use their local AD for site assignment and for locating a management point. If this fails, they will use the SLP for site assignment, and DNS for locating the management point.
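The first prerequisite above, non-overlapping boundaries across sites, is easy to get wrong once every forest has its own site. The following is an added example (not from the original post, and not a Configuration Manager tool): it takes a constructed set of site codes with IP subnet and IP address range boundaries, the two address-based boundary types, and reports every pair of boundaries from different sites that share an address, which is the condition that makes site assignment ambiguous.

```python
from ipaddress import ip_address, ip_network
from itertools import combinations

# Constructed sample hierarchy (hypothetical site codes and addresses, not from
# any real deployment): a central primary site and one mixed-mode secondary
# site per remote forest. The last S02 boundary deliberately overlaps CEN.
SITE_BOUNDARIES = {
    "CEN": ["10.0.0.0/16"],                          # central site, home forest
    "S01": ["10.1.0.0/24", "10.1.1.0/24"],           # secondary site, forest 1
    "S02": ["10.2.0.0/24", "10.0.5.1-10.0.5.100"],   # secondary site, forest 2
}


def to_interval(boundary):
    """Turn one boundary into (ip_version, first, last) as inclusive integers.

    Accepts an IP subnet in CIDR form ("10.1.0.0/24") or an IP address range
    written as "first-last" ("10.3.0.10-10.3.0.50").
    """
    if "-" in boundary:
        lo, hi = (ip_address(p.strip()) for p in boundary.split("-", 1))
        if lo.version != hi.version or int(lo) > int(hi):
            raise ValueError(f"invalid IP address range: {boundary}")
        return lo.version, int(lo), int(hi)
    net = ip_network(boundary, strict=False)
    return net.version, int(net.network_address), int(net.broadcast_address)


def find_overlaps(site_boundaries):
    """Return (site_a, boundary_a, site_b, boundary_b) for every pair of
    boundaries that belong to different sites and share at least one address.

    Boundaries within one site are allowed to overlap; only cross-site overlap
    is reported, because that is what makes site assignment ambiguous.
    """
    entries = [(site, b, to_interval(b))
               for site, blist in site_boundaries.items() for b in blist]
    found = []
    for (sa, ba, (va, lo_a, hi_a)), (sb, bb, (vb, lo_b, hi_b)) in combinations(entries, 2):
        # Two inclusive intervals of the same IP version overlap when each
        # starts no later than the other ends.
        if sa != sb and va == vb and lo_a <= hi_b and lo_b <= hi_a:
            found.append((sa, ba, sb, bb))
    return found


if __name__ == "__main__":
    for sa, ba, sb, bb in find_overlaps(SITE_BOUNDARIES):
        print(f"overlap: {sa} {ba} <-> {sb} {bb}")
```

Feed it the boundary list exported from each site in the hierarchy and fix any reported pair before rolling out clients; AD site boundaries still need to be checked separately, since they are not address-based.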
1.1.2 Accounts and Security requirements:

In order to allow communication between sites in different forests, the following criteria have to be met:

· All Active Directory forests are configured for the forest functional level of Windows Server 2003 and have a two-way forest trust.
· Sender addresses use domain user accounts that are valid within the target forest, to enable site-to-site communication.
· The sender account has to be a local administrator on each server with a child site role installed.

1 comment:

Anonymous said...

Amazing as always