You do not have to deploy Microsoft CAs in a forest to deploy certificates to the domain controllers in that forest. For example, if your organization has two forests (as shown in Figure 26-2), you can manually request and issue domain controller certificates to the three domain controllers in the extranet.fabrikam.com forest from the CA hierarchy in the internal.fabrikam.com forest.
Figure 26-2. A network deployment with two forests: internal.fabrikam.com and extranet.fabrikam.com
For this example, assume that the CA hierarchy shown in Figure 26-3 is deployed in the internal.fabrikam.com forest.
Figure 26-3. The ...