CA in a Multi-forest AD Environment
Posted on 2008-10-15
We are thinking about bringing up a CA within our organization for issuing certs to computers, and I have a question about Microsoft CA Service. We have a total of 7 AD forests in our organization and there are no trusts established among them. After reading through the Microsoft whitepaper, it seems to me the best approach (for us) is setting up one offline standalone CA and one to two enterprise subordinate CAs for each forest in our environment. Can this work? Would I be able to publish the root CA's CDP and AIA and set up subordination to multiple AD forests? I was not able to find anything regarding how a CA should be set up in a multi-forest AD environment. Please help.
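The design the post sketches (one offline standalone root, enterprise issuing CAs inside each forest) hinges on two details: the root's CDP and AIA locations must be reachable from every forest without relying on any one forest's LDAP, and the root certificate must be published into each forest's trusted-root container so that chains built by domain members validate. The following is an added illustration of those two steps, not part of the original post or of any Microsoft documentation; the host name pki.example.com, the file paths under C:\Transfer, and the CA name "Corp Root CA" are placeholders chosen for the example.

```powershell
# Added example (not from the original post). Assumes a standalone offline root CA
# named "Corp Root CA" and an HTTP server at pki.example.com (placeholder) that
# every forest can reach; the CertEnroll folder is copied to that web server.

# --- Step 1: on the offline root CA, make CDP/AIA forest-independent -------------
# certutil -setreg flag values used below:
#   1 = publish the CRL/cert to this location when the CA writes it
#   2 = include this URL in the CDP (or AIA) extension of certificates it issues
# Only the HTTP URL is embedded in issued certificates, so no LDAP path that is
# bound to a single forest ends up in the subordinate CA certificates.
certutil -setreg CA\CRLPublicationURLs '1:C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.example.com/CertEnroll/%3%8%9.crl'
certutil -setreg CA\CACertPublicationURLs '1:C:\Windows\System32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.example.com/CertEnroll/%1_%3%4.crt'
Restart-Service certsvc
# Re-issue the CRL so the new CDP settings take effect, then copy CertEnroll\*.crl
# and *.crt to the web server (offline root: move by removable media).
certutil -crl

# --- Step 2: in each of the seven forests (as Enterprise Admins of that forest) ---
# Publish the root certificate into the forest's AD trusted-root container so
# Group Policy autoenrollment distributes it to every domain member.
$rootCert = 'C:\Transfer\CorpRootCA.crt'   # placeholder path for the exported root cert
certutil -dspublish -f $rootCert RootCA

# --- Step 3: from a domain member in that forest, check the chain end to end ------
# -urlfetch forces retrieval of the AIA/CDP URLs, so a failure here means the HTTP
# location is unreachable from this forest rather than a local cache artifact.
$subCaCert = 'C:\Transfer\CorpIssuingCA.crt'  # placeholder path for the issuing CA cert
certutil -verify -urlfetch $subCaCert
```

The enterprise subordinate CA in each forest is installed with that forest's credentials and registers itself in that forest's AD as usual; only the root needs the manual publishing above, repeated once per forest. Keeping the CRL's next-update window on the root generous (it is offline) and scripting the CRL copy to the web server is the part most often forgotten in this layout.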