I am building a new CA environment; it is going to be an enterprise CA setup in a domain that has a Forest Root and 4 Child Domains. The security folks want the Root CA to be a member of the forest root and the Subordinate CAs to be members of one of the Child domains. All the domains are separated by firewalls. I have looked and I can't seem to find a complete list of ports required to be open to allow this to happen. Does anyone know what these ports are? Also, if this is not a good design, can someone point me to some reasoning why, so I can take it back to security and see if they can be members in the same domain?