SCCM 2012 Cross Forest Support

I've already read the great articles by Neil Peterson and Kent Agerlund on managing SCCM 2012 clients in an untrusted forest.

However, I can't find any information at all on how management will differ if there is a trust between the forests.

Obviously this is assuming that there are no SCCM primary or secondary sites on the trusted forest and that all of the SCCM infrastructure is in one forest alone.

So, how will administration differ if at all? Are there any advantages to having the two way trust between the forests if there is no requirement for primary or secondary sites on the other forest?

June 27th, 2015 5:07pm

The behavior is very similar to an untrusted forest. The biggest advantage is the one that you don't care about: the deployment of another site.

For more information, see also: https://technet.microsoft.com/en-us/library/gg712701.aspx?f=255&MSPPError=-2147217396#Plan_Com_X_Forest

June 28th, 2015 2:29am

Hi Peter,

Thank you for the reply. I was hoping to get more in-depth details of the differences between the two.

Like, if there is a trust, I take it there's no need to change the client approval mechanism as all clients are in trusted directories?

I know that without a trust it will require clients to either be approved manually or for the approval mechanism to be changed to something less secure for example.

June 28th, 2015 7:18am

I'm sorry for the low-depth answer, but I can't answer a generic question with lots of details as I don't know what you need to know. To answer your specific question: yes, the default client approval setting is sufficient for trusted forests.
June 28th, 2015 1:31pm


Deep down, as I said on the original post, the issue is that there appear to be quite a few documents on managing an untrusted forest, but nothing about how having a trust will affect it differently, or even why one would be better off (or not) having a trust (or not). I'm just after some clarification on what will be different if there is a trust in place, if there are any advantages to having a trust, and how the configuration will differ (if it differs at all).

Of course this is all assuming that there are no roles at all on the other side of the trust and that all of the SCCM infrastructure is on a single forest.

June 28th, 2015 4:45pm

Without trust you can only do device based deployments and with trusts in place, you can also do user based deployments.
June 28th, 2015 5:35pm

Is that with trust *and* a site on the other forest or just a trust will do?
June 28th, 2015 5:46pm

Consider the scenario (untrusted) when you have forest A (with the ConfigMgr server) and forest B. Now you can configure the device-based deployments for forest B clients as long as you've got the DNS working correctly from forest A (from the ConfigMgr site server, to be specific) and the clients in forest B know where to find the ConfigMgr server (again, a DNS issue). For the client deployment, you can specify a client push account that has the correct permissions (administrative) on the clients in forest B.

Now when you place trusts between forests, you can also deploy software targeted to your users. This is because the user that comes from TRUSTED forest B can now authenticate to forest A (the ConfigMgr server).

June 28th, 2015 11:01pm

This topic is archived. No further replies will be accepted.
