Using a CA with different domains
I have 3 domains and they all have a 2-way trust established. 2 of the domains need to use the CA in the 3rd domain. Do I need to install sub-CAs or similar in the two domains that are to use the 3rd domain's CA?
October 24th, 2011 2:23am
If all domains are part of the same forest, you can use a single CA for all domains in the forest. Otherwise you can do:
1) set up at least 1 CA in each forest
2) use cross-forest enrollment:
http://technet.microsoft.com/en-us/library/ff955842(WS.10).aspx
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference:
on TechNet wiki
October 24th, 2011 2:59am
When you say part of the same forest do you mean child domain?
October 24th, 2011 4:40am
I mean forest. Any AD domain is a member of a forest. A single forest may contain multiple domains. A Windows CA is a forest-wide resource and is automatically available for any domain in the particular forest.
October 24th, 2011 6:26am
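Added example, not part of the original thread: a PowerShell query that lists the Enterprise CAs published in the current forest. Enterprise CAs are registered as `pKIEnrollmentService` objects in the Configuration naming context, which replicates to every domain controller in the forest, which is why one CA is visible from every domain in that forest and not from a separate forest. It assumes a domain-joined machine and an account with read access to the directory.

```powershell
# Added example: inventory the Enterprise CAs visible to this forest.
# Run from any domain in the forest; the result is the same because the
# Configuration naming context is replicated forest-wide.
$rootDse   = [ADSI]'LDAP://RootDSE'
$configNC  = [string]$rootDse.Properties['configurationNamingContext'].Value
$container = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$container"
$searcher.Filter      = '(objectClass=pKIEnrollmentService)'
$searcher.SearchScope = 'OneLevel'
foreach ($attr in 'cn', 'dNSHostName', 'certificateTemplates') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$results = $searcher.FindAll()
try {
    foreach ($entry in $results) {
        # Property names in search results are stored in lower case.
        [pscustomobject]@{
            CAName    = [string]$entry.Properties['cn'][0]
            Host      = [string]$entry.Properties['dnshostname'][0]
            Templates = @($entry.Properties['certificatetemplates']) -join ', '
        }
    }
}
finally {
    # SearchResultCollection holds unmanaged resources.
    $results.Dispose()
}
```

An empty result in a forest that is expected to enroll certificates means no Enterprise CA is published there, which is the situation the cross-forest enrollment option addresses.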
We will be using 3 domains in 3 different forests, so I think the cross-forest enrollment is the way to go.
Thanks for the advice.
October 24th, 2011 6:29am
Exactly.
October 24th, 2011 6:35am


