I built ours 3 years ago; it works fine, and we have auto-enrollment configured. My specific question is: have you ever worked on cross-forest enrollment using the web enrollment service? I think I'm going to have to go this way, and I've not done it into an existing PKI before.
OK, thanks. I don't use LDAP for the CRL or AIA, and I'd rather be able to uncouple it easily in the future. I've found an MS article talking about it using 2012 R2, so I'll try to build the design off that.
I have an MECM setup using HTTPS comms for clients. A second AD forest was previously managed by the same MECM, but since the switch to HTTPS, they've stopped communicating because they can't auto-enroll the certificate needed to authenticate to the management point. To get it working, I want to use the new certificate web enrollment service for silent auto-enrollment. The question I am asking is whether anyone has done this and can offer guidance.