Allow relay of Active Directory discovery and publishing
Give the option to allow the discovery/publishing of Active Directory data to be relayed through a designated site system on a per-domain/forest basis. Maybe create a new role, i.e. "Active Directory Services Point", that can be set on site systems to designate them for specific AD domains/forests. This would greatly relieve permissions and firewall rules when managing clients across multiple (and sometimes untrusted) forests.