NEED GUIDANCE FOR CROSS-FOREST SUPPORT CONFIGURATION IN SCCM
I need guidance and advice for implementing cross-forest support in an existing SCCM environment. Below is the scenario:
We have Forest-A with an SCCM server which acts as the Primary Site server with the MP and WSUS roles installed on it. We also have 30 DPs in Forest-A which provide services to 500+ servers.
My client has recently acquired 2 new organizations; let's name them Forest-B and Forest-C. Each of these forests has multiple domains and child domains.
My client wants to manage all servers (almost 2000+ Windows servers) of Forest-B and C via the SCCM of Forest-A.
They have established only a one-way AD trust between Forest-A and Forest-B, where we are now able to search objects of Forest-B under Forest-A DCs.
They don't want to establish any AD trust between Forest-A and Forest-C.
My client has the below requirements:
1> They don't want to extend the AD schema in Forest-B and Forest-C with SCCM's attributes and classes.
2> They want to manage all servers of Forest-B and C via the SCCM of Forest-A.
3> They want to set up a new DP server in each of Forest-B and C so that those client machines can get the software update policies from the Forest-A SCCM MP and content from the new DP server.
4> They also want SCCM console access for the technicians from Forest-B and C so that they can install the SCCM client on their servers, create SUGs and push patching deployments for their servers from the Forest-A SCCM console without needing our intervention.
I have done following steps:
1> Created conditional forwarders in the DNS of Forest-B and Forest-C for Forest-A and vice versa.
2> As AD schema extension is not allowed in Forest-B and C by my client, I have created SRV (Service Location) records in the DNS of Forest-B and C which point to the MP-related information of my Forest-A SCCM server.
3> Created the "System Management" container in Forest-B and delegated Full Control permission to a new service account of Forest-B. My Forest-A SCCM-related info got published in the DC of Forest-B. I haven't done this step yet in Forest-C as there is no AD trust for this forest.
4> Configured AD Forest Discovery in my SCCM for Forest-B and it was successful. I can see the status as success in the SCCM console, but my SCCM server is still not able to pull the AD sites and subnets information of Forest-B.
5> Configured AD System Discovery in my SCCM for Forest-B and I am able to see all objects of Forest-B under the "Devices" node of the Forest-A SCCM console.
6> Tried a manual installation on a test server of Forest-B, but it was not able to communicate with my Forest-A SCCM MP and not able to download the client installation content. Tried telnet to port 80 from the test server to the Forest-A MP, but it did not connect. Hence I am checking with the network teams of both forests.
7> If the above steps are correct then I will follow the same steps on Forest-C.
I need guidance & suggestion for below points:
1> Can I manage all clients of Forest-B from the existing MP of the Forest-A SCCM, or do I need to build a new MP in Forest-B to manage those clients?
2> How to configure and set up a new DP in Forest-B, as I can't add my existing SCCM computer account of Forest-A to the "Administrators" group in Forest-B because there is only a 1-way AD trust between them.
3> How to delegate rights for Forest-B technicians on my SCCM (of Forest-A) console so that they can manage only their devices. Does this require a new MP in Forest-B?
4> If I get a solution for the above step, then I need help to limit the access rights of the Forest-B technicians so that they can manage only their collections, create SUGs and do patching deployments on their collections only. They should not be able to see other device collections, to avoid any misuse.
Kindly help me with proper guidance and solutions so that I can manage all devices of Forest-B and C from my existing SCCM (of Forest-A).
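For point 4 (limiting what the Forest-B technicians can see and touch), the ConfigMgr RBAC model does this without a second MP: a device collection that contains only Forest-B systems, a security scope for the objects those technicians own, and an administrative user bound to both. The script below is an added example written for this thread, not the poster's configuration or Microsoft's sample code; the site code, the Forest-B DNS suffix, the technician group name and the choice of the built-in "Software Update Manager" role are assumptions (that role covers SUGs and update deployments; client push install would need a further role).

```powershell
# Added example: least-privilege console access for Forest-B technicians via ConfigMgr RBAC.
# Placeholders (assumptions): site code 'PS1', Forest-B DNS suffix 'forestb.local',
# technician security group 'FORESTB\SCCM-Techs'. Run on a machine with the console installed.
$SiteCode      = 'PS1'
$ForestBSuffix = 'forestb.local'
$TechGroup     = 'FORESTB\SCCM-Techs'

# Load the console's PowerShell module and switch to the site drive.
Import-Module ($Env:SMS_ADMIN_UI_PATH.Substring(0, $Env:SMS_ADMIN_UI_PATH.Length - 5) + '\ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# 1. Collection that contains only Forest-B servers, driven by AD System Discovery data
#    (FullDomainName is populated by discovery, so no schema extension is needed in Forest-B).
$collName = 'Forest-B Servers'
$coll = Get-CMDeviceCollection -Name $collName
if (-not $coll) {
    $coll = New-CMDeviceCollection -Name $collName -LimitingCollectionName 'All Systems'
    $query = "select SMS_R_System.ResourceId, SMS_R_System.Name from SMS_R_System " +
             "where SMS_R_System.FullDomainName like '%.$ForestBSuffix' " +
             "and SMS_R_System.OperatingSystemNameandVersion like '%Server%'"
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $collName -QueryExpression $query -RuleName 'Forest-B servers'
}

# 2. Security scope: SUGs, packages and deployments created by Forest-B technicians
#    are tagged with it, so other scoped admins cannot see or change them.
$scopeName = 'Forest-B'
if (-not (Get-CMSecurityScope -Name $scopeName)) {
    New-CMSecurityScope -Name $scopeName -Description 'Objects owned by Forest-B technicians' | Out-Null
}
# Tag the collection with the Forest-B scope and drop it from 'Default',
# otherwise every admin holding the Default scope still sees it.
Add-CMObjectSecurityScope -Name $scopeName -InputObject $coll
Remove-CMObjectSecurityScope -Name 'Default' -InputObject $coll -Force

# 3. Administrative user: role limited to the Forest-B scope and to the Forest-B collection
#    (and its sub-collections), so devices of Forest-A are not visible in their console.
if (-not (Get-CMAdministrativeUser -Name $TechGroup)) {
    New-CMAdministrativeUser -Name $TechGroup `
        -RoleName 'Software Update Manager' `
        -SecurityScopeName $scopeName `
        -CollectionName $collName | Out-Null
}

# 4. Check the effective assignment (roles, scopes and collections) before handing over access.
Get-CMAdministrativeUser -Name $TechGroup |
    Select-Object LogonName, RoleNames, CategoryNames, CollectionNames
```

The collection restricts which devices the technicians can see and target; the security scope restricts which SUGs, packages and deployments they can open, and objects they create from their console are placed in their scope automatically.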