My three favorites are:
Cross-forest certificate autoenrollmentMakes it possible to share a CA server between multiple forests, will work for XP/2003 clients and later OS's.
HTTP certificate enrollmentThis is effectively a reverse-proxy enrollment feature via HTTP, can also be configured to only allow renewals via HTTP while maintaining the old enrollment behaviour internally.This is however a Windows 7-client only feature.
AD Recycle BinGone are the days of panic authoritative restores because someone just deleted your main OU, with W2k8 R2 comes the ability to undo that change before the objects are permanently deleted.
Changes to existing components:V3 certificate templates for Standard EditionYou won't need the Enterprise Edition to be able to edit your certificate templates anymore, you will however need it for Cross-forest enrollment still.
...more to come.
Active Directory Certificate Services Overview [lists the differences between the SKU's for ADCS]http://technet.microsoft.com/en-us/library/cc755071.aspx
PingBack from http://www.windowsaffinity.com/?p=1952
I am currently working on implementing cross-forest CA, and am having some permissions errors when enrolling. Unfortunately, I haven't found any good information on how to effectively troubleshoot the issue.
If you're looking for information about pre-W2k8 R2 and cross-forest CA implementations, try
For W2k8R2 and Win7, try
A generic search on
http://www.bing.com/search?q=cross-forest+enrollment&src=IE-SearchBox&FORM=IE8SRC also has some good links.