Hi,
In organizations with large numbers of users, it is prudent to deploy an offline standalone root CA and then use enterprise subordinate CAs for the certificate deployment and management.
Normally speaking, the auto-enrollment configuration is not based on Active Directory topology.
A user from site A can automatically receive a certificate from a CA in site B if he has auto-enrollment permission on a certificate template in the CA in site B.
If you want to deny the user from site A the ability to receive a certificate from the CA in site B, you have to deny auto-enrollment permission on all templates in the CA in site B.
AD DS site awareness can be used to help optimize certificate services client requests. This functionality is not enabled by default on the certification authority (CA).
So if we have multiple CAs in various sites, the certificate template name in these CAs is the same, and the same users or computers have the same permissions for these certificate templates, the users or computers will select one CA depending on site costs; if all CAs are available, they will select a CA with low site costs.
To enable certificate services site awareness, the msPKI-Site-Name attribute must be populated for the certification authority (CA) object in the Enrollment Services container of Active Directory Domain Services (AD DS). The Enrollment Services container is in the Configuration container of AD DS under CN=Public Key Services, CN=Services,CN=Configuration,DC=<domainDistinguishedNamingContext>. For example, the following figure shows a CA named CPANDL-ECA1 has an msPKI-Site-Name attribute value of Main.
For more details, you can refer to the following link:
https://social.technet.microsoft.com/wiki/contents/articles/14106.ad-ds-site-awareness-for-ad-cs-and-pki-clients.aspx
Best Regards,
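An added example, not from the post above, showing how an administrator can populate msPKI-Site-Name on a CA's Enrollment Services object with PowerShell and verify the result. It assumes the RSAT ActiveDirectory module is available and that the CA name and site name (CPANDL-ECA1 and Main, taken from the post) are replaced with your own values.

```powershell
# Added example (not from the post above): populate msPKI-Site-Name on a CA's
# pKIEnrollmentService object so site-aware clients prefer the nearest CA.
# Assumptions: RSAT ActiveDirectory module is installed; run as an account that
# can write to the Configuration partition (e.g. Enterprise Admins).
Import-Module ActiveDirectory

$caName   = 'CPANDL-ECA1'   # CA name used in the post; replace with your own
$siteName = 'Main'          # AD DS site name used in the post; replace with your own

# Enrollment Services lives under CN=Public Key Services in the Configuration NC.
$configNC = (Get-ADRootDSE).configurationNamingContext
$esDN     = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

# Sanity check: the site must exist, otherwise clients will never match it.
$site = Get-ADReplicationSite -Filter "Name -eq '$siteName'"
if (-not $site) { throw "AD DS site '$siteName' does not exist" }

# Locate the pKIEnrollmentService object for this CA and show the current value.
$ca = Get-ADObject -SearchBase $esDN `
        -LDAPFilter "(&(objectClass=pKIEnrollmentService)(cn=$caName))" `
        -Properties msPKI-Site-Name
if (-not $ca) { throw "CA object '$caName' not found under $esDN" }
"Before: msPKI-Site-Name = '$($ca.'msPKI-Site-Name')'"

# Populate (or overwrite) the attribute; this is what enables site awareness for this CA.
Set-ADObject -Identity $ca.DistinguishedName -Replace @{ 'msPKI-Site-Name' = $siteName }

# Verify, and list every CA with its site so a CA that is still missing the value stands out.
Get-ADObject -SearchBase $esDN -LDAPFilter '(objectClass=pKIEnrollmentService)' `
             -Properties msPKI-Site-Name |
    Select-Object Name, @{ n = 'Site'; e = { $_.'msPKI-Site-Name' } } |
    Format-Table -AutoSize

# Which site does this client resolve to? Clients compare this against msPKI-Site-Name.
[System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
```

Changes to the Configuration partition replicate forest-wide, so allow for replication latency before expecting clients in other sites to pick up the new value.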