The best way to do this would be to dump one of the PGP UN clusters and change the DNS for PGP Desktop to point the clients to the other PGP UN server. The users would have to re-enroll to add themselves to the new PGP UN. The new PGP UN could have both AD servers under directory sync; that’s not an issue whilst you migrate to a forest.