We have an odd Trusts configuration where a trusting forest is unable to enumerate users from a trusted domain. It looks like this:
- Forest "F" has a domain called tossed.salad.com
- tossed.salad.com trusts Forest "A", Forest "B", and Forest "C", where A, B, and C have created a one-way transitive Forest Level trust to tossed.salad.com, where tossed.salad.com trusts A, B, and C but A, B, and C don't trust tossed.salad.com
- Tossed.salad.com is adding users to an application share and is able to add users from Forests B and C, which works fine and as expected
- Forest A has 3 trees in it. The Root is a domain named cabbage.veggie.com which has the one-way transitive Forest trust to tossed.salad.com.
- The other trees, lettuce.veggie.com and cucumber.veggie.com, both have Tree-Root transitive trusts to cabbage.veggie.com.
- Tossed.salad.com is unable to enumerate users from lettuce.veggie.com to add them to the application share.
My understanding of Tree-Root trusts is that they are treated just like parent-child trusts, where all parties trust one another, so in theory tossed.salad.com should be able to see user accounts from lettuce.veggie.com.
Why can't tossed.salad.com see user accounts from lettuce.veggie.com?