I'll get to the question first. My server, which is part of a child domain, is sending LDAP requests to the primary root domain/forest controllers. Why? I don't want this to happen.
Here is the setup
2 total domains
Root domain/forest = abc.com
Child domain = xyz.abc.com
DC in child domain = AD1.xyz.abc.com
Another server in the child domain has ad1.xyz.abc.com as the ONLY DNS and WINS server. Of course that server is part of the xyz.abc.com domain. The firewall blocks all AD communication (DNS, WINS, LDAP, RPC, Kerberos, SAM/LSA, NetBIOS, NTP, etc.) EXCEPT traffic between the primary and child domain DCs.
Logins to the child domain with primary domain accounts are slow (but successful), most likely since LDAP-UDP communications from the server are purposefully blocked. Is it asking too much for my child DC to do ALL the authentication work? Why are my other servers even trying to contact the root domain? The reason I am doing this is for security, but I don't know if it is a good or best practice.
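A diagnostic that shows where the root-domain LDAP traffic comes from, added here as an example and not part of the original post. Active Directory publishes its Global Catalog SRV records under the forest root DNS zone (`_gc._tcp.abc.com` and `_ldap._tcp.gc._msdcs.abc.com`), so a member of xyz.abc.com that needs a GC (universal group expansion at logon, cross-domain name resolution) asks ad1.xyz.abc.com about abc.com and, if the only GCs it learns about are root-domain DCs, opens LDAP to them. The script assumes the setup above (child domain xyz.abc.com, DNS server ad1.xyz.abc.com) and is run on the member server; `dc1.abc.com` is a placeholder to replace with whatever NameTarget the SRV queries return.

```powershell
# Added diagnostic, not from the original post. Run on the member server in
# xyz.abc.com whose only DNS server is ad1.xyz.abc.com (assumed from the post).
$ForestRoot  = 'abc.com'
$ChildDomain = 'xyz.abc.com'
$Dns         = 'ad1.xyz.abc.com'

# The DC locator finds Global Catalog servers through SRV records that live in
# the forest root zone, so a child-domain member still queries abc.com names.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$ChildDomain",   # DCs for the child domain
    "_gc._tcp.$ForestRoot",                # GCs, registered under the forest root
    "_ldap._tcp.gc._msdcs.$ForestRoot",    # GCs again, under _msdcs of the root
    "_ldap._tcp.dc._msdcs.$ForestRoot"     # DCs for the root domain itself
)

foreach ($name in $srvNames) {
    Write-Host "== $name"
    try {
        Resolve-DnsName -Name $name -Type SRV -Server $Dns -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object NameTarget, Port, Priority, Weight |
            Format-Table -AutoSize
    } catch {
        Write-Host "  no answer: $($_.Exception.Message)"
    }
}

# Ask the DC locator which GC and which DC it picks right now, bypassing its
# cache. If the GC it returns is a root-domain DC, that is the LDAP traffic
# (port 3268/3269) going to abc.com.
nltest /dsgetdc:$ChildDomain /gc /force
nltest /dsgetdc:$ChildDomain /force

# Confirm whether that GC is reachable through the firewall on the GC port.
# 'dc1.abc.com' is a placeholder; use the NameTarget returned above.
Test-NetConnection -ComputerName 'dc1.abc.com' -Port 3268 -InformationLevel Quiet
```

If the `_gc._tcp.abc.com` answer lists only root-domain DCs, the member server has no GC in its own domain to use; if `ad1.xyz.abc.com` is made a GC (or the firewall allows the member to reach a root GC on 3268/3269), the locator will stop choosing a blocked host and the slow logons with root-domain accounts should clear up.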