In a test environment, I have two forests: abc.local and def.local.
I can ping computers by name from either forest.
There is a forest-to-forest trust created and working. The authentication is forest-wide, although I previously had it set to selective; that made no difference in the symptom below.
In each, I have one global security group called AbcUsersGlobal and DefUsersGlobal, respectively.
In def.local, I created a universal group called AbcDefUsersUniversal and added the DefUsersGlobal group to that.
I have two problems:
1. When I force replication, I cannot see the newly created universal group in abc.local.
2. From the def.local machine, I tried to add abc.local's AbcUsersGlobal group to the AbcDefUsersUniversal group, and could not find the groups from the other domain. It says "The following object is not from a domain listed in the Select Locations dialog box." That's true, but I don't know how to point to a different domain.
I think I have to explicitly identify a domain in the other forest, but I don't know how to get this to work.