I have a forest with two domains - D1 and D2; functional level is 2003. I built a new domain in a new forest - NewD; functional level is 2008. I need to be able to authenticate D1 users in NewD. DNS is set up with secondary zones for the other domain in each domain, and zone transfers are working. I made a two-way domain trust (NOT a forest trust) between the two domains, and it validated. My problem: I can authenticate in D1 with NewD users, but when I go to NewD, the D1 domain does not show up in the list of available domains, so I can't authenticate D1 users in the NewD domain.
Two questions: Can I use stub zones instead of secondary zones in the DNS? And do I need to do a two-way FOREST trust for the authentication to work? Or maybe there is just some setting I am missing in my 2008 DCs that will allow the D1 domain to be seen. Any help is much appreciated.