We have a domain with users and computers (domain A). This domain has a forest trust with our email provider (domain B). When an account is created on our domain (domain A) it is sync'd to domain B every two hours using Identity Lifecycle Manager (ILM).
The user account in domain b has the same details but is in a disabled state. This object has a mailbox provisioned to it and at that point a user in domain A can open outlook and see their emails. All authentication is done at domain A.
This all works fine, the problem comes when a 3rd domain is mixed in. So a user in domain c logs onto their machine and opens outlook, they need to enter domain A's credentials. This means they are managing two passwords which is not ideal, account lockouts are rampant.
How can I solve this issue? I could establish a trust but I don't think it would achieve anything. Please note, our normal solution is to migrate users into domain A but this is not possible for this particular domain.
Any thoughts? Let me know if more information is required.