I have a new 2012 R2 root forest domain (Forest A) which has DirectAccess configured for Windows 7 (certificate) clients.
We also have another 2003-level forest (Forest B) which hosts user accounts and servers. Geographically both forests are in the same location, so no multisite deployment is in place.
I want to issue laptops joined to Forest A to staff that have a user account in Forest B.
All works fine in the office; however, when connecting remotely via DirectAccess, the Forest B users can only ping servers in either Forest A or Forest B.
If I then log into the same client laptop with a user account from Forest A, I can access resources in both forests.
My understanding of DirectAccess was that as long as I have entries in the NRPT for the forests, authentication would work as in the office, i.e. across the two-way trust, and that DirectAccess security was around client configuration, NOT user account configuration. Is that right?
Do I need to make any further DirectAccess configuration changes to allow users in Forest B to be able to access any resources on the corporate network?
I have come across the following: http://technet.microsoft.com/en-us/library/jj591657.aspx#AccessForest2 which deals with accessing resources in a second forest, and it is how I currently have it set up. Forest A users CAN access resources in either forest, while users from Forest B on Forest A-joined clients CAN'T access resources in either forest.
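A first thing to verify on an affected Windows 7 client is whether the effective NRPT actually carries an entry for both forests' DNS suffixes and whether names in each forest resolve to an IPv6 address that DirectAccess can route. The script below is an added diagnostic, not part of the original post or of any Microsoft tooling; it parses the output of `netsh namespace show effectivepolicy` (the Windows 7 equivalent of Get-DnsClientNrptPolicy), so the `Settings for` line format it matches and the two placeholder suffixes and hostnames are assumptions to replace with the real forest names.

```powershell
# Added example: check NRPT coverage and DNS resolution for both forests on a
# Windows 7 DirectAccess client. Run while connected remotely over DirectAccess.
# The suffixes and hostnames below are placeholders (assumed), not real values.
$ExpectedSuffixes = @('.foresta.example', '.forestb.example')   # assumed
$TestHosts        = @('dc1.foresta.example', 'dc1.forestb.example')  # assumed

function Get-EffectiveNrptSuffixes {
    # Assumption: each NRPT rule is printed as a line 'Settings for <suffix>'.
    $lines = netsh namespace show effectivepolicy 2>&1
    foreach ($line in $lines) {
        if ($line -match '^\s*Settings for\s+(\S+)') { $Matches[1].ToLower() }
    }
}

function Test-NrptCoverage {
    param([string[]]$Suffixes)
    $present = @(Get-EffectiveNrptSuffixes)
    foreach ($suffix in $Suffixes) {
        $covered = $present -contains $suffix.ToLower()
        # A suffix with no NRPT rule is resolved by the local (Internet) DNS,
        # so names in that forest will not reach the DirectAccess DNS64 server.
        New-Object PSObject -Property @{ Suffix = $suffix; InNrpt = $covered }
    }
}

function Test-ForestNameResolution {
    param([string[]]$Hosts)
    foreach ($h in $Hosts) {
        try {
            $addrs = [System.Net.Dns]::GetHostAddresses($h)
            # Over DirectAccess, a corporate name should yield an IPv6 address
            # (native or NAT64/DNS64-synthesised); an IPv4-only answer or a
            # failure points at NRPT/DNS rather than at user authentication.
            $v6 = @($addrs | Where-Object { $_.AddressFamily -eq 'InterNetworkV6' })
            New-Object PSObject -Property @{
                Host = $h; Resolved = $true; HasIPv6 = ($v6.Count -gt 0)
                Addresses = ($addrs | ForEach-Object { $_.IPAddressToString }) -join ','
            }
        } catch {
            New-Object PSObject -Property @{
                Host = $h; Resolved = $false; HasIPv6 = $false; Addresses = $_.Exception.Message
            }
        }
    }
}

Test-NrptCoverage -Suffixes $ExpectedSuffixes | Format-Table -AutoSize
Test-ForestNameResolution -Hosts $TestHosts | Format-Table -AutoSize
```

Run it twice, once logged on as a Forest A user and once as a Forest B user, and compare. If the NRPT coverage and resolution results are identical for both users, the NRPT and DNS64 side is fine and the difference lies elsewhere (for example, in which resources the Forest B account is actually reaching over the tunnel); if the Forest B suffix is missing from the effective policy, the DirectAccess client settings GPO needs an NRPT rule for it.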