We are merging with another company and have two forests: forest1 (2k8 native) and forest2 (2k8 DCs but still 2k3 native because of 1x2k3 DC). There is a two-way forest trust between the two forests. Forest1 is a single-domain forest and hosts the merging company's users, whereas forest2 has a root and child domain, with our users being hosted in the child domain.
Now the crux of our problem is Citrix/XenApp, but the question is pure Windows so bear with me... We have a XenApp environment to provide virtual desktop and application services and we want to be able to allow users in forest1 to use these for some of our LOB apps. Some of the Xen servers live in our root domain whereas others are in our child domain. What we've run into is the XenApp servers in our child domain can't "see" the forest1 domain.
Citrix's response is that we should create an additional two-way external trust between the forest1 domain and the child domain - they have a paper addressing this exact scenario. I am aware that a forest trust is transitive and supports Kerberos authentication, whereas the old external "NT" style trust is domain to domain only, is non-transitive and only supports NTLM authentication.
With that out of the way, my question is: are there any perils to adding the additional external trust between the forest1 domain and my child domain while maintaining the forest trust? Does it introduce any precedence issues where authentication is concerned? Is it just plain NOT SUPPORTED?
John K Landes
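A check to go with the question above, added here and not part of the original post: it inventories the trusts of the current forest and its domains through System.DirectoryServices.ActiveDirectory and flags any partner that is reachable through both a forest trust and a separate domain-level external trust, which is the overlap being asked about. It assumes it is run as a domain user on a machine joined to forest2; the function names are mine.

```powershell
# Added example, not from the original post. Inventories every trust the current
# forest and its domains hold, then flags partners that have both a forest trust
# and a domain-level external trust. System.DirectoryServices.ActiveDirectory
# ships with .NET 2.0, so this runs on Server 2008 without the AD PowerShell module.
Add-Type -AssemblyName System.DirectoryServices

function Get-TrustInventory {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $rows = @()
    # Forest trusts are held by the forest root; TrustType is Forest (transitive, Kerberos-capable)
    foreach ($t in $forest.GetAllTrustRelationships()) {
        $rows += New-Object PSObject -Property @{
            Scope = "Forest:$($forest.Name)"; Partner = $t.TargetName
            Type = $t.TrustType; Direction = $t.TrustDirection
        }
    }
    # External trusts are held by an individual domain; TrustType is External (non-transitive, NTLM)
    foreach ($d in $forest.Domains) {
        foreach ($t in $d.GetAllTrustRelationships()) {
            $rows += New-Object PSObject -Property @{
                Scope = "Domain:$($d.Name)"; Partner = $t.TargetName
                Type = $t.TrustType; Direction = $t.TrustDirection
            }
        }
    }
    return $rows
}

function Find-OverlappingTrusts {
    param([array]$Inventory)
    # A partner reached through more than one trust type is the forest+external overlap
    $Inventory | Group-Object Partner | Where-Object {
        @($_.Group | Select-Object -ExpandProperty Type -Unique).Count -gt 1
    }
}

$inv = Get-TrustInventory
$inv | Sort-Object Partner, Scope | Format-Table Scope, Partner, Type, Direction -AutoSize
foreach ($g in Find-OverlappingTrusts -Inventory $inv) {
    $detail = ($g.Group | ForEach-Object { "$($_.Scope)=$($_.Type)/$($_.Direction)" }) -join ', '
    Write-Warning "Partner $($g.Name) is reachable through more than one trust: $detail"
}
```

Because a forest trust is listed both at forest scope and under the root domain, the same partner appearing twice with Type Forest is expected; only a mix of Forest and External for one partner triggers the warning.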