ISSUE: Group Policy processing isn't working when using cross-forest authentication; it works fine with local accounts in Forest B.
Implementing a new system in a segregated network with its own single domain, Forest B, with 2 DCs.
Windows 7 clients and Windows 2008 R2 DCs and application servers.
Loopback replace is defined so that all GP have to be defined in Forest B.
One-way cross-forest trust: Forest B (computer resources) trusts Forest A (user accounts).
Forest A is a multidomain environment based on Windows 2003 (30 DCs in the root, 80 DCs in subdomain A1 and 40 DCs in subdomain A2, there are other subdomains but they are not involved in the solution).
Using conditional DNS forwarders across the forests.
We have managed to activate the one-way trust between both DCs in Forest B and the 30 root DCs in Forest A; all top-level DCs have full IP connectivity on all ports for the transitive design.
Forest A with AD functional level 2003 and Forest B with AD functional level 2008.
Logon and GP processing work perfectly on the Windows 7 client when using a user account in Forest B.
The symptom is that when using a user account from subdomain A1 or A2 in Forest A to log on to the Windows 7 client (in the segregated network with Forest B), we see error messages in the pre-authentication phase.
Windows 7 by default uses AES, and my expectation was that the negotiation would have solved this via the AS_REQ / AS_REP exchange.
Today I can see in the gpevent log that the winlogon process tries 4 times to retrieve user account information but fails.
I have spent several days searching but without finding the right workaround (I have found many threads about DES, but our corporate system uses RC4 in Forest A).
The gpevent records below are from when we manage to log on to the Windows 7 client using the cross-forest trust, but the Forest B GP processing isn't working with loopback replace mode as expected.
The response times are rather short (0-1 seconds), so I do expect that the DC in the local Forest B is responding, but why isn't the GP executed as with the local user account?
### Login with Domain-A1 account
```
2012-12-06 09:56:37.993 4001 14a33e7d-06a2-4c03-85a8-c4d061b42e54 Starting user logon Policy processing for Domain-A1\user-je.
Activity id: {14A33E7D-06A2-4C03-85A8-C4D061B42E54}
2012-12-06 09:56:37.993 5320 14a33e7d-06a2-4c03-85a8-c4d061b42e54 Attempting to retrieve the account information.
2012-12-06 09:56:37.993 4017 14a33e7d-06a2-4c03-85a8-c4d061b42e54 Making system call to get account information.
2012-12-06 09:56:37.993 7017 14a33e7d-06a2-4c03-85a8-c4d061b42e54 The system call to get account information completed. The call failed after 0 milliseconds.
2012-12-06 09:56:37.993 5320 14a33e7d-06a2-4c03-85a8-c4d061b42e54 Retrying to retrieve account information.
2012-12-06 09:56:38.508 4017 14a33e7d-06a2-4c03-85a8-c4d061b42e54 Making system call to get account information.
2012-12-06 09:56:38.508 7017 14a33e7d-06a2-4c03-85a8-c4d061b42e54 The system call to get account information completed. The call failed after 0 milliseconds.
2012-12-06 09:56:38.508 5320 14a33e7d-06a2-4c03-85a8-c4d061b42e54 Retrying to retrieve account information.
2012-12-06 09:56:39.023 4017 14a33e7d-06a2-4c03-85a8-c4d061b42e54 Making system call to get account information.
2012-12-06 09:56:39.023 7017 14a33e7d-06a2-4c03-85a8-c4d061b42e54 The system call to get account information completed. The call failed after 0 milliseconds.
2012-12-06 09:56:39.023 5320 14a33e7d-06a2-4c03-85a8-c4d061b42e54 Retrying to retrieve account information.
2012-12-06 09:56:39.538 4017 14a33e7d-06a2-4c03-85a8-c4d061b42e54 Making system call to get account information.
2012-12-06 09:56:39.538 7017 14a33e7d-06a2-4c03-85a8-c4d061b42e54 The system call to get account information completed. The call failed after 0 milliseconds.
2012-12-06 09:56:39.538 7320 14a33e7d-06a2-4c03-85a8-c4d061b42e54 Error: Retrieved account information. Error code 0x54B.
2012-12-06 09:56:39.538 7320 14a33e7d-06a2-4c03-85a8-c4d061b42e54 Error: Failed to register for connectivity notification. Error code 0x4CE.
2012-12-06 09:56:39.538 7001 14a33e7d-06a2-4c03-85a8-c4d061b42e54 User logon policy processing failed for Domain-A1\user-je in 1 seconds.
2012-12-06 09:56:39.538 5315 00000000-0000-0000-0000-000000000000 Next policy processing for EMEA\kbrh967 will be attempted in 95 minutes.
2012-12-06 09:56:39.538 7320 14a33e7d-06a2-4c03-85a8-c4d061b42e54 Error: Failed to register for connectivity notification. Error code 0x4CE.
2012-12-06 09:56:39.538 1053 14a33e7d-06a2-4c03-85a8-c4d061b42e54 The processing of Group Policy failed. Windows could not resolve the user name.
This could be caused by one or more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to t
```
The plan is to disable Allow Cross-Forest User Policy and Roaming User Profiles and see how it works.
Does anyone recognize the symptoms or have a recommendation to share?
/Stefan
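The following PowerShell script is an added diagnostic for the symptoms in the post above; it is not from the original poster and does not claim to be the fix. It collects, on the Windows 7 client, the three things the log points at: the client-side loopback and cross-forest policy values, whether the DC locator can find a domain controller for the user's domain (error 0x54B is the Win32 code ERROR_NO_SUCH_DOMAIN, "the specified domain either does not exist or could not be contacted"), and the full event sequence of the last failed user-policy session correlated by ActivityId, the same way the posted log is grouped. Assumptions: the user's domain is the NetBIOS name `Domain-A1` from the post (a placeholder), and the registry value names `UserPolicyMode` (1 = merge, 2 = replace) and `AllowX-ForestPolicy-and-RUP` under `HKLM\SOFTWARE\Policies\Microsoft\Windows\System` are the policy-backed settings for loopback processing and "Allow cross-forest user policy and roaming user profiles". Run it elevated.

```powershell
# Added diagnostic script (not from the original post). Run elevated on the
# Windows 7 client that shows the 0x54B failure.
# Assumptions: $UserDomain is the NetBIOS name of the user's Forest A domain
# ("Domain-A1" is a placeholder taken from the post); UserPolicyMode and
# AllowX-ForestPolicy-and-RUP are the registry values behind the loopback and
# cross-forest policy settings; the log is Microsoft-Windows-GroupPolicy/Operational.
param(
    [string]$UserDomain = 'Domain-A1'
)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$GpLog     = 'Microsoft-Windows-GroupPolicy/Operational'

function Get-PolicyValue {
    # Returns the policy-backed registry value, or 'not set' if no GPO wrote it.
    param([string]$Name)
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { 'not set' }
}

function Decode-Win32Error {
    # Same message text Windows attaches to a Win32 error code (0x54B = 1355).
    param([int]$Code)
    (New-Object ComponentModel.Win32Exception $Code).Message
}

Write-Host '== Client-side policy settings =='
Write-Host ('UserPolicyMode (2 = loopback replace, 1 = merge): {0}' -f (Get-PolicyValue 'UserPolicyMode'))
Write-Host ('AllowX-ForestPolicy-and-RUP (1 = enabled)       : {0}' -f (Get-PolicyValue 'AllowX-ForestPolicy-and-RUP'))

Write-Host '== Error codes seen in the gpevent log =='
foreach ($code in 0x54B, 0x4CE) {
    Write-Host ('0x{0:X} ({0}): {1}' -f $code, (Decode-Win32Error $code))
}

Write-Host "== DC locator for the user's domain ($UserDomain) =="
# The GP engine needs this lookup to succeed before it can read the user object;
# ERROR_NO_SUCH_DOMAIN is what it reports when the locator cannot reach a DC.
nltest "/dsgetdc:$UserDomain" /force
Write-Host "nltest exit code: $LASTEXITCODE"

Write-Host '== Trusts as seen from this client =='
nltest /domain_trusts /all_trusts

Write-Host '== Most recent failed user-policy session, correlated by ActivityId =='
# 7001 = user policy processing failed. Pull every event with the same ActivityId
# so the 4017/7017 retry loop and the 7320/1053 errors line up as in the post.
$failed = Get-WinEvent -FilterHashtable @{ LogName = $GpLog; Id = 7001 } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($failed) {
    $aid = $failed.ActivityId
    Get-WinEvent -FilterHashtable @{ LogName = $GpLog } -MaxEvents 5000 |
        Where-Object { $_.ActivityId -eq $aid } |
        Sort-Object TimeCreated |
        ForEach-Object {
            '{0:yyyy-MM-dd HH:mm:ss.fff} {1,5} {2}' -f $_.TimeCreated, $_.Id, ($_.Message -split "`r?`n")[0]
        }
} else {
    Write-Host 'No event 7001 found in the Group Policy operational log.'
}
```

If `nltest /dsgetdc:` fails from the client while it succeeds from a Forest B DC, the problem is name resolution or port reachability from the segregated network to Forest A's subdomain DCs (the conditional forwarder must resolve the child domains, not only the forest root, and the client itself needs to reach a DC in the user's domain); if it succeeds, compare the `UserPolicyMode` and `AllowX-ForestPolicy-and-RUP` values against what the Forest B GPOs are expected to deliver before changing the cross-forest setting.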