I have a single forest with 2 domains in it.
Remote sites have a mix of users from both domains.
All of my domain controllers are global catalogs and trusts are set up.
Do I need to have a domain controller for both domains at each remote site to authenticate users, or can a single global catalog server that is in one domain authenticate users in the other domain?
I'm trying to avoid WAN traffic if possible and avoid having multiple domain controllers at each site.
Best Answer
A DC in another domain, whether a GC or not, cannot authenticate users from another domain, whether trusted or not.
So no, you won't be able to have a single DC for domain "BOB" and be able to authenticate users from domain "MARY" via that GC DC. The DC in "BOB" will have to pass MARY\joe off to a DC in MARY domain for actual authentication. So if you don't want to traverse the WAN link back to a DC in MARY domain, you'll need 1 DC for BOB domain and 1 DC for MARY domain at each location.
But auth traffic for a user across a WAN is actually pretty minuscule overall. If your links aren't saturated or prone to going down, you're likely just fine traversing the WAN.
More info: How Domain and Forest Trusts Work
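An added example, not part of the question or the answer above, for checking the situation the answer describes: it lists, per AD site, which forest domains have a domain controller present, so you can see at which sites users of a given domain would have to cross the WAN to reach a DC of their own domain. It assumes the ActiveDirectory RSAT module and read access to the forest.

```powershell
# Added example (not from the original thread): per-site inventory of which
# forest domains have a DC present. A GC from domain BOB cannot authenticate
# MARY users, so a site with no MARY DC sends MARY logons over the WAN.
# Assumes the ActiveDirectory module (RSAT) and read access to the forest.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$domains = @($forest.Domains)   # DNS names of every domain in the forest
$sites   = @($forest.Sites)     # every AD site defined in the forest

# Collect every DC in the forest, tagged with its domain and site.
$dcs = foreach ($d in $domains) {
    Get-ADDomainController -Filter * -Server $d |
        Select-Object Name, Domain, Site, IsGlobalCatalog
}

foreach ($site in $sites) {
    $inSite  = @($dcs | Where-Object { $_.Site -eq $site })
    $present = @($inSite | Select-Object -ExpandProperty Domain -Unique)
    # Domains with no DC in this site: their users authenticate across the WAN.
    $missing = @($domains | Where-Object { $present -notcontains $_ })

    [pscustomobject]@{
        Site           = $site
        DCs            = ($inSite | ForEach-Object { "$($_.Name) ($($_.Domain))" }) -join ', '
        MissingDomains = ($missing -join ', ')
    }
}
```

Any site whose MissingDomains column is non-empty is one where the answer's WAN round-trip applies for users of those domains.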