AD Cross-forest authentication - groups missing from PAC

I have an Active Directory setup consisting of 2 forests:

• 1 multi-domain forest with 1 forest root domain, and 2 direct child domains
• 1 single-domain forest for DMZ publishing purposes

I have created 3 outgoing trusts in the DMZ domain, 1 transitive forest trust against the forest root domain, and 2 External Non-transitive trusts (aka. Shortcut Trusts).

All DC's in all four domains are Global Catalog servers.

I've tried to visualize it below:

Now, here is the problem. When I grant access on a resource in dmzRoot.tld to a security group in the childA domain, it works for users in childA who are member of the Security group, but not for users in the childB domain, even though they are members of the security group in childA.

Let's say I want to give local administrator access to a member server in the dmzRoot.tld for example. I add childA.ForestRoot.tld\dmzAdministrators to the local builtin Administrators group on the member server.

childA.ForestRoot.tld\dmzAdministrators has the following members:

• childA\dmzAdmin
• childB\superUser

Now, if I authenticate as childA\dmzAdmin, I can log on to the member server as a local Administrator, and if I take a look at the output from whoami /groups, the childA.ForestRoot.tld\dmzAdministrators group is clearly listed.

If I authenticate as childB\superUser however, I get a message that the account is not authorized for remote logon. If I check whoami /groups for the childB\superUser account, the childA.ForestRoot.tld\dmzAdministrators group is NOT listed.

It almost seems like the childA group SID's never get included in the PAC when authenticating childB users, even though all DC's are GC's.

I disabled PAC validation on the machine in dmzRoot.tld that I tested it on, but this did not help.

Any suggestions as to how I troubleshoot this effectively? How do I follow the trail of authentication to determine where it fails?