When a workstation or server attempts to authenticate a user on another domain, does the workstation or server contact the other domain's DC directly to authenticate after contacting the local domain DC? Or does the local domain DC do the authentication request on behalf of the workstation?
Example:
I currently have two domains: hosted.contoso.com and office.contoso.com.
All users are created in the office.contoso.com domain, so a user [email protected] wants to log in to a machine host1.hosted.contoso.com. Does host1.hosted.contoso.com need to have visibility to domain-control.office.contoso.com directly?
The user Smith is authenticated on domain office.contoso.com. This domain is in trust with hosted.contoso.com and provides the user Smith with a ticket for the host1.hosted.contoso.com.
In other words: the user is authenticated in its own domain (the other domain can't verify). So when the user connects to a foreign domain, the DC creates a valid ticket for the other domain (if the domains are trusted). So in your example, host1 doesn't need to see dc.office, but dc.office needs a connection to dc.hosted.
Also have a look at http://blogs.msdn.com/anthonw/archive/2006/08/02/686041.aspx