In order for this to work you have to specify the trusts for each domain, as required:
- Select the domain in Manager, then under "Tasks" select "Specify trust relationships". Then choose the domains.
Then when you assign groups to users you can select from trusted domains.
You can see where this is coming from in the condition for the group assignment (when "Show field definition" is enabled):
((isnull(IsApplicationGroup, 0) = 0) and (
UID_ADSContainer in (
select UID_ADSContainer from ADSContainer
where Ident_Domain = N'mydomain'
or Ident_Domain in
where Ident_DomainTrusted = N'mydomain')
Please note: it may also be necessary to include a value for "Also look for group members in following domains" in the sync configuration.