The environment consists of a primary domain, Domain-A, and an acquired domain, Domain-B. The domains are not in the same forest, but there is a trust between them.
Domain-A has user accounts for all the users in the acquired Domain-B, with the same sAMAccountName.
The requirement is to authenticate users from both domains and to use rollout mode for users who do not have tokens yet. It must also be possible to automatically find a user in Domain-B if the user is not a member of Domain-A.
At this time, it is confirmed that two proxies cannot run on one DSS.
Create DSSs in both domains. In the primary Domain-A, create an access node for Domain-A authentication requests. Then create another proxy access node for password-only authentication (for rollout mode). Defender will not allow a second proxy access node to be used to forward Defender users who are not found in Domain-A to Domain-B. Defender will attempt to authenticate a user to one of the proxies, but not both.
This feature may be introduced in a future version of Defender.