Cross-domain, single forest
As a general rule, the VAS client will only use "Unix enabled" security groups that reside in the same domain as the VAS client, or in the default account domain for the VAS client.
Each Unix host running VAS builds a persistent cache of user and group information. By default, the cache is built from users and groups in the same domain to which the Unix host is joined. You can change the searchbase from which users or groups are loaded by using the group-search-path and user-search-path options. These search paths can either restrict the location from which the users and groups are loaded, or specify a searchbase in an entirely different domain. This is useful in organizations that use Resource Domains, where computer objects are stored in a separate domain from the domains where users and groups are located.
You can specify a group or user search path using the -g or -u options to the vastool join command. For example, the following command joins the Unix host to the computers.example.com domain, and loads users from the base of the sub.example.com domain:
# /opt/quest/bin/vastool -u admin join -u DC=sub,DC=example,DC=com computers.example.com
You can change the default user or group searchbase at any time by adding the group-search-path and user-search-path options to the [vasd] section of /etc/opt/quest/vas/vas.conf and running vastool flush. See the vas.conf man page for an example.
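To audit which domain a host actually loads users and groups from, the following added example (not taken from the VAS documentation) reads the [vasd] search paths from a vas.conf-style file and lists any searchbase that lies outside the joined domain. The function names and the sample file are constructed for illustration, and the DN handling assumes no escaped commas in the searchbase.

```shell
#!/bin/sh
# Constructed sample configuration (not a real host's vas.conf).
sample_conf() {
    cat <<'EOF'
[libdefaults]
 default_realm = COMPUTERS.EXAMPLE.COM
[vasd]
 user-search-path = DC=sub,DC=example,DC=com
 group-search-path = OU=Unix Groups,DC=computers,DC=example,DC=com
EOF
}

# Print "option<TAB>searchbase" for each search-path option found in [vasd].
vasd_search_paths() {
    awk '
        /^[ \t]*\[/ { in_vasd = ($0 ~ /^[ \t]*\[vasd\][ \t]*$/); next }
        in_vasd && /^[ \t]*(user|group)-search-path[ \t]*=/ {
            opt = $0; sub(/^[ \t]*/, "", opt); sub(/[ \t]*=.*/, "", opt)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
            printf "%s\t%s\n", opt, val
        }
    ' "$1"
}

# Convert the DC= components of a distinguished name to a DNS domain name.
dn_to_domain() {
    printf '%s\n' "$1" | tr ',' '\n' | awk '
        { sub(/^[ \t]*/, "") }
        toupper(substr($0, 1, 3)) == "DC=" { d = d (d ? "." : "") substr($0, 4) }
        END { print tolower(d) }'
}

# List search-path options whose searchbase is outside the joined domain.
# $1 = path to vas.conf, $2 = DNS name of the domain the host is joined to.
cross_domain_paths() {
    vasd_search_paths "$1" | while IFS="$(printf '\t')" read -r opt base; do
        dom=$(dn_to_domain "$base")
        [ "$dom" = "$2" ] || printf '%s -> %s\n' "$opt" "$dom"
    done
}
```

On a joined host, run `cross_domain_paths /etc/opt/quest/vas/vas.conf computers.example.com`, substituting the host's own domain; each line of output names a domain whose trust with the joined domain must be working.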
Make sure that the AD trust between the domains is working. See Microsoft's documentation for further details.