When you configure a domain to use Kerberos cross-realm authentication, you add properties for each Kerberos realm to the Kerberos configuration file. You also include the name of each realm when you run infasetup commands to enable Kerberos authentication in the domain and on domain nodes.
The Active Directory servers that the domain uses for Kerberos cross realm authentication must belong to the same Active Directory forest. An Active Directory forest is a group of Active Directory domains that share a common global catalog, directory schema, logical structure, and directory configuration. You connect to the global catalog to import users from the Active Directory servers into LDAP security domains.
To use Kerberos cross domain authentication, two-way trust must be enabled between the Active Directory servers in the forest.