AD flaky cross-domain group resolution
Here's the gist ...
umontana.edu is the forest root.
umt.edu is a forest domain
gs.umt.edu is a child domain
missoula.campus is a forest domain
umt.edu contains all the departmental group management and faculty/staff users.
gs.umt.edu was created to take care of a FQDN forward/reverse DNS lookup and is essentially a container for machine accounts.
missoula.campus contains all the auto-created student accounts. There is no by-hand administration allowed in missoula.campus.
In 10.4.x I could bind to umt.edu (legacy) or gs.umt.edu (though for some reason I had to use a domain admin for gs.umt.edu). While bound to gs.umt.edu or umt.edu I could authenticate as users in umt.edu or missoula.campus. Group resolution worked between both domains ... i.e. missoula.campus users that exist in umt.edu groups would resolve correctly and consistently. See examples below.
In 10.5.3 and above (anything before just wouldn't work right at all) I *must* bind to the forest root (umontana.edu) to be able to authenticate both umt.edu and missoula.campus accounts. The issue however is that a missoula.campus user does not consistently resolve umt.edu group memberships. See examples below. Since my entire access control model is based on group memberships in umt.edu groups, this throws an enormous wrench in the works.
In 10.4.11 bound to gs.umt.edu my missoula.campus user returns this after issuing an id ...
[code]j010-peet:/Users/MacAdministrator pm823892e$ whoami
pm823892e
j010-peet:/Users/MacAdministrator pm823892e$ id
uid=2087054781(pm823892e) gid=1162965876(MISSOULA\domain users) groups=1162965876(MISSOULA\domain users),
1721646871(UM\kaimin-staff), 589919297(UM\kaimin-everyone), 617388752(GS\peettestgroup), 386296534(UM\jour-wikis-acadmicit),
1819484444(GS\jour-everyoneprint), 580497234(UM\jour-students), 224635167(UM\jour-localadmin), 1533278465(UM\jour-web),
1440117765(UM\jour-everyone)
j010-peet:/Users/MacAdministrator pm823892e$[/code]
In 10.5.4 bound to umontana.edu my missoula.campus user returns this after issuing an id ...
[code]bash-3.2$ whoami
pm823892e
bash-3.2$ id
uid=2087054781(pm823892e) gid=1162965876(MISSOULA\domain users) groups=1162965876(MISSOULA\domain users),
1030(AcademicIT),1033(jourwww)[/code]
Could anyone point me in the right direction to see why this is failing? It's more than a bit frustrating. I've got 5 servers built from the same base image and running the exact same updates. All bound in the same domain. At this moment 3 and 4 are resolving group memberships correctly. 1,2 and 5 are not. Two days ago after restarting and rebinding them all they all were resolving correctly.
thanks.
peet
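The two `id` listings above differ in whether any UM\ (umt.edu) groups appear at all, which is the symptom worth checking on each of the five servers before relying on group-based access control. The script below is an added example, not code from the original post: it parses `id`-style output and counts groups qualified with a given NetBIOS domain prefix, so a missing set of cross-domain groups can be flagged instead of silently turning into a denied (or wrongly granted) login. The two sample strings are constructed to mirror the post's 10.4.11 and 10.5.4 output; the NetBIOS names UM, GS and MISSOULA are taken from that output and the minimum expected count is an assumption you would set per site.

```shell
#!/bin/sh
# Added example (not from the original post). Checks whether `id` output
# contains groups from a given NetBIOS domain, e.g. UM for umt.edu.

# Constructed samples modelled on the post's two listings (joined onto one
# line, as a real `id` call prints them).
ID_OK='uid=2087054781(pm823892e) gid=1162965876(MISSOULA\domain users) groups=1162965876(MISSOULA\domain users),1721646871(UM\kaimin-staff),589919297(UM\kaimin-everyone),617388752(GS\peettestgroup)'
ID_BAD='uid=2087054781(pm823892e) gid=1162965876(MISSOULA\domain users) groups=1162965876(MISSOULA\domain users),1030(AcademicIT),1033(jourwww)'

# count_domain_groups "<id output>" "<NETBIOS>"
# Prints how many entries in the groups= list carry the "NETBIOS\" prefix.
count_domain_groups() {
    printf '%s\n' "$1" | awk -v dom="$2" '{
        sub(/^.*groups=/, "")          # keep only the comma-separated group list
        n = split($0, g, ",")
        c = 0
        for (i = 1; i <= n; i++)
            if (index(g[i], "(" dom "\\") > 0) c++   # "(UM\" marks a UM group
        print c
    }'
}

# check_resolution "<id output>" "<NETBIOS>" "<min expected>"
# Returns 0 when at least <min expected> groups from that domain resolved,
# 1 otherwise (the flaky case the post describes).
check_resolution() {
    n=$(count_domain_groups "$1" "$2")
    if [ "$n" -ge "$3" ]; then
        echo "OK: $n group(s) from $2 resolved"
        return 0
    fi
    echo "FLAKY: only $n group(s) from $2 resolved (expected >= $3)"
    return 1
}

# Demo on the constructed samples. On a bound Mac, replace the sample with
# "$(id pm823892e)" to test a real account; a non-zero exit means the
# cross-domain groups did not come back on this host.
check_resolution "$ID_OK" UM 1
check_resolution "$ID_BAD" UM 1 || true
```

Running `check_resolution "$(id <user>)" UM 1` from a cron job or login hook on servers 1 through 5 gives a quick per-host record of when resolution drops out, which is more useful for correlating with rebinds and restarts than spot-checking by hand.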