If you have the option to allow trusted domains enabled, yes, this is normal & expected.

Another way that this could happen is if there is a referral on the response from the server. If this happens, the IVE/MAG will reach out to the servers/domains that are required by the referral from the DC.

Zanyterp,

Thanks for the reply.  I have it defined as an LDAP server instead of AD so the allow trusted domain option wasn't available.  I'll reach out to our server guy regarding the referral.

You are right, we narrowed down our group search filter yesterday to only search the container holding our group memberships and it's no longer reaching out to the child domains.

We've run across another issue though and I'm hoping you might be able to help; the SA sits in one environment, and we have a one-way trust relationship with another DC in a separate forest.  I'm able to authenticate users in the local domain on the appliance but not from the trusted domain.  According to JTAC, authentication with AD using cross-forest trust is not supported.

Is it possible to define a RADIUS server as auth, and still use LDAP as the authorization server to pull group memberships?  I'm a bit cloudy on how the group fetching wil work when using RADIUS, or if you have any other suggestions that would be great.

Yeah we found that out the hard way.  A JTAC rep suggested that cross-forst trust is possible using a two-way trust - have you ever tried that?  Just trying to wrap my head around why the appliance would care of the the trust was one vs two way.