All versions of Centrify DirectControl ZPA
It has been observed that in a 1-way trust where the resource domain trusts the accounts domain, ZPA (Zone Provisioning Agent) allows groups from the accounts domain to be added into a zone in the resource domain. The Console shows the groups as zone-enabled; however, secondary groups do not resolve across the 1-way forest trust. Commands such as adquery group or lsgroup (AIX) fail for secondary groups. Is there any reason?
This is a known limitation of ZPA and will be addressed in future releases of the product. There is a known Microsoft limitation: in a 1-way trust, it is not possible to add groups from the accounts domain. Without ZPA (i.e., when manually adding groups into zones), you will not even be able to browse to the resource domain.