Symptoms


After adding a second domain, it looks like we can assign tasks through the workspace to people in that domain using worklists -> redirect. It also appears that when we assign the destination user through the workflow, they do have that slot (I can see their name in the destination list when viewing worklist items for that instance). However, the user in the other domain does not appear to be getting the email.
 

Diagnoses


In troubleshooting this, we first checked whether users were being properly resolved by K2. To test this, we used the UMUser "GetUserDetails" method.

We ran this against a user in the second domain and saw that no properties were returned for this user. We then checked the identity.identity table and saw that the user in question was "disabled" in the identity cache. We then referred to the ADUM error log to obtain further details.

We then used the ADS tester tool, as well as ldapadministrator, to verify that we could connect to LDAP on :389.

After enabling full logging for the AD User manager, we found a debug message referencing an error communicating with the second domain over RPC.
 

Resolution

Once we had enabled logging and verified the issue, we opened the ports needed for RPC: TCP/UDP 135 as well as 1024-65535. Note that the "randomly allocated high ports" can be controlled by changing a setting in RPC, so that a smaller range may be opened.
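
One way to confirm the firewall change from the K2 server, as an added example that is not part of the original article: the PowerShell below probes LDAP, the RPC endpoint mapper and a few RPC high ports on a domain controller in the second domain, and separates ports that are filtered from ports that answer. The host name and the high port numbers are placeholders, and only TCP is checked.

```powershell
# Added example. Placeholders: use a domain controller in the second domain and
# ports on which an RPC service on that DC is listening (take them from the DC).
$DomainController = 'dc01.seconddomain.example'   # hypothetical host name
$RpcPorts         = 49152, 50000, 65000           # constructed sample of high ports

function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($ComputerName, $Port)
        # No reply within the timeout: packets are most likely dropped by a firewall.
        if (-not $task.Wait($TimeoutMs)) { return 'Filtered' }
        return 'Open'
    }
    catch {
        # Unwrap the PowerShell/AggregateException wrappers to the socket error.
        $inner = $_.Exception.GetBaseException()
        if ($inner -is [System.Net.Sockets.SocketException] -and
            $inner.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) {
            # The host answered with a reset: the path is open, nothing listens there.
            return 'Reachable, no listener'
        }
        return "Error: $($inner.Message)"
    }
    finally {
        $client.Close()
    }
}

$checks = @(
    [pscustomobject]@{ Service = 'LDAP';                Port = 389 }
    [pscustomobject]@{ Service = 'RPC endpoint mapper'; Port = 135 }
)
$checks += $RpcPorts | ForEach-Object {
    [pscustomobject]@{ Service = 'RPC high port'; Port = $_ }
}

$checks | ForEach-Object {
    [pscustomobject]@{
        Service = $_.Service
        Port    = $_.Port
        State   = Test-TcpPort -ComputerName $DomainController -Port $_.Port
    }
} | Format-Table -AutoSize
```

A `Filtered` result on a high port is only conclusive when a service is actually listening on that port, because the firewall on the target host can silently drop connections to ports with no listener.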




 