I had a useful phone call with Hawk Ridge (our value-added reseller) about how EPDM logins will work with/without trusted domains. Hawk Ridge said that they do not have any clients who use EPDM over a WAN with multiple domains without trust.
In theory all the EPDM functionality (versioning, check-in/out, etc.) should work without trust, but the Admin account in the US will not be able to add users from the non-trusted domain. The Admin account on the China archive server will be the way to control local users there. The users will show up in both Admin tools, but the untrusted domain users will show up with a red plus next to their name.
From the EPDM documentation: "The archive server that hosts the vault archive manages user authentication. If the correct credentials for an active vault user account are not found on the archive server, the user account is listed in the Administration tool with a red plus symbol. Such users may not be able to log in to the vault until the issue is resolved. You can still manage vault permissions for the user account."
The big downside to not having trusted domains is for users who travel between the locations. If a US person goes to China, they will not be able to authenticate to the EPDM archive server there. They would have to VPN to the US to use EPDM. Similarly, if an employee from the China office travels to the US office and tries to use EPDM, they will not have credentials to log in to the local archive server.
It seems like we will be able to test functionality, but we will want trusted domains eventually.
We have yet to verify this info, but does it agree with anyone else's experience?
In theory EPDM login would work too. We already went to a lot of effort to get everything running on Active Directory so it would be a bit of a step back to change now. We also have a bunch of users and active projects, so we don't want to impact them at all.