RHEL IdM has an option to enable serving information about AD users and groups in the compatibility tree (RFC2307) when converting IdM master to AD trust controller. At the same time, AD trust controller can designate other IdM masters to be able to resolve information about AD users and groups by promoting them to AD trust agents.
However, there is no way to configure the compatibility tree on AD trust agents to serve information about AD users and groups. As result, if legacy clients are configured to use the compatibility tree on AD trust agents as opposed to AD trust controllers, information about AD users' group membership will be missing.
We should provide means to enable this functionality in the compatibility tree on AD trust agents independently from converting AD trust agent to AD trust controller.