Scenario: Domain Admin in one domain that has a bidirectional trust with another (target) domain.
When the trust is enabled, the computer accounts domain1$ and domain2$ are created (trust accounts). The shared secret of the two domains is the password hash of these accounts. It can be dumped as DA in one domain (and can be used for the following steps instead of krbtgt if we cannot get our hands on that one):
Despite enabling this, we would still get access denied because SIDs with a RID < 1000 are always filtered. In addition, members of Global Security Groups are also filtered. So we need to find a SID with a RID > 1000 and privileges that help us (if it is a group, it must also not be a member of Global Security Groups).
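
The filtering rule above, as an added example that is not part of the original notes: a Python audit over a constructed group export that lists the privileged principals whose SIDs would not be removed at the trust boundary, so their membership and delegations can be reviewed. The field names, group names and domain SID are assumptions; a RID of exactly 1000 is treated as not filtered, following the "< 1000" wording.

```python
import re

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

def parse_sid(sid):
    """Split a string SID into (domain part, RID); raise ValueError if malformed."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    subs = [int(x) for x in m.group(2).lstrip("-").split("-")]
    domain = f"S-1-{m.group(1)}" + "".join(f"-{s}" for s in subs[:-1])
    return domain, subs[-1]

def filter_reason(entry):
    """Why the trust boundary drops this SID, or None if it passes (rules as stated above)."""
    _, rid = parse_sid(entry["sid"])
    if rid < 1000:
        return "RID below 1000"
    if entry["in_global_security_group"]:
        return "member of a global security group"
    return None

def exposed_principals(entries):
    """Names of privileged principals whose SIDs are not removed by filtering."""
    return [e["name"] for e in entries
            if e["privileged"] and filter_reason(e) is None]

# Constructed sample export; the domain SID and all group names are made up.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = [
    {"name": "Domain Admins", "sid": f"{DOM}-512",
     "privileged": True, "in_global_security_group": False},
    {"name": "Enterprise Admins", "sid": f"{DOM}-519",
     "privileged": True, "in_global_security_group": False},
    {"name": "BUILTIN Administrators", "sid": "S-1-5-32-544",
     "privileged": True, "in_global_security_group": False},
    {"name": "Tier0-ServerOps", "sid": f"{DOM}-1134",
     "privileged": True, "in_global_security_group": False},
    {"name": "Helpdesk-Admins", "sid": f"{DOM}-1201",
     "privileged": True, "in_global_security_group": True},
    {"name": "Print-Users", "sid": f"{DOM}-1450",
     "privileged": False, "in_global_security_group": False},
]

if __name__ == "__main__":
    for e in SAMPLE:
        print(f'{e["name"]:24} {filter_reason(e) or "PASSES FILTERING"}')
    print("Review:", exposed_principals(SAMPLE))
```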