We had similar issues when we deployed Identity director as part of VCF 4.2 this last year. For us, we ended up having to create an LDAP connector to each of our 2 domains. Thankfully, we only had 2 of them, so it wasn't a huge hardship. Additionally, we are only using VMware Identity for our IT team to use with federation and NSX, so duplicating groups in each domain wasn't that much of an issue. Please reply if you find a better way to leverage the Universal groups. I had opened a ticket at the time, and was told that there wasn't really a better way to do it. Best of luck!