I may be over-thinking this.
If the source PI and destination PI are on separate domains and in different ADs, it seems to me that there will be a problem with the trust on the destination PI server. The destination PI server will need a trust, probably for the host/IP, the app, and the identity (or just use the piadmins group for identity). Is this more of a network and domain administrator question or issue?
I am concerned about trying to use a PI Identity mapped to an AD group on the source domain, and whether that will be allowed on the destination domain and the destination PI server.