If the remote domain does not trust the ER domain, the node cannot be deployed to a machine in the remote domain, because the node service account has to authenticate to the ER server.
When collecting from a non-trusted domain, there are 2 options:
If using one ER instance, the following ports need to be open:
When configuring the discovery, alternate credentials need to be selected so that the discovery runs as an account that has read rights to the remote domain (and not as the node service account). On the first page of the discovery configuration, select "Use alternate credentials" and choose an account that has read rights to the remote domain.
When you add the remote domain to the discovery Scope, if the domain does not appear in the Available Scopes window, right-click Active Directory, select Add domain, and enter the FQDN of the remote domain.
If you decide to install a separate ER instance in the remote domain, no additional ports need to be open between the first ER server and the remote domain. You configure the discoveries the same way as you did on the first ER server. The disadvantage of this approach is that you have 2 separate ER instances to maintain, with separate databases, separate discoveries and separate reporting.