I have been trying to reliably get an AD trust set up for a few weeks, and no matter what I try, when I go to add AD users to an external group in FreeIPA, I get:

"trusted domain object not found"

Googling around tends to always yield the same suggestions:

1) Check time sync
2) Check DNS
3) Check firewall

I have done all of this ad nauseam in several different environments with several different versions of FreeIPA and Windows servers.  I have gotten a setup to work maybe 2% of the time out of hundreds of attempts.

I am currently using FreeIPA 4.5.2 on Fedora 25 (out of the COPR repo).  I am trying to establish trust with a mixed Windows 2012 & 2008 forest. I have tried both one and two way trusts.  Everything seems to work fine up until I try to add AD users to FreeIPA.

I have verified all of the requisite DNS records exist and return the proper information on both sides, there are no firewalls between any of the hosts, and the AD servers and FreeIPA servers are synchronized by the same NTP servers.

What could I possibly be missing?