This is always a sticky topic and I’m not exactly an expert on the subject yet either.
Basically if you need separate security using different forests or domains but the users need single sign on, you should create trusts between one domain/forest and the other. This will allow users from one or both domains to access each other’s resources (one way or two way).
Ideally, if it’s all under one company/entity, administrators should not be quick to create new domains or forests unless absolutely necessary. A best practice is simply to use OUs and Deny rights as required.
Another method that I’ve not yet tried is the Active Directory Migration Tool. It supposedly can migrate passwords using the following: http://technet2.microsoft.com/WindowsServer/f/?en/library/804a418a-e8d4-473d-8517-264c87293fd21033.mspx
There’s a host of third party tools as well that can keep passwords in sync. Most are used for migrations, and I would imagine they’d work fine in an ongoing situation, but it’s not ideal. Trusts seem like a much better idea, IMO.
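As an added illustration of the one-way/two-way point above (this is not part of the original post), the following PowerShell lists the trusts of the current domain and spells out which way authentication flows across each one. It assumes the RSAT ActiveDirectory module is installed and the session has read access to the domain; it creates and modifies nothing.

```powershell
# Added example, not from the original post: inventory the trusts of the
# current domain and show which way each one lets users authenticate.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-TrustInventory {
    param(
        # Domain whose trusts to list; defaults to the domain this session is joined to
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    Get-ADTrust -Filter * -Server $Domain | ForEach-Object {
        # Direction is relative to the domain queried: an Inbound trust means
        # accounts of the partner domain can be authenticated to resources here.
        $meaning = switch ("$($_.Direction)") {
            'Inbound'       { "users of $($_.Target) can access resources in $Domain" }
            'Outbound'      { "users of $Domain can access resources in $($_.Target)" }
            'BiDirectional' { "users on either side can access the other side's resources" }
            default         { 'trust is disabled or direction unknown' }
        }
        [pscustomobject]@{
            Partner                 = $_.Target
            Direction               = $_.Direction
            Meaning                 = $meaning
            # Forest-wide (transitive) trusts reach every domain of the partner forest
            ForestTransitive        = [bool]$_.ForestTransitive
            # Trusts inside one forest are created automatically and cannot be removed
            IntraForest             = [bool]$_.IntraForest
            # Selective authentication restricts which resources the partner's users may reach
            SelectiveAuthentication = [bool]$_.SelectiveAuthentication
        }
    }
}

Get-TrustInventory | Format-Table -AutoSize
```

A two-way trust shows up as BiDirectional on both sides; a one-way trust shows as Inbound on one domain and Outbound on the partner, so running this from each side confirms the direction really is what was intended.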