I’ve had many Duo customers ask whether it is possible to use just the root domain of an Active Directory forest to synchronise all users, including those in child domains of the same forest. This is indeed possible, and it saves time when syncing users from AD to Duo: point the sync at the global catalogue port instead of the standard LDAP/S ports of 389/3269.
One important thing to note is that the child domains must be part of the same forest for this to work. Domains that are NOT part of the same forest will need to be added to Duo separately if you wish to sync users from them.
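Before switching the Duo sync to the global catalogue port, it is worth confirming which domain controllers are actually global catalogue servers and seeing the difference for yourself. The PowerShell below is an added example, not Duo's code or documentation; it assumes a forest root of corp.example.com with a domain controller dc01.corp.example.com and a user jsmith living in a child domain, all of which are placeholder names to replace with your own.

```powershell
# Added example (not Duo's code): compare a root-domain LDAP search with a
# global catalogue search for an account that lives in a child domain.
# Assumed names: forest root corp.example.com, DC dc01.corp.example.com,
# child-domain user jsmith. Replace them with values from your own forest.
Import-Module ActiveDirectory

$RootDc    = 'dc01.corp.example.com'
$ChildUser = 'jsmith'   # sAMAccountName of an account in a child domain

# 1. Only global catalogue servers answer on 3268/3269, so list them first.
$Forest = Get-ADForest
"Forest root:     $($Forest.RootDomain)"
"Global catalogs: $($Forest.GlobalCatalogs -join ', ')"
"Child domains:   $((Get-ADDomain -Identity $Forest.RootDomain).ChildDomains -join ', ')"

# 2. Check that the chosen DC really listens on the GC ports.
#    3268 is plain LDAP; 3269 is GC over TLS and is the one to give Duo.
foreach ($Port in 3268, 3269) {
    $Ok = (Test-NetConnection -ComputerName $RootDc -Port $Port `
              -WarningAction SilentlyContinue).TcpTestSucceeded
    "Port $Port on $RootDc reachable: $Ok"
}

# 3. Standard LDAP (389) against the root DC only searches the root domain's
#    own partition, so the child-domain account is not returned.
$Std = Get-ADUser -Server "${RootDc}:389" `
           -Filter "sAMAccountName -eq '$ChildUser'" -ErrorAction SilentlyContinue
"Found via 389:  $([bool]$Std)"

# 4. The global catalogue (3268) holds a read-only partial replica of every
#    domain in the forest, so the same filter now finds the child-domain account.
$Gc = Get-ADUser -Server "${RootDc}:3268" `
          -Filter "sAMAccountName -eq '$ChildUser'" -Properties mail, userPrincipalName
"Found via 3268: $([bool]$Gc)"
if ($Gc) { $Gc | Select-Object DistinguishedName, UserPrincipalName, mail }
```

Two things to keep in mind when reading the output. First, 3268 is unencrypted; use 3269 (LDAPS to the global catalogue) for the Duo sync itself, so credentials and user attributes do not cross the network in the clear. Second, the global catalogue only replicates the partial attribute set for objects from other domains, so an attribute you map into Duo that is not part of that set will come back empty for child-domain users even though the account itself is found; add it to the partial attribute set in the schema, or map a different attribute, before relying on it.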
Duo have provided more information here.