I know there are plenty of threads on AD integration & Run As accounts\Profiles, but none quite answering my scenario...so here goes.
1 forest containing 2 domains: abc.com and def.com.
abc.com contains the SCOM 2012 infrastructure (Mgmt Servers (MS1, MS2), Ops DB, Reporting DWDB).
abc.com
1. Created SCOM Admins Global Security group
2. Created SCOM_MS_Action domain user account (used during SCOM setup & also Local Admin on all abc.com machines via Action Account AD group/GPO)
3. Ran MomADAdmin.exe DEV-OPSMGR12 "abc\SCOM Admins" abc\SCOM_MS_Action abc.com
(SCOM_MS_Action added to SCOM Admins group as a result)
4. Created Auto Agent Assign rule for abc.com against MS1 for "servers", Run As Profile left as default setting.
RESULT: All servers in abc.com populated MS_PrimarySG_xxx group as expected.
def.com
5. Created SCOM Admins Global Security group
6. Created SCOM_AD_Assign domain user account
7. Ran MomADAdmin.exe DEV-OPSMGR12 "def\SCOM Admins" def\SCOM_AD_Assign def.com
(SCOM_AD_Assign added to SCOM Admins group as a result)
8. Created Run As Account (Windows) "def\SCOM_AD_Assign"
Do I need to create this?
9. Set "def\SCOM_AD_Assign" Run As account to "More Secure"
Is "More Secure" correct, otherwise "Less Secure" causes errors on abc.com clients?
10. Created Run As Profile "def AD Agent Discovery" & assigned to Default Management Pack
Do I need to create a new Run As Profile?
Was this the correct MP, as when creating a new MP I got errors about it being unsealed when assigning to the new Auto Agent Assign rule? I was under the impression never to use the Default MP?
11. Associated "def\SCOM_AD_Assign" Run As account to "def AD Agent Discovery" Run As Profile, targeting "All Objects"
Is this correct?
Is this correct?
12. Created Auto Agent Assign rule for def.com against MS1 for "servers", Run As Profile changed to "def AD Agent Discovery."
RESULT: def.com contains OperationsManagement\DEV-OPSMGR12 container but no MS_PrimarySG_xxx group exists?
Do I need to add my Run As account to the "Active Directory Based Agent Assignment Account" Run As Profile as well as/instead of creating a Run As Profile? - and if so, do I target All Objects, Class, Group, Object?
Thanks in advance - I find these Run As accounts very confusing when it comes to multiple domains!
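An added diagnostic to run against def.com, not something from the poster or from the SCOM product: it checks that the OperationsManagement\DEV-OPSMGR12 container exists, lists what MomADAdmin.exe and the assignment rule have created under it (the MS_PrimarySG_xxx groups and per-management-server service connection points), and shows which rights def\SCOM_AD_Assign holds on that container, since the assignment rule runs under that account and a missing ACE produces an empty container without any console error. It assumes the RSAT ActiveDirectory module is installed and a def.com domain controller is reachable; the domain, management group and account names are taken from the post.

```powershell
# Added diagnostic (not from the original post). Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$Domain       = 'def.com'                 # domain with the empty container (from the post)
$MgmtGroup    = 'DEV-OPSMGR12'            # management group name passed to MomADAdmin.exe
$RunAsAccount = 'def\SCOM_AD_Assign'      # Run As account used by the assignment rule
$DomainDN     = (Get-ADDomain -Server $Domain).DistinguishedName
$MgContainer  = "CN=$MgmtGroup,CN=OperationsManagement,$DomainDN"

# 1. Does the management group container created by MomADAdmin.exe exist?
try {
    $container = Get-ADObject -Server $Domain -Identity $MgContainer -Properties whenCreated
    "Container found: $($container.DistinguishedName) (created $($container.whenCreated))"
} catch {
    throw "Container $MgContainer not found in $Domain - MomADAdmin.exe did not complete for this domain"
}

# 2. What sits directly below it? A working assignment shows MS_PrimarySG_<n> /
#    MS_SecondarySG_<n> groups plus a serviceConnectionPoint per management server.
$children = Get-ADObject -Server $Domain -SearchBase $MgContainer -SearchScope OneLevel -Filter *
if (-not $children) {
    "Container is empty: no security groups or SCPs have been created yet"
} else {
    $children | Select-Object Name, ObjectClass | Format-Table -AutoSize
}

# 3. Which rights does the Run As account hold on the container? The assignment rule
#    creates the groups under this identity, so no ACE here means no groups, silently.
New-PSDrive -Name DefAD -PSProvider ActiveDirectory -Server $Domain -Root '' | Out-Null
$acl = Get-Acl -Path "DefAD:\$MgContainer"
$aces = $acl.Access | Where-Object { $_.IdentityReference -eq $RunAsAccount }
if (-not $aces) {
    "No ACE for $RunAsAccount on $MgContainer - rerun MomADAdmin.exe with this account"
} else {
    $aces | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}
Remove-PSDrive -Name DefAD
```

Run it from a machine in the forest as a user that can read def.com; step 3 needs only read access to the container's security descriptor.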