How to determine domain controller used for authentication
Solution 1:
To answer your second question first:
Since you're still using NTLM, reading about the flow of NTLM in a multi-domain environment might help you out a bit with this. IIS will contact a Domain Controller (DC) in its domain, which will in turn contact a DC in the trusted domain.
The trusting DC does a DNS lookup against the trusted domain's name and sends LDAP and NetBIOS requests to all the DCs returned by that query. The first one that responds "wins". That's likely why you're seeing some non-determinism in this process. You could influence this process by monkeying with DNS.
Locating the authenticating DC is going to be a matter of either capturing the authentication traffic, or watching the Security Event Log of all the DCs where the authentication could be occurring.