Server 2012 VDI collection require two-way trust when adding user group of external domain

Applies to: Windows Server 2012 DatacenterWindows Server 2012 DatacenterWindows Server 2012 Essentials


Consider the following scenario:

1.       RDCB and RDVH are in DomainA

2.       RD users are in DomainB\RD_USER_GROUP, RD_USER_GROUP is a “Security Group - Universal"

3.       DomainA and DomainB are in different forests

4.       DomainA one-way trusts DomainB

When you tried to add DomainB\RD_USER_GROUP directly to VDI collection in DomainA, we got an error “The security identifier could not be resolved. Ensure that a two-way trust exists for the domain of selected users” 


Two-way trust is required for this scenario to work


Change one-way trust to two-way trust