"Security identifier could not be resolved" with a one-way trust in Windows 2012 R2

Applies to: Windows Server 2012 Datacenter, Windows Server 2012 Essentials

Symptoms


Consider the following scenario:
  • Remote Desktop Connection Broker (RDCB) and Remote Desktop Virtualization Host (RDVH) are in Domain A.
  • Remote Desktop users are in DomainB\RD_USER_GROUP.
  • RD_USER_GROUP is a "Security Group - Universal" group.
  • Domain A and Domain B are in different forests.
  • Domain A trusts Domain B through a one-way trust.
When you try to add DomainB\RD_USER_GROUP directly to the VDI collection in Domain A, you receive the following error message:

The security identifier could not be resolved. Ensure that a two-way trust exists for the domain of selected users.

Cause


A two-way trust is required in this scenario.

Resolution


To resolve this issue, change the one-way trust to a two-way trust.
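
To confirm the trust direction before and after the change, the following PowerShell check can be run on a server in Domain A. It is an added example, not part of the original article; it assumes the ActiveDirectory module is installed, and `domainb.example` is a placeholder for the DNS name of Domain B.

```powershell
# Added example (not from the original article).
# Run on a domain-joined server in Domain A, e.g. the RD Connection Broker.
# Assumes the ActiveDirectory module (RSAT-AD-PowerShell) is installed.
Import-Module ActiveDirectory

# Placeholder values: replace with your own.
$TrustedDomain = 'domainb.example'        # DNS name of Domain B (placeholder)
$GroupAccount  = 'DOMAINB\RD_USER_GROUP'  # group from the scenario above

# 1. Read the trust object that Domain A holds for Domain B.
$trust = Get-ADTrust -Filter "Name -eq '$TrustedDomain'"

if (-not $trust) {
    Write-Warning "No trust object named $TrustedDomain exists in the local domain."
}
else {
    $trust | Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication

    # Direction is reported from the local domain's point of view:
    #   Outbound      = local domain trusts the other domain (the one-way case here)
    #   Inbound       = other domain trusts the local domain
    #   BiDirectional = two-way trust
    if ($trust.Direction -eq 'BiDirectional') {
        "Trust with $TrustedDomain is two-way."
    }
    else {
        Write-Warning "Trust with $TrustedDomain is $($trust.Direction); this scenario requires a two-way trust."
    }
}

# 2. General name-to-SID lookup from this server. This is a plain lookup check,
#    not the same code path the collection wizard uses, so a success here does
#    not by itself mean the wizard will accept the group.
try {
    $sid = ([System.Security.Principal.NTAccount]$GroupAccount).Translate(
        [System.Security.Principal.SecurityIdentifier])
    "Resolved $GroupAccount to $($sid.Value)"
}
catch [System.Security.Principal.IdentityNotMappedException] {
    Write-Warning "$GroupAccount could not be resolved to a SID from this server."
}
```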