A new KB article (2877933) was released (FAST PUBLISH type) regarding the RD Connection Broker being in a separate domain as the RD Virtualuzation Hosts. In that case the domain trust must be two-way
“…Consider the following scenario:
- RDCB and RDVH are in DomainA
- RD users are in DomainB\RD_USER_GROUP, RD_USER_GROUP is a “Security Group - Universal"
- DomainA and DomainB are in different forests
- DomainA one-way trusts DomainB
When you tried to add DomainB\RD_USER_GROUP directly to VDI collection in DomainA, we got an error “The security identifier could not be resolved. Ensure that a two-way trust exists for the domain of selected user.
Two-way trust is required for this scenario to work
Change one-way trust to two-way trust…”