How does the connection happen between AD and the RDS server?

Trying to better understand the connection between Active Directory and the RDS server. We have a VM that runs our terminal (RDS) server and another VM for DHCP/DNS/AD of course. When I add a user to the domain it adds it in AD as a member of the Domain Users group. I then have to add the user to the Remote Operators group and VPN users group if this user needs to connect remotely. My question is: Where and how does the connection happen on the server running AD when I add the group of Remote Operators and VPN users to the user? I know that the RDS server role is set up for this, but how does adding a user to the group TALK or connect to the RDS server? Sorry if I'm not asking this correctly.

Joe Fulginiti (Network Engineer) commented:
When you configure your RDS server, you define groups that are allowed to connect to an RDS session. When a user attempts to connect to the RDS server, the RDS server asks AD if the user is in the authorized group and if the username and password are correct. AD sends the response to the RDS server and then the RDS server allows the connection.

For the VPN group, do your users need to first connect to a VPN before they can connect to the RDS server? If so, that would explain why the users would need to be added to two groups.

There are multiple threads here.
When you log on through RD Web, RD Web directly asks the DC to authenticate through the IIS API.
When you try to connect to RDSH through RemoteApps, the connection gets forwarded to the RD Connection Broker, which in turn authenticates the user with AD again; this process can be seamless to the user.
After that you can connect to the RD Session Host.
If you are trying to access RDSH from the internet, RD Gateway comes into the picture. In that case it first authenticates the user with AD, then passes the connection to the RD Connection Broker; it again needs authentication and does it via AD. Again, the process can be seamless to the user if SSO is implemented.
In short, before you connect to the RD Session Host server, you must connect to the RD Connection Broker and also authenticate with AD via it; the Connection Broker is key here.

mkramer777 (Author) commented:
Joe. Where on the RDS server can I find the groups that are defined to allow a user to connect to an RDS session?
What you are doing essentially is adding a group to the "Remote Desktop Users" local group on each server through a common console so that group members can connect to the RDS server.
You asked the question in such a manner that you need to understand the RDS workflow, which I believe I have tried to explain.
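
An added example, not posted by anyone in this thread: one way to audit what the answers above describe, by listing what is nested in the local "Remote Desktop Users" group on each session host and flagging which entries a given user matches through AD group membership. The host name `RDSH01` and the UPN `jdoe@corp.example` are constructed placeholders, and the script assumes it runs from a domain-joined machine with rights to read the remote local group.

```powershell
# Added example; host and user names are constructed placeholders.
$SessionHosts = @('RDSH01')            # hypothetical RD Session Host name(s)
$UserUpn      = 'jdoe@corp.example'    # hypothetical user principal name

function Get-RdpGroupMember {
    param([string]$ComputerName)
    # The WinNT provider reads the server's *local* group, where AD groups are nested.
    $group = [ADSI]"WinNT://$ComputerName/Remote Desktop Users,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # "WinNT://DOMAIN/Name" -> "DOMAIN\Name"
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Get-UserPrincipalName {
    param([string]$Upn)
    # Builds a token from the UPN alone (no password), so the group list
    # includes nested (transitive) AD group memberships.
    $id = New-Object System.Security.Principal.WindowsIdentity($Upn)
    # Emit the account itself first, in case it was added to the group directly.
    $id.User.Translate([System.Security.Principal.NTAccount]).Value
    foreach ($sid in $id.Groups) {
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # keep SIDs that do not resolve to a name
    }
}

$userNames = @(Get-UserPrincipalName -Upn $UserUpn)
foreach ($server in $SessionHosts) {
    foreach ($member in @(Get-RdpGroupMember -ComputerName $server)) {
        New-Object PSObject -Property @{
            Server      = $server
            AllowedName = $member
            UserMatches = ($userNames -contains $member)
        }
    }
}
```

Each output row is one entry in the server's local group; `UserMatches` is true where the user holds that entry directly or through a nested AD group. Members of the local Administrators group can also connect and are not covered by this check.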