
2016 RD Services in Parent/Child domain configuration

Hello, I have a parent/child domain configuration. All of my RD Infrastructure machines (Gateway/Web cluster, Broker, Licensing) live in the Parent.domain. All of my Session host servers, and users/groups are in the Child.parent.domain.

When I create my rule in the gateway, users in the child.parent.domain can only connect to their server if "Allow users to connect to any network resource" is selected in the RAP.

If I assign the specific computer group (located in the child.parent.dom) to the RAP, the connection goes all the way through to "Loading Virtual Machine" and acts as if it will connect, then at the last second fails out with the standard "User not Authorized" error...

Users get this same experience if they go through RDWeb or straight RDP using the gateway.

I think the solution is similar to the issue in this post: https://social.technet.microsoft.com/Forums/en-US/b9111b86-6679-46df-92c6-d03b7dd0a186/rd-gateway-cap-and-child-domain?forum=winserverTS but since my setup is slightly reversed I can't seem to get the group organization across the child and parent domains correct.

Does anyone have any thoughts what I might be missing?
Thanks!

 Ian
Coralon, Senior Citrix Engineer

Commented:
Are the users members of the local 'Remote Desktop Users' group on the session hosts?

Coralon
Architect
Distinguished Expert 2018
Commented:
First, create one universal group in the parent domain
Create a global group in the child domain and add your users to that group
Now add the child domain global group to the parent universal group
Set this universal group in the RD CAP and RD RAP policy on the RD gateway server
Also modify the RDS collection properties and make the above universal group RDS enabled; this will add the universal group to the "Remote Desktop Users" local group on each RD session host
Then try
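
The group nesting from the steps above, as an added PowerShell example that is not part of the original answer. The group names, user names, collection name, broker host name and the NetBIOS name `PARENT` are hypothetical placeholders; only the two domain names come from the question. Selecting the universal group in the CAP and RAP is done in RD Gateway Manager and is not scripted here.

```powershell
# Added example; run with rights to create groups in both domains.
Import-Module ActiveDirectory
Import-Module RemoteDesktop

$ParentDomain = 'parent.domain'           # from the question
$ChildDomain  = 'child.parent.domain'     # from the question
$ParentGroup  = 'RDS-Access-Universal'    # hypothetical group name
$ChildGroup   = 'RDS-Users-Global'        # hypothetical group name
$Users        = @('user1', 'user2')       # hypothetical child-domain accounts
$Collection   = 'ExampleCollection'       # hypothetical collection name
$Broker       = 'broker.parent.domain'    # hypothetical broker FQDN

# 1. Universal security group in the parent domain.
New-ADGroup -Name $ParentGroup -GroupScope Universal `
    -GroupCategory Security -Server $ParentDomain

# 2. Global security group in the child domain, holding the users.
New-ADGroup -Name $ChildGroup -GroupScope Global `
    -GroupCategory Security -Server $ChildDomain
Add-ADGroupMember -Identity $ChildGroup -Members $Users -Server $ChildDomain

# 3. Nest the child global group in the parent universal group.
#    The member object is resolved against the child domain first,
#    then added while talking to the parent domain.
$childObj = Get-ADGroup -Identity $ChildGroup -Server $ChildDomain
Add-ADGroupMember -Identity $ParentGroup -Members $childObj -Server $ParentDomain

# 4. Check scope and nesting before touching the gateway policies.
$parentObj = Get-ADGroup -Identity $ParentGroup -Properties member `
    -Server $ParentDomain
if ($parentObj.GroupScope -ne 'Universal') {
    throw "$ParentGroup has scope $($parentObj.GroupScope), expected Universal"
}
if ($parentObj.member -notcontains $childObj.DistinguishedName) {
    throw "$ChildGroup is not a direct member of $ParentGroup"
}

# 5. Assign the universal group to the session collection. 'PARENT' stands
#    in for the parent domain's NetBIOS name, which the thread does not give.
#    This sets the collection's user group list, so include any group that
#    must keep access.
Set-RDSessionCollectionConfiguration -CollectionName $Collection `
    -UserGroup "PARENT\$ParentGroup" -ConnectionBroker $Broker
```

Users who were already logged on need a fresh logon before the new group membership appears in their token.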

Author

Commented:
Thank you! That did it.

Ian