You must join each View Connection Server host to an Active Directory domain. The host must not be a domain controller.
Active Directory also manages the Horizon Agent machines, including single-user machines and RDS hosts, and the users and groups in your Horizon 7 deployment. You can entitle users and groups to remote desktops and applications, and you can select users and groups to be administrators in View Administrator.
You can place Horizon Agent machines, View Composer servers, and users and groups, in the following Active Directory domains:
The View Connection Server domain
A different domain that has a two-way trust relationship with the View Connection Server domain
A domain in a different forest than the View Connection Server domain that is trusted by the View Connection Server domain in a one-way external or realm trust relationship
A domain in a different forest than the View Connection Server domain that is trusted by the View Connection Server domain in a one-way or two-way transitive forest trust relationship
Users are authenticated using Active Directory against the View Connection Server domain and any additional user domains with which a trust agreement exists.
If your users and groups are in one-way trusted domains, you must provide secondary credentials for the administrator users in View Administrator. Administrators must have secondary credentials to give them access to the one-way trusted domains. A one-way trusted domain can be an external domain or a domain in a transitive forest trust.
Secondary credentials are required only for View Administrator sessions, not for end users' desktop or application sessions. Only administrator users require secondary credentials.
You can provide secondary credentials by using the vdmadmin -T command.
You configure secondary credentials for individual administrator users.
For a forest trust, you can configure secondary credentials for the forest root domain. View Connection Server can then enumerate the child domains in the forest trust.
For details, see "Providing Secondary Credentials for Administrators Using the -T Option" in the View Administration document.
Because security servers do not access any authentication repositories, including Active Directory, they do not need to reside in an Active Directory domain.