Our production IPA servers are currently at ipa-server-4.9.12-11.module+el8.9.0+20824+f2605038.x86_64. (Planning is underway to migrate to new RHEL 9.3 servers.) We have a 1-way trust established with AD. All active users are in AD with the POSIX attributes defined. Overall, this has worked well. However, lately we have been seeing more incidents where IPA periodically marks the domains in the AD forest as Disabled, and then accounts cannot get resolved. Not all AD groups have gidNumber defined, but those groups that are used in the IPA environment do. I have noticed that some users in these POSIX AD groups do not have the POSIX attributes. I have a couple of broader questions I've never really been entirely certain about and would like clarification on if possible.

1. Is IPA "OK" with some AD groups not having gidNumber defined? It's my understanding that IPA will just ignore these groups, but I just wanted to confirm that. I ask because I see in the IPA logs, it is continually complaining about some AD groups that happen to not have a gidNumber, and I thought IPA would just ignore these.

2. If an AD group does have gidNumber defined, how well will IPA handle any group members without POSIX attributes? Will IPA just ignore these users, or will it be a more serious problem?

3. What's the best way to determine why IPA marks an AD domain as "Disabled"? We see this frequently happen. Often it will shortly afterward flip back to "Active", but sometimes that takes much longer. Obviously, if they are disabled too long, then AD accounts cannot be resolved if they are no longer in the SSSD cache.

4. Does "Domain resolution order" need to contain all the domains in the AD forest, or only those domains with actual user accounts? I ask because I see IPA trying all the discovered domains and I know for a fact that those users/groups are not in those domains.

Thanks,
Amos