On Mon, Oct 26, 2020 at 8:04 PM Louis Abel via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

* Like in the comments, don't add that on the IPA server's sssd.conf, only to the clients enrolled to the IPA domain.
* I cannot remember if it also drops the @domain for the groups as well. You'll have to test this for yourself and see.

Yes, it applies to groups as well.

When you do this, you *may* have to put the AD domain as the "default_realm" in /etc/krb5.conf.  If you do, just make sure that the "[domain_realm]" section has a line for that host to the IPA realm.  At least that's what we've done, and things seem to work well for both the AD users and the hosts in the IPA realm.
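
A check for the krb5.conf arrangement described in the message above, as an added example that is not part of the original thread: it reports whether a host has an explicit "[domain_realm]" line mapping it to the IPA realm when "default_realm" is the AD domain. The realm and host names are constructed placeholders, and the lookup is a simplified reading of "[domain_realm]" (exact host name first, then dotted parent domains).

```python
# Added example. SAMPLE_KRB5_CONF is constructed; all realm/host names are placeholders.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = AD.EXAMPLE.COM

[realms]
  IPA.EXAMPLE.COM = {
    kdc = ipa1.ipa.example.com
  }

[domain_realm]
  client1.ipa.example.com = IPA.EXAMPLE.COM
  .ad.example.com = AD.EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Collect flat 'key = value' relations per [section]; skip nested { } blocks."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if depth:  # inside a braced block such as a [realms] entry
            depth += line.endswith("{") - (line == "}")
        elif line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                depth = 1
            else:
                current[key] = value
    return sections


def check_host(conf_text, hostname, ipa_realm):
    """Return (ok, realm, matched_key) for the explicit [domain_realm] mapping of hostname."""
    conf = parse_krb5_conf(conf_text)
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    labels = hostname.lower().rstrip(".").split(".")
    # Exact host name first, then each parent domain written with a leading dot.
    candidates = [".".join(labels)]
    candidates += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for name in candidates:
        if name in mapping:
            return mapping[name] == ipa_realm, mapping[name], name
    return False, None, None  # no explicit line for this host


if __name__ == "__main__":
    for host in ("client1.ipa.example.com", "client2.ipa.example.com"):
        print(host, check_host(SAMPLE_KRB5_CONF, host, "IPA.EXAMPLE.COM"))
```

A result of `(False, None, None)` means the host has no explicit line and its realm is left to whatever the Kerberos library resolves on its own.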
