Hello,
I'm trying to define two sssd groups in order to assign a different login shell to AD users belonging to two different AD groups in our domain FOOBAR.GLOBAL. However, all users are unable to log in and get an error "Authentication failed". If I change an sssd section to [domain/FOOBAR.GLOBAL] so as to reflect the existing AD domain, users defined in that sssd group are able to log in. However, clearly in this way I cannot define more than one section. Why is that? How can I define sssd sections with names different from the existing AD domain?
Thanks in advance. Below is my sssd.conf.
[sssd]
domains = FOOBAR_ADMINS.GLOBAL,FOOBAR_NOLOGIN.GLOBAL
config_file_version = 2
services = nss, pam

[domain/FOOBAR_NOLOGIN.GLOBAL]
ldap_user_search_filter = (memberOf=CN=Simple Users,OU=Security Groups,DC=FOOBAR,DC=GLOBAL)
default_shell = /bin/sh
ad_server = ad01.foobar.global
ad_domain = FOOBAR.GLOBAL
krb5_realm = FOOBAR.GLOBAL
realmd_tags = manages-system joined-with-adcli
cache_credentials = False
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = Simple Users@FOOBAR.GLOBAL

[domain/FOOBAR_ADMINS.GLOBAL]
ldap_user_search_filter = (memberOf=CN=Administrators,OU=Security Groups,DC=FOOBAR,DC=GLOBAL)
default_shell = /bin/bash
ad_server = ad01.foobar.global
ad_domain = FOOBAR.GLOBAL
krb5_realm = FOOBAR.GLOBAL
realmd_tags = manages-system joined-with-adcli
cache_credentials = False
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = Administrators@FOOBAR.GLOBAL