Thanks, that is good to know.
Instead of DNS discovery I went ahead and hard-coded the local AD server (ldap_uri/krb5_server). The server SSSD was using by default was the primary AD located across a VPN, and it was introducing a delay of a few seconds in authentication due to the latency of the connection.
I had the same problem, and instead of hard-coding our local AD server (which is ugly) I used dns_discovery_domain in the form of: <your site name>._sites.<ad realm>. This way you ensure sssd is always using the AD controller local to your site.
Ondrej
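The two approaches from this thread side by side, as an added sssd.conf sketch that is not taken from either poster's configuration. The realm EXAMPLE.COM, the site name BranchSite and the host dc-local.example.com are constructed placeholders, and the ldap/krb5 providers are assumed because the thread mentions ldap_uri and krb5_server.

```ini
# Added example; all names below are constructed placeholders.
[sssd]
services = nss, pam
domains = EXAMPLE.COM

[domain/EXAMPLE.COM]
id_provider = ldap
auth_provider = krb5
krb5_realm = EXAMPLE.COM

# Variant A (first reply): pin SSSD to one local domain controller.
# Avoids the round trip over the VPN, but nothing else is tried if this
# host is down, and the file must be edited when the DC is replaced.
#ldap_uri = ldap://dc-local.example.com
#krb5_server = dc-local.example.com

# Variant B (second reply): keep SRV discovery, but scope it to the
# AD site. With ldap_uri and krb5_server left unset, SSSD looks up its
# servers through DNS SRV records under dns_discovery_domain, so only
# the controllers that AD has registered for this site are returned.
dns_discovery_domain = BranchSite._sites.example.com
```

With variant B, the servers SSSD can reach are whatever the site-scoped SRV records return, so checking that those records list only the intended local controllers is the first thing to verify when authentication is still slow.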