I had the same problem and instead of hard-coding our local AD server (which is ugly) I used dns_discovery_domain in the form of:

Thanks, that is good to know. Instead of DNS discovery I went ahead and hard-coded the local AD server (ldap_uri/krb5_server). The server SSSD was using by default was the primary AD located across a VPN and it was introducing a few-second delay in authentication due to the latency of the connection.