Thanks, that is good to know.

Instead of DNS discovery I went ahead and hard coded the local AD server
(ldap_uri/krb5_server). The server SSSD was using by default was the
primary AD located across a VPN and it was introducing a few second
delay in authentication due to the latency of the connection.
I had the same problem and instead of had-coding our local AD server (which is ugly) I used dns_discovery_domain in form of:
<your site name>._sites.<ad realm>
This way you ensure sssd is always using local AD controller to your site.

Ondrej