sssd personnel, In RHEL7, sssd was auto-discovering AD domains that trusted this domain, but that this domain did not trust. i.e., it was over-discovering AD domains. For a large company, you'll have one or more prod AD domain. That all trust each other. Then you'll likely have an engineering and possibly a test AD domain. These engineering and test domains would trust the prod domain(s), but the prod domain(s) wouldn't trust these engineering/test domains (nor should they). So if sssd were AD-integrated to one of the prod domains, it should auto-discover the prod domains only. It's true that buried deep in AD's data structures, there is a trust relationship with the test domain and the engineering domain. But it's a trust going the wrong way. Sumit fixed this for RHEL7, it seems the fix was first pushed out in sssd-1.16.5-10.el7_9.11. RHEL7 seems to still be fixed as of today. At least on RHEL8 and RHEL9, it seems to have reverted. There is a work-around. in /etc/sssd/sssd.conf file, you can add: [domain/prod1.company.com] .... ad_enabled_domains = prod1.company.com, prod2.company.com, prod3.company.com So while all these extraneous auto-discovered AD domains still show in 'sssctl domain-list', they no longer cause problems. Spike