On Tue, Mar 28, 2017 at 11:59:27AM -0500, Jason B. Nance wrote:
> My other question is if there is a way to pin down a client to
> [temporarily] use a specific IPA server

Using the ipa_server directive in sssd.conf.

> and specific AD server (even if
> it means a firewall rule that only allows the host to communicate with
> one IPA and one AD host).

The clients don't talk to ADs to resolve user information, only the servers do. The clients only talk to AD DCs for authentication (to make this a bit more complex, the authentication also involves parsing a Kerberos PAC blob by the authentication helper in SSSD, which also includes the group memberships).

And unfortunately, until RHEL-7.4 and SSSD 1.15 are out, pinning the SSSD on the IDM servers to a specific AD DC is only possible by modifying the DNS SRV records or creating an AD site for the IDM server.
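To check whether a client is actually pinned the way the reply describes, here is an added example (not part of the original message or of SSSD itself) that parses an sssd.conf and reports, per IPA domain, whether `ipa_server` names exactly one host with no `_srv_` DNS discovery entry. The sample configuration and host names are constructed; `ipa_backup_server` is the fallback option from the sssd-ipa man page and is not mentioned in the mail, and treating a missing `ipa_server` as discovery is an assumption.

```python
import configparser

# Constructed sample: one domain using DNS SRV discovery first, one pinned.
SAMPLE_SSSD_CONF = """
[sssd]
domains = ipa.example.test, pinned.example.test

[domain/ipa.example.test]
id_provider = ipa
ipa_domain = ipa.example.test
ipa_server = _srv_, ipa1.ipa.example.test

[domain/pinned.example.test]
id_provider = ipa
ipa_domain = pinned.example.test
ipa_server = ipa2.pinned.example.test
"""

def _split(value):
    """Split a comma-separated sssd.conf value into trimmed entries."""
    return [item.strip() for item in value.split(",") if item.strip()]

def ipa_server_pinning(conf_text):
    """Return {domain: (pinned, servers)} for every id_provider = ipa domain."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    result = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = cp[section]
        if opts.get("id_provider", "").strip().lower() != "ipa":
            continue
        # Assumption: an absent ipa_server means discovery, written here as _srv_.
        servers = _split(opts.get("ipa_server", "_srv_"))
        backups = _split(opts.get("ipa_backup_server", ""))
        # Pinned: exactly one explicit host, no SRV discovery, no fallback list.
        pinned = len(servers) == 1 and "_srv_" not in servers and not backups
        result[section[len("domain/"):]] = (pinned, servers + backups)
    return result

if __name__ == "__main__":
    for domain, (pinned, servers) in ipa_server_pinning(SAMPLE_SSSD_CONF).items():
        state = "pinned" if pinned else "NOT pinned"
        print(f"{domain}: {state} -> {', '.join(servers)}")
```

This covers only the client-to-IPA-server half of the question; it says nothing about which AD DC the IPA servers themselves contact.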