IdM Clients in Trusted Domain

If I build an IdM server in a separate DNS domain, do the clients of that IdM server need to be in the same DNS domain as the IdM server or can they be in the Active Directory domain and point to the IdM server?

Here's the reason behind the question:

We have an AD domain (example.com) where we want to allow access for some AD accounts to our Linux servers. According to IdM best practice we should put our IdM server in it's own DNS domain (idm.example.com). If we have to put all our Linux servers in the idm.example.com domain, we might end up breaking applications. So, if it's possible, we'd like to keep our Linux servers in example.com and point the sssd client to the idm.example.com IdM server for authentication.