z/OS Security Server RACF Security Administrator's Guide


RRSF considerations for z/OS Network Authentication Service

SA23-2289-00

If your installation has implemented automatic direction and you want to define multiple realms, you should review your current RRSF implementation in view of these important considerations:
  1. The KERB segment of the RACF® user profile defines a user as a local principal. If KERB segment information is directed to a remote RRSF node, users will be defined as local principals on all z/OS Network Authentication Service servers that share that RACF database.
  2. RACF does not distinguish between user passwords and passwords assigned to local principals for key generation. The same is true for password phrases. If user passwords and password phrases are synchronized with a remote RRSF node, keys will be generated for those users on the remote node and they will be recognized as local principals by all z/OS Network Authentication Service servers that share that RACF database.
  3. REALM class profiles define information about local and foreign realms. If these profiles are propagated to a remote RRSF node, all z/OS Network Authentication Service servers that share that RACF database will have duplicate local and foreign realm definitions.
  4. KERBLINK class profiles map foreign principals to local RACF user IDs, and control which users are authorized to use the SKRBKDC started procedure to decrypt service tickets for a given principal. If KERBLINK profiles are propagated to a remote RRSF node, all z/OS Network Authentication Service servers sharing that RACF database will attempt to map those foreign principals to the same RACF user IDs, and allow the users authorized by the KERBLINK profiles to use SKRBKDC to decrypt service tickets for the given principal.
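
As an aid to the review described above, the following added example (not IBM's code and not part of the original guide) checks a list of RRSFDATA profile names for automatic direction to a given node that falls under each of the four considerations. It assumes the AUTODIRECT.node.class.function profile naming, the hypothetical node names NODEB and NODEC, and a simplified form of RACF generic matching; it looks at profile names only, not at access lists or class activation.

```python
import re

# Constructed sample of RRSFDATA profile names (not taken from the page).
SAMPLE_PROFILES = ["AUTODIRECT.NODEB.USER.PWSYNC", "AUTODIRECT.NODEB.DATASET.*",
                   "AUTODIRECT.*.REALM.RDEFINE", "AUTODIRECT.NODEC.**"]

# class.function suffixes tied to the page's numbered considerations.
# Function names are assumed from the AUTODIRECT.node.class.function convention.
CONCERNS = {
    1: ["USER.ADDUSER", "USER.ALTUSER"],          # KERB segment updates
    2: ["USER.PWSYNC", "USER.PHRSYNC"],           # password / phrase sync
    3: ["REALM.RDEFINE", "REALM.RALTER"],         # realm definitions
    4: ["KERBLINK.RDEFINE", "KERBLINK.RALTER", "KERBLINK.PERMIT"],
}

def qual_match(pat, qual):
    """Match one qualifier: % is any one character, * is any run of characters."""
    rx = "".join("." if c == "%" else ".*" if c == "*" else re.escape(c) for c in pat)
    return re.fullmatch(rx, qual) is not None

def covers(pat, name):
    """Simplified RACF generic match over lists of dot-separated qualifiers."""
    if not pat:
        return not name
    head, rest = pat[0], pat[1:]
    if head == "**":                     # zero or more qualifiers
        return any(covers(rest, name[i:]) for i in range(len(name) + 1))
    if head == "*" and not rest:         # trailing *: one or more qualifiers
        return len(name) >= 1
    return bool(name) and qual_match(head, name[0]) and covers(rest, name[1:])

def audit(profiles, node):
    """Return {consideration number: [profiles covering direction to node]}."""
    findings = {}
    for item, suffixes in CONCERNS.items():
        for prof in profiles:
            names = [f"AUTODIRECT.{node}.{s}".split(".") for s in suffixes]
            if any(covers(prof.split("."), n) for n in names):
                findings.setdefault(item, []).append(prof)
    return findings

if __name__ == "__main__":
    for node in ("NODEB", "NODEC"):
        print(node, audit(SAMPLE_PROFILES, node))
```

A node that appears under any key in the result receives updates that make its z/OS Network Authentication Service servers share the principals, keys, realm definitions, or mappings described in the matching numbered item.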

For more information, see z/OS Integrated Security Services Network Authentication Service Administration.





Copyright IBM Corporation 1990, 2014