I think Martin's question was more about those services being enabled in
systemd by themselves. The answer is 'no', because ipa.service takes
care of that based on the state of services we keep in LDAP.

Unfortunately, all init systems to date only care about a single host's
status. In IPA case we have multinode environment where different
services may be activated on the nodes depending on what was enabled.
You can have base IPA (dirsrv, KDC, httpd) running on majority of
masters but then some of them would be also running CAs and potentially
they can run Samba services for AD integration. The status of these
services is recorded in LDAP because this is what we have as a
replicated store that all IPA masters know about. This information is
needed for more uses than just init system on a specific host, though.

For production operation, what Martin B. has said is the recommended
way.

It the future, native systemd approach is likely to be used:

https://fedorahosted.org/freeipa/ticket/4552

At the same time, we will likely explore the possibility of running
various pieces on different machines (or in different containers).

If you are interested in exploring those areas and helping us develop
them, we'll be happy to hear about your findings.

For starting and stopping all neccessarry parts this is OK. But if I
have enabled some of these services directly in systemd (lets say
memcached or the ldap server) does that make problems during startup or
shutdown.

May be it is just a coincidence, but I had several warnings (up to
thousands) in the past from the LDAP Server at a simple restart of the
server:

DSRetroclPlugin - delete_changerecord: could not delete change record
553423 (rc: 32): 1 Time(s)

An I have not found any reason for this. Therefore the question: can
this be due to a false shutdown or startup sequence by systemd?

Last time I run "ipactl stop" before restarting the server and had no
such warnings. As I said may be its just a coincidence.

I run ipa on a up to date fedora 23 server.

Regards
Martin