diff --git a/infra/scenarios/ipa-ad-trust.yml b/infra/scenarios/ipa-ad-trust.yml
new file mode 100644
index 000000000..6e05313e0
--- /dev/null
+++ b/infra/scenarios/ipa-ad-trust.yml
@@ -0,0 +1,54 @@
+# IPA trust to Samba AD DC.
+#
+# Steps to set trust on 'server':
+# # kinit admin <<< SomeADMINpassword
+# # ipa dnsforwardzone-add ad.ipa.test. --forwarder=192.168.13.250
+# # ipa trust-add ad.ipa.test --type ad --range-type ipa-ad-trust --two-way true --admin=Administrator --password <<< Secret123
+#
+# Create samba user on 'addc':
+# # samba-tool user create jdoe --given-name John --surname Doe
+#
+# Checking user on IPA server:
+#
+# # getent passwd jdoe@AD.IPA.TEST
+# # kinit jdoe@AD.IPA.TEST
+#
+---
+lab_name: ipa-ad-trust
+subnet: "192.168.13.0/24"
+extra_data:
+ - playbooks
+external:
+ hosts:
+ - name: addc
+ hostname: dc.ad.ipa.test
+ role: addc
+ ip_address: 192.168.13.250
+ options:
+ forwarder: 192.168.13.100
+ipa_deployments:
+ - name: ipa
+ domain: linux.ipa.test
+ admin_password: SomeADMINpassword
+ dm_password: SomeDMpassword
+ cluster:
+ servers:
+ - name: server
+ capabilities: ["DNS", "AD", "KRA"]
+ ip_address: 192.168.13.100
+ vars:
+ ipaserver_netbios_name: IPA
+ ipaserver_idstart: 60000
+ ipaserver_idmax: 62000
+ ipaserver_rid_base: 63000
+ ipaserver_secondary_rid_base: 70000
+ # trust test vars
+ winserver_domain: ad.ipa.test
+ winserver_admin_password: Secret123
+ winserver_ip: 192.168.13.250
+ # external users vars
+ test_ad_user: 'jdoe@DC'
+ test_alt_user: 'jdoe@ad.ipa.test'
+ clients:
+ - name: cli01
+ dns: server
diff --git a/infra/scenarios/requirements.txt b/infra/scenarios/requirements.txt
new file mode 100644
index 000000000..2b38e799a
--- /dev/null
+++ b/infra/scenarios/requirements.txt
@@ -0,0 +1,2 @@
+ipalab-config>=0.10.2
+podman-compose>=1.2.0
diff --git a/tests/group/test_group_client_context.yml b/tests/group/test_group_client_context.yml
index 1328f6e88..a7a4bef7e 100644
--- a/tests/group/test_group_client_context.yml
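Review bot: The header comment of `ipa-ad-trust.yml` explains how to establish the trust but does not say that `admin_password`, `dm_password` and `winserver_admin_password` are fixed lab credentials committed in plain text. A closing header line such as `# Lab-only credentials; do not expose this deployment outside the lab network or reuse these values.` would state that boundary. The values cannot simply be templated away, because the tests elsewhere in this change hard-code `ipaadmin_password: SomeADMINpassword`. Separately, `test_ad_user: 'jdoe@DC'` uses the flat name `DC` while the header examples use `jdoe@AD.IPA.TEST`; presumably `DC` is the NetBIOS name the addc container is provisioned with, but that is not visible here and is worth confirming.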
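Review bot: Both entries in `requirements.txt` use open-ended `>=` specifiers, so each lab build installs whatever release of `ipalab-config` and `podman-compose` is newest at that moment. The tooling that generates and starts the IPA and AD containers can therefore change without any change to this repository. Pinning exact versions, for example `ipalab-config==0.10.2` and `podman-compose==1.2.0`, keeps the lab reproducible and makes upgrades a reviewed change; an upper bound is a weaker alternative if exact pins are too strict.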
+++ b/tests/group/test_group_client_context.yml
@@ -23,7 +23,7 @@
 ipaadmin_password: SomeADMINpassword
 ipaapi_context: client
 name: ThisShouldNotWork
- external_member: "{{ ad_user }}"
+ external_member: "SomeUser@AD"
 external: true
 register: result
 failed_when: not (result.failed and result.msg == "Cannot use externalmember in client context.")
diff --git a/tests/idrange/test_idrange.yml b/tests/idrange/test_idrange.yml
index db1e945eb..da2d2b235 100644
--- a/tests/idrange/test_idrange.yml
+++ b/tests/idrange/test_idrange.yml
@@ -8,30 +8,18 @@ - name: Retrieve FreeIPA facts ansible.builtin.include_tasks: ../env_freeipa_facts.yml - # CLEANUP TEST ITEMS - - name: Remove test trust. - ansible.builtin.include_tasks: ../tasks_remove_trust.yml - when: trust_test_is_supported | default(false) - - - name: Ensure testing idranges are absent - ipaidrange: - ipaadmin_password: SomeADMINpassword - ipaapi_context: "{{ ipa_context | default(omit) }}" - name: - - "{{ adserver.realm }}_id_range" - - local_id_range - - ad_id_range - - ad_posix_id_range - continue: yes - state: absent - - # CREATE TEST ITEMS - - # TESTS - # Test local idrange, only if ipa-adtrust-install was not executed. - name: Test local idrange block: + - name: Ensure testing idranges are absent + ipaidrange: + ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" + name: + - local_id_range + continue: yes + state: absent + - name: Ensure idrange with minimal attributes is present ipaidrange: ipaadmin_password: SomeADMINpassword
@@ -118,6 +106,23 @@ - name: Execute idrange tests if trust test environment is supported when: trust_test_is_supported | default(false) block: + # CLEANUP TEST ITEMS + - name: Remove test trust. + ansible.builtin.include_tasks: ../tasks_remove_trust.yml + when: trust_test_is_supported | default(false) + + - name: Ensure testing idranges are absent + ipaidrange: + ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" + name: + - "{{ adserver.realm | default(omit) }}_id_range" + - local_id_range + - ad_id_range + - ad_posix_id_range + continue: yes + state: absent + # Create trust with range_type: ipa-ad-trust - name: Create trust with range_type 'ipa-ad-trust' ansible.builtin.include_tasks: ../tasks_set_trust.yml
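Review bot: In the added cleanup task, `"{{ adserver.realm | default(omit) }}_id_range"` does not drop the list entry when `adserver.realm` is undefined. `omit` only takes effect when it is the entire value of a parameter; embedded in a larger string it yields Ansible's placeholder text with `_id_range` appended, which is then passed to `ipaidrange` as a range name. The task now sits inside the block guarded by `when: trust_test_is_supported | default(false)`, where `adserver` is presumably already defined, so the filter can be dropped: `- "{{ adserver.realm }}_id_range"`. The `when:` on `Remove test trust.` repeats the block's own condition and can be removed too. The block continues past the end of this hunk.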