On Thu, 2012-07-12 at 12:03 +0200, steve wrote: > The id numbers are NOT being take from AD, they are being taken from idmap. Do you have: idmap_ldb:use rfc2307 = yes set on both DCs? Thanks, -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org