On 06/22/2016 01:20 PM, Rowland penny wrote:
> Happy to correct you :-D
>
> If you are using RFC2307 attributes, you need this line on a DC, it is
> *only* used on a DC.

Right... Thanks!

And then perhaps we also need to set the idmap ranges on the DCs? I thought they were only for the domain member servers...

MJ