OU "Groups" not shown in RSAT
October 21, 2021, 05:32:36 pm

I have a Zentyal 7.0 instance with Samba AD. It is working correctly as far as I know. There is an OU called "Groups", which seems to be created by default. I have created a few groups there and have used them in the fileserver to assign permissions to folders without issues.

Now I wanted to move those groups to another OU using RSAT on a Windows host, but RSAT does not show that "Groups" OU.

I know I can use samba-tool to move the groups to another OU, but why is that "Groups" OU not shown in RSAT? Other OUs are shown correctly.

I have two domain controllers using Zentyal 7, dc01 and dc02. dc01 has all the FSMO roles and was the first one installed with a new domain. Then I added dc02 and everything seems to be working fine. I have unidirectional sysvol replication using lrsync from dc01 to dc02, and all admin consoles are set up to connect to dc01 to edit GPOs, users/groups, etc.

Now I was thinking about implementing bidirectional replication, but checking the official Samba docs (, I read "Make sure, that you have identical IDs of built-in groups on all DCs". That means creating a copy of /usr/local/samba/private/idmap.ldb and placing it on the additional DCs.

My problem is that /usr/local/samba/private/idmap.ldb is NOT identical on both DCs. The one on dc01 has 69 entries and the one on dc02 has 82. I can't figure out why dc02 has more entries than dc01, given that the latter is the FSMO role owner and always has been.

Should I copy /usr/local/samba/private/idmap.ldb from dc01 to dc02?
What is that file used for in Zentyal?
Does Zentyal create that copy of /usr/local/samba/private/idmap.ldb when adding itself as an additional controller?

Thanks in advance.
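One way to check the "identical IDs of built-in groups" requirement quoted from the Samba docs above, as an added example that is not part of the original post and not Zentyal's or Samba's own code: compare the objectSid to xidNumber mapping on the two DCs instead of the raw entry counts. It assumes each dump was produced with ldbsearch against /usr/local/samba/private/idmap.ldb on that DC; the two sample dumps below are constructed.

```python
"""Compare two idmap.ldb dumps: a SID present on both DCs must map to the same xidNumber."""
import re
from typing import Dict, Set, Tuple

# Constructed sample output, shaped like the LDIF that
#   ldbsearch -H /usr/local/samba/private/idmap.ldb '(objectSid=*)' objectSid xidNumber
# prints on each DC. SIDs and xidNumbers are illustrative, not from any real DC.
DC01_DUMP = """\
# record 1
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
xidNumber: 3000000

# record 2
dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
xidNumber: 3000001
"""
DC02_DUMP = """\
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
xidNumber: 3000000

dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
xidNumber: 3000007

dn: CN=S-1-5-21-1111-2222-3333-1104
objectSid: S-1-5-21-1111-2222-3333-1104
xidNumber: 3000002
"""

def parse_idmap_dump(text: str) -> Dict[str, int]:
    """Map objectSid -> xidNumber; comments, blank lines and SID-less records (CN=CONFIG) are skipped."""
    mapping: Dict[str, int] = {}
    for record in re.split(r"\n\s*\n", text):
        attrs = dict(line.split(": ", 1) for line in record.splitlines()
                     if line and not line.startswith("#") and ": " in line)
        if "objectSid" in attrs and "xidNumber" in attrs:
            mapping[attrs["objectSid"]] = int(attrs["xidNumber"])
    return mapping

def compare_idmaps(a: Dict[str, int], b: Dict[str, int]) -> Tuple[Dict[str, Tuple[int, int]], Set[str], Set[str]]:
    """Return (SIDs with different xids on a and b, SIDs only in a, SIDs only in b).
    Only the first set violates the docs' requirement; the other two are local allocations."""
    conflicts = {sid: (a[sid], b[sid]) for sid in sorted(a.keys() & b.keys()) if a[sid] != b[sid]}
    return conflicts, set(a) - set(b), set(b) - set(a)
```

Extra entries on one DC (the 69 vs 82 difference) only matter if a SID the DCs share maps to different xidNumbers; those are the conflicts the first return value lists.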

