Managing UID/GID of dual Samba / Winbind to AD

I have two Linux servers connected to an Active Directory Windows 2008 server using Samba/Winbind, and here is my samba config

    workgroup = COMPANY
    realm = COMPANY.COM
    server string = SAMBA-AD Server
    security = ADS
    password server = 10.1.x.x
    log level = 2
    log file = /var/log/samba/log.%m
    max log size = 50
    unix extensions = No
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template homedir = /home/%u
    template shell = /bin/bash
    winbind separator = +
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind nss info = rfc2307

Both are configured exactly alike, however, when I run getent group, the GIDs listed are different for both, even though the ranges are exactly the same, from 10000-20000.

On Linux server A:

domain computers:*:10011:

On Linux server B:

domain computers:*:10008:

It doesn't appear to start from 10000.

How can I synchronize the GIDs to be exact on both the Linux servers? Any help greatly appreciated!

EDIT: @larsks, I tried adding idmap_rid and this is the newest config:

    workgroup = COMPANY
    realm = COMPANY.COM
    server string = SAMBA-AD Server
    security = ADS
    password server = 10.1.xx.xx
    log file = /var/log/samba/log.%m
    max log size = 50
    unix extensions = No
    idmap config COMPANY:backend = rid
    idmap config COMPANY:base_rid = 1000
    idmap config COMPANY:range = 10000 - 20000
    template homedir = /home/%u
    template shell = /bin/bash
    winbind separator = +
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind nss info = rfc2307
    hosts allow = 127., 192.168.12., 192.168.13., 10.1.11., 10.2.,
    wide links = Yes

I removed the idmap gid = 10000-20000.

Do I need to remove the winbind enum groups = Yes ?

however, the GID remains the same even when I restart winbind / samba, after the idmap_rid additions..

Hi, I changed my samba config and can be seen above. Please let me know if I did something incorrect, the GID remains unchanged after a samba/winbind restart.

I suspect that Samba caches ids once they have been generated, so you'll probably have to clear the cache. I don't have a Samba installation in front of me right now so I can't tell you exactly where to look. See if you get the correct behavior for new groups before spending too much time trying to figure out how to clear the cache.

Hmm.. something went wrong. I type wbinfo -g, and it lists the groups but now getent group does not list the groups..

Not sure then. I don't have an active winbind environment at the moment, so I'm just working from the documentation. If I have some spare time I'll set one up, but it's not going to be today. Good luck!

I had some progress, I stopped winbind and samba, I deleted all the *.tdb and *.ldb files in the /var/lib/samba/ folder (leaving the sub-folders intact) and restarted the services. The tdb files came back and all the uid/gid's were reassigned new numbers! Now to test it across different servers to see if it matches.