Currently the default value of restrict anonymous is 0 even on Samba AD DC. It allows a user to list the domain users from a client without authentication using the following command, and it is detected as a security issue by network security tools:

    rpcclient -U "" server_ip

It should be changed to restrict anonymous = 2 when running in DC mode.
I agree, we should do this on the Samba AD DC.
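
A configuration check for the setting discussed in this report, as an added example that is not part of the bug thread or of Samba's code: it reads the [global] section of an smb.conf text and flags an AD DC whose effective restrict anonymous is below 2. The function names and sample configurations are assumptions made for illustration, and include files and line continuations are not handled.

```python
import re

# Values of "server role" that select AD DC mode (synonyms per smb.conf(5)).
AD_DC_ROLES = {"active directory domain controller", "domain controller", "dc"}
DEFAULT_RESTRICT_ANONYMOUS = 0  # default as stated in the report above


def _key(name):
    # Samba ignores case and whitespace inside parameter names.
    return re.sub(r"\s+", "", name).lower()


def global_params(text):
    """Return the [global] parameters of an smb.conf text; last value wins."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[_key(name)] = value.strip()
    return params


def audit(text):
    """Return (is_ad_dc, effective_level, finding) for one smb.conf text."""
    p = global_params(text)
    is_dc = " ".join(p.get("serverrole", "auto").lower().split()) in AD_DC_ROLES
    raw = p.get("restrictanonymous")
    try:
        level = int(raw) if raw is not None else DEFAULT_RESTRICT_ANONYMOUS
    except ValueError:
        return is_dc, None, "restrict anonymous has a non-numeric value"
    if is_dc and level < 2:
        return is_dc, level, "AD DC with restrict anonymous below 2"
    return is_dc, level, None


# Constructed sample configurations, not taken from a real server.
DC_DEFAULT = "[global]\n  server role = active directory domain controller\n  realm = EXAMPLE.TEST\n"
DC_HARDENED = DC_DEFAULT + "  Restrict Anonymous = 2\n"
MEMBER = "[global]\n  server role = member server\n[share]\n  restrict anonymous = 2\n"

if __name__ == "__main__":
    for name, conf in [("dc-default", DC_DEFAULT), ("dc-hardened", DC_HARDENED), ("member", MEMBER)]:
        print(name, audit(conf))
```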