When you provision a DC with --use-rfc2307, samba-tool automatically adds the following entry to the generated smb.conf file:
idmap_ldb:use rfc2307 = yes
Recently, Björn Jacke updated the "Setting up RFC2307 in AD" Wiki page and added:
> It is recommended not to use those mappings on the DCs. The
> default idmap ldb mechanism is fine for domain controllers
> and less error prone.
If it's not recommended to set this parameter on a DC, we should probably update samba-tool to not add it to the smb.conf automatically.
(In reply to Marc Muehlfeld from comment #0)
The question is what is the "--use-rfc2307" of samba-tool domain provision for?
--use-rfc2307 Use AD to store posix attributes (default = no)
is not very specific.
(In reply to Stefan Metzmacher from comment #1)
Thanks for raising this question. I was wondering this from the first time I saw this parameter. Using rfc2307 is mainly a matter of having to maintain the attributes. It's not obvious what using this at provision time means; the documentation of that parameter should be more verbose.
I sent a patch to fix this to the list: https://lists.samba.org/archive/samba-technical/2017-December/124416.html but Andrew didn't like the change. As nobody else will comment or change the status of this bug report, I'm gonna close this as wontfix. Anyone here is welcome to jump into the discussion on the mailing list though.
Andrew, if you do not like the proposed fix, please provide another one.