diff --git a/roles/samba/templates/smb.conf.j2 b/roles/samba/templates/smb.conf.j2
index e3196b2..1f36d4c 100644
--- a/roles/samba/templates/smb.conf.j2
+++ b/roles/samba/templates/smb.conf.j2
@@ -3,10 +3,12 @@
   realm = {{ samba_realm | upper }}
   workgroup = {{ samba_domain | upper }}
   kerberos method = secrets and keytab
+{% if samba_role not in ['dc', 'rodc'] %}
   idmap config * : backend = tdb
   idmap config * : range = 10000-19999
   idmap config {{ samba_domain | upper }} : backend = sss
   idmap config {{ samba_domain | upper }} : range = 200000-2147483647
+{% endif %}
 {% for domain in samba_trusted_domains %}
   idmap config {{ domain.name | upper }} : backend = sss
 {% endfor %}