Samba – Managing UID/GID of dual Samba / Winbind to AD

active-directory, samba, winbind

I have two Linux servers connected to an Active Directory (Windows Server 2008) domain using Samba/Winbind, and here is my Samba config:

    [global]
    workgroup = COMPANY
    realm = COMPANY.COM
    server string = SAMBA-AD Server
    security = ADS
    password server = 10.1.x.x
    log level = 2
    log file = /var/log/samba/log.%m
    max log size = 50
    unix extensions = No
    # Legacy allocating idmap: IDs from this range are handed out by the
    # local tdb allocator in the order SIDs are first looked up
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template homedir = /home/%u
    template shell = /bin/bash
    winbind separator = +
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind nss info = rfc2307

Both are configured exactly alike; however, when I run getent group, the GIDs listed differ between the two, even though the range is exactly the same (10000-20000) on both.

On Linux server A:

    domain computers:*:10011:

On Linux server B:

    domain computers:*:10008:

It doesn't appear to start from 10000.

How can I synchronize the GIDs to be exact on both the Linux servers? Any help greatly appreciated!

EDIT: @larsks, I tried adding idmap_rid, and this is the newest config:

    [global]
    workgroup = COMPANY
    realm = COMPANY.COM
    server string = SAMBA-AD Server
    security = ADS
    password server = 10.1.xx.xx
    log file = /var/log/samba/log.%m
    max log size = 50
    unix extensions = No
    # Algorithmic mapping: id = RID - base_rid + 10000. RIDs below base_rid
    # (here 1000) fall outside the range and are left unmapped.
    idmap config COMPANY:backend = rid
    idmap config COMPANY:base_rid = 1000
    idmap config COMPANY:range = 10000 - 20000
    template homedir = /home/%u
    template shell = /bin/bash
    winbind separator = +
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind nss info = rfc2307
    hosts allow = 127., 192.168.12., 192.168.13., 10.1.11., 10.2.,
    wide links = Yes

I removed the idmap gid = 10000-20000.

Do I need to remove winbind enum groups = Yes?

However, the GID remains the same even after I restart winbind/samba following the idmap_rid additions.

Best Answer

You can use the idmap_rid idmap backend, which algorithmically generates IDs so that there's no need to synchronize them (that is, two systems will always generate the same GID for a given group).

You can also use the LDAP idmap backend to store generated ids in a central (shared) location. This is only necessary if you're not using the idmap_rid backend.
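To make the difference between the two backends concrete, here is an added example (not Samba's code and not part of the original answer) that models both: an allocate-on-first-lookup backend like the legacy idmap uid/gid tdb allocator, and the arithmetic idmap_rid uses, id = RID - base_rid + low_id, with results outside the configured range left unmapped. The domain SID and the per-host lookup histories are constructed for the illustration; only the well-known RIDs 512 (Domain Admins), 513 (Domain Users) and 515 (Domain Computers) are real AD constants.

```python
"""Model of why tdb-allocated GIDs drift between hosts while idmap_rid
does not. Added example; this is NOT Samba's own code. It reproduces the
arithmetic idmap_rid uses (id = RID - base_rid + low_id, results outside
[low_id, high_id] are left unmapped). The domain SID and lookup orders
below are constructed; only the well-known RIDs 512/513/515 are real."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DOMAIN_SID = "S-1-5-21-1111-2222-3333"  # constructed sample domain SID
WELL_KNOWN_GROUPS = {"Domain Admins": 512, "Domain Users": 513, "Domain Computers": 515}


def sid(rid: int) -> str:
    """Build a SID for a RID in the constructed sample domain."""
    return f"{DOMAIN_SID}-{rid}"


def rid_of(sid_str: str) -> int:
    """The last dash-separated component of a SID is its RID."""
    return int(sid_str.rsplit("-", 1)[1])


class FirstSeenAllocator:
    """Allocate-on-first-lookup backend (the behaviour behind the legacy
    'idmap uid/gid' tdb allocator): each new SID gets the next free ID,
    so the result depends on the order in which SIDs were first seen."""

    def __init__(self, low_id: int) -> None:
        self._next = low_id
        self._table: Dict[str, int] = {}

    def sid_to_id(self, sid_str: str) -> int:
        if sid_str not in self._table:
            self._table[sid_str] = self._next
            self._next += 1
        return self._table[sid_str]


@dataclass(frozen=True)
class RidDomain:
    """One 'idmap config DOMAIN:backend = rid' stanza."""
    name: str
    low_id: int
    high_id: int
    base_rid: int = 0  # Samba's default: no RIDs are filtered

    def sid_to_id(self, sid_str: str) -> Optional[int]:
        unix_id = rid_of(sid_str) - self.base_rid + self.low_id
        if not self.low_id <= unix_id <= self.high_id:
            return None  # idmap_rid logs "Requested id out of range. Filtered!"
        return unix_id

    def id_to_rid(self, unix_id: int) -> Optional[int]:
        if not self.low_id <= unix_id <= self.high_id:
            return None
        return unix_id - self.low_id + self.base_rid


# Constructed lookup histories: host A resolved more SIDs before it first
# saw Domain Computers than host B did, so the allocator hands out
# different GIDs for the same group (10011 vs 10008, as in the question).
HOST_A_ORDER: List[str] = [sid(r) for r in (*range(1101, 1109), 512, 513, 1109, 515)]
HOST_B_ORDER: List[str] = [sid(r) for r in (512, 513, *range(1101, 1107), 515)]


def allocated_gids(order_a: List[str], order_b: List[str],
                   group_rid: int = 515) -> Tuple[int, int]:
    """GID of one group on two hosts that use first-seen allocation."""
    a, b = FirstSeenAllocator(10000), FirstSeenAllocator(10000)
    for s in order_a:
        a.sid_to_id(s)
    for s in order_b:
        b.sid_to_id(s)
    return a.sid_to_id(sid(group_rid)), b.sid_to_id(sid(group_rid))


def rid_gids(base_rid: int) -> Dict[str, Optional[int]]:
    """GIDs of the well-known groups under idmap_rid with the given base_rid
    and the 10000-20000 range from the question; identical on every host."""
    dom = RidDomain("COMPANY", 10000, 20000, base_rid)
    return {name: dom.sid_to_id(sid(rid)) for name, rid in WELL_KNOWN_GROUPS.items()}


if __name__ == "__main__":
    print("tdb-style allocation, Domain Computers on A/B:",
          allocated_gids(HOST_A_ORDER, HOST_B_ORDER))
    print("idmap_rid, base_rid = 0:   ", rid_gids(0))
    print("idmap_rid, base_rid = 1000:", rid_gids(1000))
```

Two practical points fall out of the model. First, base_rid = 1000 as in the edited config filters every RID below 1000, so the built-in groups (Domain Computers is RID 515) are left unmapped; with Samba's default base_rid = 0 the group gets GID 10515 on both hosts. Second, switching backends does not rewrite what winbind has already cached: previously resolved SID-to-ID results live on in winbind's cache (net cache flush clears it, and the winbindd_*.tdb files sit in Samba's lock/state directory), which is why a plain restart can keep reporting the old GIDs. Newer Samba releases also expect a default domain stanza (idmap config * : backend = tdb with its own, non-overlapping range) alongside the per-domain rid configuration.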