msSFU30MaxUidNumber is not multi-master update-safe
See Andrew Bartlett's mailing list post.
See this post where Rowland suggested using these attributes to store the maximum value in LDAP. (These are not automatically calculated; your script would need to keep them updated.)
- msSFU30MaxUidNumber
- msSFU30MaxGidNumber
Be aware that these attributes are not safe to update in a multi-master environment.
If your domain controllers can get out of sync and your tool is pointed at an 'older' DC, it could allocate the same UID twice.
Solution
The way Active Directory handles these sorts of issues is to downgrade to single-master, through use of FSMO Roles.
I noted this here:
Perhaps one mitigating method would be to always target the DC with the PDC emulator FSMO role.
The Better Posix AD Wiki page says:
For counter based allocation, the allocation of the uid/gid should be deferred to the PDC FSMS [sic] role holder (or similar).
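The duplicate allocation and the PDC emulator mitigation described above, as a small simulation. This is an added example, not code from the mailing list posts or the wiki; the `DC` class, the function names and the starting value 10000 are constructed for illustration, and replication is simplified to "highest value wins".

```python
class DC:
    """One domain controller with its own replica of msSFU30MaxUidNumber."""

    def __init__(self, max_uid, is_pdc=False):
        self.max_uid = max_uid
        self.is_pdc = is_pdc  # True if this DC holds the PDC emulator FSMO role

    def allocate(self):
        self.max_uid += 1  # read, increment and write back on this DC only
        return self.max_uid


def replicate(dcs):
    """Converge replicas on the highest value (simplified conflict resolution)."""
    highest = max(dc.max_uid for dc in dcs)
    for dc in dcs:
        dc.max_uid = highest


def allocate_on_any_dc(dcs, targets):
    """Use whichever DC the tool is pointed at; replication lags behind."""
    uids = [dcs[i].allocate() for i in targets]
    replicate(dcs)
    return uids


def allocate_on_pdc(dcs, count):
    """Send every allocation to the single PDC emulator role holder."""
    pdc = next(dc for dc in dcs if dc.is_pdc)
    uids = [pdc.allocate() for _ in range(count)]
    replicate(dcs)
    return uids


def duplicates(uids):
    """Return the sorted UIDs that were handed out more than once."""
    return sorted({u for u in uids if uids.count(u) > 1})


def make_domain():
    # Constructed sample: two DCs in sync at 10000; the first holds the PDC role.
    return [DC(10000, is_pdc=True), DC(10000)]


if __name__ == "__main__":
    runs = {"any DC": allocate_on_any_dc(make_domain(), [0, 1, 1]),
            "PDC only": allocate_on_pdc(make_domain(), 3)}
    for label, uids in runs.items():
        print(label, uids, "duplicates:", duplicates(uids))
```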