For about 2 years now at work, our "root" (aka, Administrator) account hasn't been showing up as being part of the "Domain Admins" group within Windows, or when running "id root" or "net rpc user info root". It used to, but for whatever unknown reason, stopped working.
The root account in our LDAP directory was, admittedly, messed up. However, it worked on our local server, who were talking with our PDC directly. It just didn't work on our remote BDC-connected systems.
Back around this time, I'm pretty sure we made a change to our enterprise-wise /etc/ldap.conf config: We added "root" to the nss_initgroups_ignoreusers list. The effect is that the local auth mechanisms only use the local files (passwd and group) for users in this list, skipping LDAP checks. Therefore root will never get the "Domain Admins" group membership in this configuration.
Now, the question is, is this normal, or am I missing something? I really don't care at this point. The workaround for me is to simply create an admin user that gets treated as THE admin account. The alternative is to remove root for the ignore list. However, I would suggest against this as it could create startup and login delays if the LDAP database doesn't start for any reason.
Hope this helped somebody. I struggled with it and searched for a solution long enough that I figure it merits a quick post.