I have been told some contradictory things about this.

Here is the background:

A new install of zen65 in a windows 2003 server only enviroment. All
desktops are xp. The AD domain had a complex ou setup, several layers
deep. This is a school district, and there are ou's for each school
site, and then student and staff ou's and others. All of them have

We intend to configure idm2 to "mirror" the AD ou setup.

One novell engineer told us that the mid-tier can/should be configured
with all the contexts in which to find users, and that then the agent
should be able to login "in the background" using passthrough ... ie,
the users will never see the zen login and they will not *god fobid*
have to know the context in which their user lives.

However, at this point, despite using NSAdmin to configure the midtier
context, users still get the login prompt, and must put in the entire
context to successfully login .... where can I begin to look to trouble
shoot this?

First, is it true, yes or no, that this should even work the way we
hope? And then, secondly:

*Help!* As school is about to start, and we have to get this working!