When a user that existed prior to DSfW provisioning logs on, they don't receive GPOs from the DSfW domain. Eventlog shows EventID 1053:

"Windows cannot determine the user or computer name. (The remote procedure call failed and did not execute.) Group Policy processing aborted."

However, if you log in with an account created AFTER DSfW provisioning that was in the same container as the previous account, things work fine.

A child domain installed in this 'forest' also works fine. (I'm not sure which words to use when describing this new eDir/AD hybrid...)

Would a manual run of the samify DSfW step resolve this? The forest users can log in, but their login is quite slow, and the /var/log/messages file seems to also indicate that winbindd is too slow - lots of "Error [87] in LDAP search while trying to fill passwd struture : filter=uid=domain\user,base=o=novell"

Rough diagram of our 'forest'

o=Novell (dsfw forest) - has the GPO issue
ou=America,o=Novell (dsfw child domain) - no GPO issue
Both were installed with OES2SP2.