I am hoping someone can shed some light on this because I'm either very close
or very far away from a DSfW solution.

Our organization is 100% eDirectory (OES2 servers) but we would like to be able
to use AD logins via DSfW for applications and network appliances that do not
support LDAP directly. So far, I have been able to install OES2sp3 on a new
server in the tree with DSfW in the name mapped method. It is installed in an
OU which is partitioned. The install completed with some issues: provisioning
failed on the samify and cleanup stages but the user accounts do have the new
attributes (samaccountname is the only one I checked and it did have a value).
I was able to join an XP workstation to the domain with the administrator
account and browse the user objects in the DSfW OU.

My issues are:

1) I cannot log in to the workstation with any existing user accounts in the
DSfW OU, even after I reset the password in iManager.

2) I cannot log in with a new account I create in the DSfW OU.

3) I cannot add sibling OUs to the DSfW OU but I think this may be correct
since the other OUs are in separate partitions. Does that mean we would need
one DSfW server per partitioned OU?

Does anyone have any insight into items #1 and #2? I can provide
screenshots and any other logs but it seems like I have missed something "big".
As for #3, I really don't want to have to put up another group of servers just
so we can do AD logins but I need to know what is the proper way to handle
multiple partitions.

Also if anyone has ideas about how to just provide AD authentication I would
like to hear that too. DSfW seems to be a bit much for what we want. I've heard
that there might be a way to export -> import into a Samba4 server but I haven't
dug into that research yet.