Gotcha, I'm pointing to the root (dc=domain,dc=com).

#1 Make sure it's *enabled*? I actually have it set to 0, so it STOPPED reading cached entries when I cut over to AD. Shouldn't that actually take care of #2/#3?

#2/#3 I can try that.