Am I doing my 10.5 server AD/OD integration right?
I have read the AD/OD white paper, but obviously this was done for 10.4, so not sure how much I should stick to it.
What I'm trying to do is this:
We have a Win 2003 domain, all users and groups in AD. Just set up a 10.5 server, want to manage AD groups and users in 10.5, and the Mac clients to log in using AD credentials but still get a managed environment, SSO to our Windows services such as network shares, but also SSO if possible to AFP shares, iChat server, and the built-in wiki.
What I have done so far is to install 10.5 server, set up as a standalone. Then I used dir util to bind to our AD. Then I made the server an OD Master.
Next on a client I bound it to both the new OD master and our AD. Then installed the server utils and used Workgroup Manager to create an OD group, and placed an AD user in that group.
Now this seems to kind of work. I can log in on the client using my AD credentials, and I get managed prefs from OD. Trouble is some services seem v flakey. For example, webservices is enabled, with wiki/blog enabled for the default site, and I managed to create a blog using my AD account on a client, and edit the blog fine. When somebody else tried it, it found their account in AD and opened the basic blog page, but when they went to edit and it asked for their credentials, it failed. (Yes, I've done all the tips on working these services with AD such as send password in clear text, but enable SSL.)
Do you know where I'm going wrong? Could anybody give me a basic few lines run-through? Such as:
1: bind server to AD
2: make server OD master
3: bind a client to OD and AD
4: install admin tools, create an OD group, add an AD user/group
5: do x to get SSO working
The 10.5 server documentation is a bit confusing and contradictory. One page it says to bind to AD and create it into an OD, and a few pages on, it says do not bind the same server to AD while it is an OD master! It makes no sense!
Thanks