I don't think it is an issue with settings in AD. Server 2003 will automatically disable an account that is created with a blank password. This seems to fit with what you are seeing, since the account is immediately disabled in AD and the user is required to change their password.

Is your SSL setup working? You can use ssltap (in /opt/fedora-ds/shared/bin if you used the installed defaults) to proxy the connections and see what is going (or not going) back and forth. Replication requires SSL in order to sync passwords, and unless it is set up correctly on both FDS and the DC with PassSync, you will not get any passwords, period.

What do your logs in FDS say when you add a user? Are there any errors? If the logs are not very informative, use the console to increase the log level.

Passwords are the trickiest part of this setup, simply because they require SSL/certificates and an extra app on the DC. The wiki has detailed instructions. If you need more help, posting error messages and log info would be very helpful.
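
To confirm the account state described above on the AD side, the following added example (not part of the original reply) decodes `userAccountControl` and `pwdLastSet` from an LDIF export of synced accounts. The LDIF sample, account names and domain are constructed, and the parser assumes plain `attr: value` lines with no base64 or folded values.

```python
# Added example: triage AD accounts created by directory sync from an LDIF export.
# The bit values are the documented userAccountControl flags; the LDIF is constructed.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}

# Constructed sample: one account in the state the reply describes, one healthy.
SAMPLE_LDIF = """\
dn: CN=Test User,CN=Users,DC=example,DC=com
sAMAccountName: tuser
userAccountControl: 546
pwdLastSet: 0

dn: CN=Good User,CN=Users,DC=example,DC=com
sAMAccountName: guser
userAccountControl: 512
pwdLastSet: 128271382742968750
"""

def parse_ldif(text):
    """Yield one dict per entry (simple 'attr: value' lines only)."""
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                attr, value = line.split(": ", 1)
                entry[attr] = value
        if entry:
            yield entry

def triage(entry):
    """Return the decoded flags and the findings relevant to a failed password sync."""
    uac = int(entry.get("userAccountControl", "0"))
    flags = [name for bit, name in UAC_FLAGS.items() if uac & bit]
    findings = []
    if uac & 0x0002:
        findings.append("disabled")
    if uac & 0x0020:
        findings.append("no password required")
    if entry.get("pwdLastSet") == "0":
        findings.append("password never set or must change at next logon")
    return {"account": entry.get("sAMAccountName"), "flags": flags, "findings": findings}

def triage_ldif(text):
    return [triage(e) for e in parse_ldif(text)]

if __name__ == "__main__":
    for row in triage_ldif(SAMPLE_LDIF):
        print(row)
```
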