Just a heads up really. I ran into a slight issue when trying to configure Lion Server as a home dir for my windows users. I eventually sorted this out (which is another thread). Whilst trying to resolve this issue though I came across something that I think is slightly different in Lion Server than 10.6.
The order in which you list the directory bindings does seem to have an effect on things, most importantly the kerberos realm. While the OD server was listed first, the REALM being used was the ODSERVER.REALM.COM rather than the AD's REALM.COM. When running the kinit command the server had no cached credentials for AD users (had no OD users to test). When changing the order to AD first, the server then cached the credentials as expected for AD users but also used the AD REALM.COM. It seems that depending on which server is in the list first, directly impacts which kerberos realm is going to be used. It can change on the fly too without any reboots/terminal commands.
I remember with previous versions to 10.7 it was always suggested that you disable kerberos. When setting up integration in the correct steps it does this for you. But because lion uses a different version of kerberos it does not need to be done now.
Yes, you are right. Lion uses Heimdal as opposed to the MIT kerberos. However, the point I probably managed to hide in my post is that lion server will kerberise depending on the Directory Services list order. Take for example, the OD REALM is OD.EXAMPLE.COM and the AD is EXAMPLE.COM.
If the AD is first in the list then the realm used would be EXAMPLE.COM. But if the OD server was first in the list the realm used would be OD.EXAMPLE.COM.
Try it and see if you get the same results. Switch the list order around and then run the kinit AD username and see the results. If the OD server is first the cache would be empty and the realm would be the OD one.