Please correct me if I understood you wrong…I think I’m not 100% sure what you mean.
What’s your DC Server? Did you mean AD?
If you cannot connect to your prod. server, make sure that it is configured to allow LDAP requests… it looks to me like your problem is not caused by Openfire but by the way your AD server handles (or blocks) requests, especially if you say your test server works but the other one does not.
If you're totally lost, try Wireshark to take a look at what exactly is happening between your servers… this helped me; I got some helpful error descriptions that way.
You may use cn=Administrator as long as the cn Administrator has full rights to read the whole tree you need.
If your OU SF-Account is in your root, you'll have to use:
as your self-made OU is indeed an OU, not a CN!
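The OU-versus-CN point above is a matter of writing the distinguished name with the right attribute type. The following small DN parser/builder is an editor's example added here, not code from the post or from Openfire: it parses RFC 4514 DNs (including backslash and hex escapes), builds a base DN for an OU under an AD domain root, and flags a known OU that has been written as `CN=`. The domain `example.local`, the OU `SF-Account` and the other DNs in it are constructed sample values.

```python
"""LDAP distinguished-name helpers for checking Openfire baseDN / adminDN values.
Editor's example, not code from the post or from Openfire.
All DNs used here (example.local, SF-Account) are constructed samples."""
import re

# One backslash-escaped hex pair, e.g. "\2C" for a comma (RFC 4514 section 2.4).
_HEX = re.compile(r'\\([0-9A-Fa-f]{2})')
# Characters that must be escaped when they appear inside an attribute value.
_SPECIAL = set(',+"\\<>;')


def _finish_value(pieces):
    """Join value fragments, dropping only unescaped leading/trailing spaces."""
    while pieces and pieces[0] == (' ', False):
        pieces.pop(0)
    while pieces and pieces[-1] == (' ', False):
        pieces.pop()
    return ''.join(text for text, _escaped in pieces)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute type, value) pairs, honouring '\\x' and '\\XX'
    escapes. Multi-valued RDNs ('+') are not split; they stay inside the value."""
    rdns, attr, pieces = [], None, []   # pieces: (text, was_escaped) fragments
    i, n = 0, len(dn)
    while i < n:
        ch = dn[i]
        if ch == '\\':
            m = _HEX.match(dn, i)
            if m:                        # run of hex pairs -> UTF-8 bytes
                raw = bytearray()
                while m:
                    raw.append(int(m.group(1), 16))
                    i = m.end()
                    m = _HEX.match(dn, i)
                pieces.append((raw.decode('utf-8'), True))
                continue
            if i + 1 >= n:
                raise ValueError(f'dangling backslash in {dn!r}')
            pieces.append((dn[i + 1], True))   # literal escaped character
            i += 2
            continue
        if ch == '=' and attr is None:
            attr = _finish_value(pieces)
            pieces = []
        elif ch == ',':
            if attr is None:
                raise ValueError(f'RDN without "=" in {dn!r}')
            rdns.append((attr, _finish_value(pieces)))
            attr, pieces = None, []
        else:
            pieces.append((ch, False))
        i += 1
    if attr is not None:
        rdns.append((attr, _finish_value(pieces)))
    elif pieces:
        raise ValueError(f'RDN without "=" in {dn!r}')
    return rdns


def escape_value(value: str) -> str:
    """Escape an attribute value for use inside a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def build_dn(*rdns: tuple[str, str]) -> str:
    """Assemble a DN from (type, value) pairs, escaping each value."""
    return ','.join(f'{t}={escape_value(v)}' for t, v in rdns)


def domain_root(domain: str) -> str:
    """'example.local' -> 'DC=example,DC=local', the root DN of an AD domain."""
    return ','.join(f'DC={escape_value(part)}' for part in domain.split('.'))


def ou_base_dn(ou_name: str, domain: str) -> str:
    """Base DN for an OU that sits directly under the domain root."""
    return build_dn(('OU', ou_name)) + ',' + domain_root(domain)


def check_container_types(dn: str, known_ous: set[str]) -> list[str]:
    """Warn about RDNs that name a known OU but are typed CN (the mistake the
    post describes). Note that AD's default 'Users' container really is a CN,
    so CN=Administrator,CN=Users,... is written correctly."""
    warnings = []
    for attr, value in parse_dn(dn):
        if attr.upper() == 'CN' and value in known_ous:
            warnings.append(f'{attr}={value}: {value!r} is an OU, write OU={value}')
    return warnings


if __name__ == '__main__':
    print(ou_base_dn('SF-Account', 'example.local'))
    print(check_container_types('CN=SF-Account,DC=example,DC=local', {'SF-Account'}))
```

Running the file prints the correctly formed base DN for the constructed OU and a warning for the same OU written as `CN=`; `parse_dn` is the piece worth reusing when a DN copied from a directory browser contains commas or other escaped characters.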