We have an application that is built around Active Directory for its authentication, and are trying to implement it at a client that uses Novell eDirectory (or NetIQ now, I guess). They have installed a feature called Domain Services for Windows which, according to its white paper, should simulate Active Directory authentication and LDAP queries that are actually backed by their eDirectory. However, I can't quite get this to work.
Here is a snippet of PowerShell code that I extracted from our C# code base that replicates what we are trying to do:
# Load the AccountManagement assembly; PowerShell does not reference it by default
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$domain = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Domain, "dsfw.domain.local", "DC=domain,DC=local")
$user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($domain, "Administrator")
$user.GetAuthorizationGroups()
On a true Active Directory system, I don't need to specify the server name or LDAP container path, but trying to do that on this server that's "joined" to the DSfW domain does not work. If I specify those parameters as shown, I can at least get as far as finding the appropriate user, but any variation of trying to get the user's groups returns a couple of groups, then terminates early with an error 0x8000005c. I have tried GetAuthorizationGroups, GetGroups, and even using a DirectorySearcher, and all do the same thing:
$user.GetAuthorizationGroups() | Format-Table IsSecurityGroup,DisplayName,SamAccountName

IsSecurityGroup DisplayName                       SamAccountName
--------------- -----------                       --------------
           True GLOBAL\Everyone                   Everyone
           True NT AUTHORITY\Authenticated Users  Authenticated Users
An error occurred while enumerating through a collection: Unknown error (0x8000500c).
I have gotten far enough to figure out that the error results from some kind of failure to translate native types to DS types, but I can't figure out which type(s) is the problem or where it's being loaded from. More importantly, I can't figure out how to get around the problem. All I really care about are the groups' SamAccountName, so if I could somehow tell LDAP to ignore everything else, I feel like that would work, but I can't figure out how.
Does anyone have any experience with DSfW that can point me in the right direction?
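The question asks how to have LDAP return only the groups' SamAccountName and nothing else. The following is an added example, not code from the question or from the DSfW product, of doing exactly that with a plain DirectorySearcher: it restricts PropertiesToLoad to the single attribute needed, so the ADSI provider never has to convert any other attribute into a .NET type. The server name, search base and user name are the placeholders from the question; that DSfW exposes the standard AD member and sAMAccountName attributes in the same way as Active Directory is an assumption, and the search returns direct memberships only (no nested groups).

```powershell
# Added example (not from the original question or the DSfW product).
# Assumptions: "dsfw.domain.local", "DC=domain,DC=local" and "Administrator"
# are the placeholder values used in the question; the directory exposes the
# AD-style "member" and "sAMAccountName" attributes.
Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)] [string] $Value)
    # RFC 4515 escaping for a value embedded in a search filter, so a DN that
    # contains "\", "*", "(" or ")" cannot change the meaning of the filter.
    # Backslash must be replaced first, before the other escapes introduce it.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Get-UserGroupSamAccountNames {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $SearchBase,
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$SearchBase")
    try {
        # Step 1: resolve the user's distinguishedName, requesting only that attribute.
        $userSearcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        $userSearcher.Filter = "(&(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
        $userSearcher.PropertiesToLoad.Clear()
        [void] $userSearcher.PropertiesToLoad.Add('distinguishedName')
        $userResult = $userSearcher.FindOne()
        if (-not $userResult) { throw "User '$SamAccountName' not found under $SearchBase" }
        $userDn = [string] $userResult.Properties['distinguishedname'][0]

        # Step 2: find groups whose "member" attribute lists that DN, and ask the
        # server for nothing but sAMAccountName. Because PropertiesToLoad is
        # limited to that one attribute, no other attribute is ever returned, so
        # nothing else has to be converted by the provider.
        $groupSearcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        $groupSearcher.Filter = "(&(objectClass=group)(member=$(ConvertTo-LdapFilterValue $userDn)))"
        $groupSearcher.PropertiesToLoad.Clear()
        [void] $groupSearcher.PropertiesToLoad.Add('sAMAccountName')
        $groupSearcher.PageSize = 500   # paged results, so large memberships are not truncated

        $results = $groupSearcher.FindAll()
        try {
            foreach ($result in $results) {
                # Property names in SearchResult are lower-cased by the provider.
                foreach ($name in $result.Properties['samaccountname']) { [string] $name }
            }
        } finally {
            $results.Dispose()
        }
    } finally {
        $root.Dispose()
    }
}

# Usage with the placeholder values from the question:
Get-UserGroupSamAccountNames -Server 'dsfw.domain.local' -SearchBase 'DC=domain,DC=local' -SamAccountName 'Administrator'
```

Two design points: the filter values are escaped per RFC 4515 rather than interpolated raw, so a DN containing parentheses or a backslash-escaped comma cannot break or alter the query; and the search runs against the LDAP server directly rather than through the AccountManagement wrapper, which is what asks for the full attribute set and trips over the type conversion. If the directory did not populate member on group objects, the same PropertiesToLoad technique could be applied to the user's memberOf attribute instead.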
User contributions licensed under CC BY-SA 3.0