www.sharepointmythbuster.com

One big draw back of the way AD implements LDAP is the lack of support for querying on Organisaitonal Units. No matter what you try, you will hit a brick wall when trying something like OU=SharePoint or OU:SharePoint in a simple query. Even trying to access the value as a property of an AD object will fail as OUs are not stored as properties on objects but only form part of the hierarchy and not part of the metadata.
So the only place where you can enter an OU is when you are selecting the datasource, before applying any filters. Which means only one single OU, right?

The common work-around to this is to set up Groups for each OU and assign the users to the groups, as these can be filtered on. :-) You can be sure as hell that the network admin will declare you a sandwich short of a picknic and will want to know who will be maintaining both OUs and groups only because SharePoint is being iffy.
There is a much simpler solution. Contrary to many beliefs you can import users from multiple OUs by specifying them in separate datasources.
"But what about using the same domain? Won't that cause errors?" You might ask. Not necessarily...
The domain you enter in the first box when setting up the profile import has no effect on the process once you decide to not query the whole domain but to specify your own source in the form of OU=CorpUsers, DC=domain, DC=com. Thus enter whatever value you like there. A good one would be a name which identifies the datasource such as Corpusers.domain.com and Extranetusers.domain.com or similar. Just make sure that the entry for "domain", which is nothing more than the title of the data source, is unique.