10.6 OD, DNS checks out OK but Kerberos has stopped
Hi
I have an OS X.6 server on which I'm running Open Directory. In Server Admin, under Overview, Kerberos is showing as stopped.
I can see the Kerberize button, but it doesn't seem to accept the credentials I'm feeding it. In the Configuration log I see:
2011-08-28 00:00:16 +0100 - slapconfig -kerberize
2011-08-28 00:00:16 +0100 - Error: Incorrect username or password. You must enter a directory domain administrator username and password.
The Kerberos server log includes these two entries:
Aug 24 17:27:45 odmaster.gp.lan krb5kdc[45](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.17.28.2: ISSUE: authtime 1314203265, etypes {rep=18 tkt=16 ses=18}, odmaster.gp.lan$@ODMASTER.GP.LAN for krbtgt/ODMASTER.GP.LAN@ODMASTER.GP.LAN
Aug 24 17:27:52 odmaster.gp.lan krb5kdc[45](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.17.28.2: NEEDED_PREAUTH: odmaster.gp.lan$@ODMASTER.GP.LAN for krbtgt/ODMASTER.GP.LAN@ODMASTER.GP.LAN, Additional pre-authentication required
In WorkGroup Manager, I can't authenticate as diradmin when I try and connect, but after authenticating with the server admin account I can unlock the directory with the diradmin credentials.
changeip -checkhostname checks out OK.
host gives me the expected result whether I feed it the IP or the FQDN.
If I demote to a standalone server and promote back to an OD Master, everything seems to be in working order. Then I import the archive I did before demotion and then Kerberos stops again.
Same result if I reinstall the OS from scratch.
I guess, then, that something that ends up in the archive is tripping me up. Any idea how to troubleshoot/figure out which bit?
Or, is there a way to export Users and Groups with passwords intact in a way that I can re-import them after the Standalone-Master shuffle?
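As an added example (not part of the original post), here is a small parser for the krb5kdc lines quoted above: it pulls out client IP, principal and outcome, and per principal checks whether each NEEDED_PREAUTH challenge was later followed by an ISSUE. NEEDED_PREAUTH on its own is the KDC's normal first reply to an AS_REQ sent without pre-authentication; a challenge that is never answered by an ISSUE for that principal is the exchange worth chasing. The year (syslog lines carry none) and the 60-second pairing window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<etypes>[^)]*)\) (?P<ip>[\d.]+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$")
PRINC_RE = re.compile(r"(?P<client>\S+) for (?P<server>\S+?)(?:,|$)")
YEAR = 2011  # assumption: syslog timestamps have no year; the post is from Aug 2011

def parse_kdc_line(line, year=YEAR):
    """Parse one krb5kdc request line into a dict; None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = PRINC_RE.search(m["rest"])  # "<client principal> for <service principal>"
    return {"time": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "req": m["req"], "ip": m["ip"], "status": m["status"],
            "client": p["client"] if p else None, "server": p["server"] if p else None}

def triage_preauth(lines, window_s=60):
    """Per client principal: count ISSUEs, and NEEDED_PREAUTH challenges that were
    (completed) or were not (unanswered) followed within window_s by an ISSUE.
    An unanswered challenge means the pre-authenticated retry never succeeded."""
    by_client = defaultdict(list)
    for rec in filter(None, map(parse_kdc_line, lines)):
        if rec["req"] == "AS_REQ" and rec["client"]:
            by_client[rec["client"]].append(rec)
    report = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["time"])
        done = open_ = 0
        for i, r in enumerate(recs):
            if r["status"] != "NEEDED_PREAUTH":
                continue
            answered = any(x["status"] == "ISSUE" and
                           (x["time"] - r["time"]).total_seconds() <= window_s
                           for x in recs[i + 1:])
            done, open_ = done + answered, open_ + (not answered)
        report[client] = {"issued": sum(r["status"] == "ISSUE" for r in recs),
                          "preauth_completed": done, "preauth_unanswered": open_}
    return report

SAMPLE = [  # constructed copies of the two entries quoted in the post
    "Aug 24 17:27:45 odmaster.gp.lan krb5kdc[45](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.17.28.2: ISSUE: authtime 1314203265, etypes {rep=18 tkt=16 ses=18}, odmaster.gp.lan$@ODMASTER.GP.LAN for krbtgt/ODMASTER.GP.LAN@ODMASTER.GP.LAN",
    "Aug 24 17:27:52 odmaster.gp.lan krb5kdc[45](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.17.28.2: NEEDED_PREAUTH: odmaster.gp.lan$@ODMASTER.GP.LAN for krbtgt/ODMASTER.GP.LAN@ODMASTER.GP.LAN, Additional pre-authentication required",
]
```

Running `triage_preauth(SAMPLE)` on the two quoted lines reports one ISSUE (the first exchange) and one unanswered challenge, because nothing after the 17:27:52 NEEDED_PREAUTH completes it; feed it the whole kdc log to see whether that pattern repeats for the machine principal.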