AFP548

Botched AD directory migration – can get KRBTGT but no further tickets for other servers etc…

Last night, and against my better judgement, I migrated a 10.5.6 server from one AD domain to another. The original domain was corp.domain, the new one bosapparel.net. The migration was going well, or so I thought. I'd unbound from the directory, demoted to a standalone server, run changeip to switch the FQDN, re-bound to the new domain, enabled SSO and then promoted to an OD master. Then I noticed that Kerberos wasn't running, so I unbound, restarted, rebound, and poof, it was running. All was good.

I proceeded to test and found that single sign-on wasn't working on the clients that I was test-binding to the new AD domain and OD server. I suspected that old entries from the old corp.domain iteration of the server shouldn't exist in the DSCL, so I foolishly did all of this:

You must be 'root' to do this:

    slapconfig -destroyldapserver
    rm -rf /private/var/db/krb5kdc
    mkdir -m 700 /private/var/db/krb5kdc
    rm -rf /etc/krb5.keytab
    rm -rf /Library/Preferences/edu.mit.kerberos
    rm -rf /Library/Preferences/com.apple.AppleFileServer.plist
    dscl
    > cd /Local/Default/Config
    > delete Kerberos:SERVER.DOMAIN.TLD
    > quit

Then run all on one line (may be wrapped here):

    slapconfig -createldapmasterandadmin diradmin "Directory Administrator" 1000 dc=server,dc=domain,dc=tld SERVER.DOMAIN.TLD

Where 'SERVER.DOMAIN.TLD' is the FQDN of the server.

This ensured that my server would no longer get Kerberos up and running. I restored those few files from Time Machine, but have a number of log entries that don't seem to jibe, and client machines that, though bound, aren't able to take advantage of SSO.

From the KDC log:

    Aug 26 08:19:22 mawsmacfp1.bosapparel.net krb5kdc[101](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.30.241.10: UNKNOWN_SERVER: authtime 1251289162, atlasdir@MAWSMACFP1.BOSAPPAREL.NET for krbtgt/BOSAPPAREL.NET@MAWSMACFP1.BOSAPPAREL.NET, Server not found in Kerberos database

From slapconfig.log:

    WARNING: no policy specified for fcsvr/mawsmacfp1.bosapparel.net@MAWSMACFP1.BOSAPPAREL.NET; defaulting to no policy
    WARNING: no policy specified for pcast/mawsmacfp1.bosapparel.net@MAWSMACFP1.BOSAPPAREL.NET; defaulting to no policy
    WARNING: no policy specified for vnc/mawsmacfp1.bosapparel.net@MAWSMACFP1.BOSAPPAREL.NET; defaulting to no policy
    WARNING: no policy specified for cifs/mawsmacfp1.bosapparel.net@MAWSMACFP1.BOSAPPAREL.NET; defaulting to no policy
    WARNING: no policy specified for ldap/mawsmacfp1.bosapparel.net@MAWSMACFP1.BOSAPPAREL.NET; defaulting to no policy
    WARNING: no policy specified for xgrid/mawsmacfp1.bosapparel.net@MAWSMACFP1.BOSAPPAREL.NET; defaulting to no policy
    WARNING: no policy specified for vpn/mawsmacfp1.bosapparel.net@MAWSMACFP1.BOSAPPAREL.NET; defaulting to no policy
    WARNING: no policy specified for ipp/mawsmacfp1.bosapparel.net@MAWSMACFP1.BOSAPPAREL.NET; defaulting to no policy
    WARNING: no policy specified for xmpp/mawsmacfp1.bosapparel.net@MAWSMACFP1.BOSAPPAREL.NET; defaulting to no policy
    WARNING: no policy specified for XMPP/mawsmacfp1.bosapparel.net@MAWSMACFP1.BOSAPPAREL.NET; defaulting to no policy
    WARNING: no policy specified for host/mawsmacfp1.bosapparel.net@MAWSMACFP1.BOSAPPAREL.NET; defaulting to no policy
    WARNING: no policy specified for smtp/mawsmacfp1.bosapparel.net@MAWSMACFP1.BOSAPPAREL.NET; defaulting to no policy
    WARNING: no policy specified for nfs/mawsmacfp1.bosapparel.net@MAWSMACFP1.BOSAPPAREL.NET; defaulting to no policy
    WARNING: no policy specified for http/mawsmacfp1.bosapparel.net@MAWSMACFP1.BOSAPPAREL.NET; defaulting to no policy
    WARNING: no policy specified for HTTP/mawsmacfp1.bosapparel.net@MAWSMACFP1.BOSAPPAREL.NET; defaulting to no policy
    WARNING: no policy specified for pop/mawsmacfp1.bosapparel.net@MAWSMACFP1.BOSAPPAREL.NET; defaulting to no policy
    WARNING: no policy specified for imap/mawsmacfp1.bosapparel.net@MAWSMACFP1.BOSAPPAREL.NET; defaulting to no policy
    WARNING: no policy specified for ftp/mawsmacfp1.bosapparel.net@MAWSMACFP1.BOSAPPAREL.NET; defaulting to no policy
    WARNING: no policy specified for afpserver/mawsmacfp1.bosapparel.net@MAWSMACFP1.BOSAPPAREL.NET; defaulting to no policy

From the Single Sign-On tools log:

    Kerberos configuration is up to date
    Kerberos configuration is up to date
    Kerberos configuration not updated, cannot contact all nodes on search path
    Kerberos configuration not updated, cannot contact all nodes on search path
    Kerberos configuration not updated, cannot contact all nodes on search path

The result of all this mess is that I am given a ticket for the bosapparel.net domain, but that TGT doesn't actually get me any more tickets. It's odd. I'm clueless here; my specialty is not directory services, and it's certainly not domain migrations. Help?!
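As an added diagnostic, not part of the original post: a small parser for MIT krb5kdc TGS_REQ lines like the one quoted above. It pulls the client, requested service principal and realm out of each line, and flags the post's pattern (a request to the OD KDC, realm MAWSMACFP1.BOSAPPAREL.NET, for krbtgt/BOSAPPAREL.NET) as a cross-realm TGT request that this KDC cannot satisfy, which is why it answers UNKNOWN_SERVER. The first sample line is the post's own; the second is a constructed successful ISSUE line for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: line 1 is the TGS_REQ quoted in the post,
# line 2 is a made-up ISSUE line in the same krb5kdc format.
SAMPLE_KDC_LOG = """\
Aug 26 08:19:22 mawsmacfp1.bosapparel.net krb5kdc[101](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.30.241.10: UNKNOWN_SERVER: authtime 1251289162, atlasdir@MAWSMACFP1.BOSAPPAREL.NET for krbtgt/BOSAPPAREL.NET@MAWSMACFP1.BOSAPPAREL.NET, Server not found in Kerberos database
Aug 26 08:19:40 mawsmacfp1.bosapparel.net krb5kdc[101](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.30.241.10: ISSUE: authtime 1251289162, etypes {rep=18 tkt=18 ses=18}, atlasdir@MAWSMACFP1.BOSAPPAREL.NET for afpserver/mawsmacfp1.bosapparel.net@MAWSMACFP1.BOSAPPAREL.NET
"""

# Fields of a krb5kdc TGS_REQ line: requester IP, result code, client principal,
# and the service principal the client asked for (with its realm).
TGS_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): TGS_REQ .*?(?P<ip>\d+\.\d+\.\d+\.\d+): (?P<status>[A-Z_]+): "
    r".*?(?P<client>[^\s,]+)@(?P<client_realm>[^\s,]+) for "
    r"(?P<service>[^\s@]+)@(?P<service_realm>[^\s,]+)"
)


@dataclass
class TgsFinding:
    status: str
    client: str
    service: str
    service_realm: str
    verdict: str


def classify(line: str) -> Optional[TgsFinding]:
    """Explain one TGS_REQ line; returns None for lines that are not TGS_REQ."""
    m = TGS_RE.search(line)
    if not m:
        return None
    service, service_realm, status = m["service"], m["service_realm"], m["status"]
    if service.startswith("krbtgt/") and service.split("/", 1)[1] != service_realm:
        # krbtgt/B@A asks realm A for a cross-realm TGT into realm B: the client
        # has mapped the service it wants to realm B (here the AD realm) rather
        # than to the OD KDC's own realm. With no trust to B, the KDC has no such
        # principal and logs UNKNOWN_SERVER, which is the symptom in the post.
        target = service.split("/", 1)[1]
        verdict = f"cross-realm TGT request into {target}; KDC realm {service_realm} holds no trust for it"
    elif status == "ISSUE":
        verdict = "service ticket issued"
    else:
        verdict = f"{status} for {service}"
    return TgsFinding(status, m["client"], service, service_realm, verdict)


def scan(log_text: str) -> List[TgsFinding]:
    """Classify every TGS_REQ line in a block of krb5kdc log text."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]
```

Run `scan(open("/var/log/krb5kdc/kdc.log").read())` on the server to see whether every failing request follows the same cross-realm pattern, which points at the client-side realm mapping rather than at the KDC database.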