AFP548

pwpolicy -setpolicy isDisabled is not getting stored

Hi guys,

I've an interesting issue here with an OD environment comprising 1 ODM and 4 ODR. Changes applied to the property isEnabled with WM or the CLI using pwpolicy setpolicy are not stored, even though the action gets properly logged into ApplePasswordServer.Server.log as:

[code]
Apr 17 2008 15:14:30 SETPOLICY: {0x00000000000000000000000000000001, diradmin} set policies: isDisabled=1 isAdminUser=0 newPasswordRequired=0 usingHistory=0 canModifyPasswordforSelf=1 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=0 requiresNumeric=0 expirationDateGMT=4294967295 hardExpireDateGMT=4294967295 maxMinutesOfNonUse=0 maxMinutesUntilChangePassword=0 maxFailedLoginAttempts=0 minChars=0 maxChars=0 for user: {0x4701117b2c6b3e790000012f0000083c, bobk}
[/code]

The account was created in the same OD and has an OD password. The issue is affecting 300+ accounts. New accounts are not affected. I had to clean up 4000+ sync.gz junk files that dated back from Jul '07 in the /var/db/authserv directory; this hasn't improved matters.

A couple more things I've found while digging around.

Firstly: In WM's inspector, in config>Passwordserver>dsAttrTypeStandard: PasswordServerList, I've found some worrying entries under the key [code]LastSyncFailedAttempt[/code] which date back from 2007-06-05. Does this mean that the authservermain and the KDC haven't been syncing since then? Is this related to the policy issue? Has the PWS authservermain DB gone corrupt?

Secondly: I decided to reboot the ODM to see what would come up in the system.log, and I did find the following DNS entries:

[code]
Apr 17 12:16:38 csmodm mDNSResponder: Update _kerberos._tcp.CSMODM.MYDOMAIN.COM. refused
Apr 17 12:16:38 csmodm mDNSResponder: Registration of record _kerberos._tcp.CSMODM.MYDOMAIN.COM. type 33 failed with error -65553
Apr 17 12:16:38 csmodm mDNSResponder: Update _kerberos._udp.CSMODM.MYDOMAIN.COM. refused
Apr 17 12:16:38 csmodm mDNSResponder: Registration of record _kerberos._udp.CSMODM.MYDOMAIN.COM. type 33 failed with error -65553
Apr 17 12:16:40 csmodm /usr/sbin/serialnumberd[238]: serialnumberd: Firewall rule #1 added to allow port 626.
Apr 17 12:16:44 csmodm /usr/sbin/serveradmin: servermgr_ipfilter:ipfw config:Notice:Disabled firewall
Apr 17 12:16:46 csmodm mDNSResponder: ERROR: Only name server claiming responsibility for "_kerberos.csmodm." is "."!
Apr 17 12:18:15 csmodm /usr/sbin/PasswordService: client response doesn't match what we generated
[/code]

Although the machine resolves properly (reverse-forward) when queried from the CLI, is there something that we can check at the DNS server to ensure that it is perfectly configured?

Any clues greatly appreciated!

Eric