Greetings, I was told to bring my issue to this distribution. Six months or so ago I was tasked with setting up a Kerberos/LDAP Authentication server. After a month of headaches I finally got it to work - Then I relaized it would be a monster to maintain. Then a peer asked me to have a look at FreeIPA. Wow. Installed it - was amazed. Runs great. We love it. ...A few days ago, I was notified I have to change my domain/REALM in FreeIPA. I read the manual, google searches ... crickets. I hear crickets. I started spitting blood in the trash can. I joined a forum and asked for any information, and I was pointed here....so...here goes... My Current Configuration - We have two (2) servers. Both are installed with ipa-server-3.0.0-26.el6_4.2.x86_64. One is a replica server. Domain: my.network.domain Realm: MY.NETWORK.DOMAIN New Proposed Configuration Domain: my.local.network.domain Realm: MY.LOCAL.NETWORK.DOMAIN Sounds easy - but the paradox is ... the beauty of FreeIPA is that it does everything under the hood for you, and the horror is that it does everything under the hood for you! There seem to be so many tentacles with KERBEROS that I am afraid of jacking something up. Now, I have written a script that uses ipa to create all of my users - except the passwords. So, what I was thinking is to shut down the replica server, re-kick it, re-install FreeIPA with the new domain/REALM and then run my deploy users script. It would be my new master. But then I would have to have "each" user log in and change their password. Then take the second server and make it the replica. Question #1: Is this a stupid idea.... Is there a way (documented or not) that I can simply change my domain/REALM? Am I making this too hard? Question #2: Is there a way to backup the users passwords and then after I re-kick, install ipa and create my users ... I can simply "import" this information into the new ipa instance. Any and all suggestions are greatly appreciated... tja