>We received a lot of good information from the Windows Higher Ed list, but
>I thought it might be valuable to get feedback from the folks who support
>external KDCs as well. Are there any major gotchas that those of us
>who support Kerberos or the Windows community at large should be aware

The big one is to make sure you don't configure your AD domain with the
same name as your "external" (I don't personally like that word in this
context) realm. E.g., you don't want "WAM.UMD.EDU" to be the name of both
your Kerberos realm and AD domain. If you do that, you will be setting
yourself up for massive pain down the road.