I can create a one-way trust between an Active Directory and a MIT KDC but what I'd like to know is whether Active Directory supports Kerberos Referrals (RFC 6806) as well in this scenario.
This'd allow clients to automatically figure out which hosts belong to which Realm and also which KDC to contact.
Currently, we always have to run ksetup /addkdc <...> and ksetup /addhosttorealmmap <...> on every client which is a bit tedious (I'm no Windows expert but I assume this can also be rolled out to all clients using Group Policies)
