So, I'm just looking for some sanity checking as well as answers to a couple of
questions on my procedures to make sure that I am doing everything correctly.

There's an IDV tree, a file and print tree, an AD domain and a couple
remote eDir sites that each have their own tree.

The passwords need to sync between all of the trees/domain. The remote
sites will always be a subset of the IDV. Everything is connected to the IDV.

Am I correct in assuming that Universal Password needs to be used on all of
the systems since we need that password to propagate to the other systems?

I know between eDir trees you can use public key/private key to synchronize
NDS password, but that won't propagate to the other eDir trees, will it, and
certainly not the AD tree, right?

What I planned on using was publishing to Universal and distribution
passwords for all of the drivers. Is this the best/safest path? A
coworker has apparently encountered/heard of a situation where NMAS
authentication can put a lot of extra load on the server.. should this be a

Thanks in advance. Hopefully this is an easy question for all those IDM
gurus out there.