Problems with Kerberos and Mobile accounts in a magic triangle setup.
Hello
I'm currently testing out a magic triangle setup to migrate Mac user authentication off the ODM we use just for our department and onto the AD that provides services for the wider campus. Through a magic triangle setup I can have AD user accounts authenticate and log on to a Mac client, and through the magic of augmented records they have Mac server hosted home folders as network users. Using MCX on the group to specify a synchronisation URL I've also been able to create PHDs that sync back to the same home folders. All this has been tested with a 10.6 client and a 10.6 server and so far, so good, but now there are a few issues with the setup.
First, Kerberos seems to be broken. From a Windows client I can access Kerberised services on both the Mac server and the wider AD with single sign-on. However, from Mac clients I am asked for credentials every time. I appear to get a TGT krbtgt/AD.DOMAIN.COM@AD.DOMAIN.COM for default principal username@AD.DOMAIN.COM. The problem appears to be that most services are on servers with addresses server.domain.com; if I access a service from a server with an address server.ad.domain.com then I get a ticket and the service works. I'm guessing that either the wrong information is being pulled from the AD or the Mac clients are misinterpreting it, but I lack sufficient understanding of how Kerberos is configured to fix it.
The second issue I'm having is that when the test client is disconnected from the network I still get the option for "Other..." logins, and mobile accounts that I have created cannot log on. I assume this is because the system still thinks that it should be able to contact either the AD servers or the ODM despite the fact that it isn't connected to the network and in fact cannot.
Any advice and/or assistance with these issues would be appreciated.
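The first symptom above (tickets are obtained for hosts under ad.domain.com but not for hosts under domain.com, even though the TGT itself is fine) is the pattern a Kerberos client produces when it cannot map a service's host name to the right realm. The following added example, which is not part of the original post and not anyone's production configuration, models the host-to-realm lookup a krb5 library performs against its `[domain_realm]` table (modelled on MIT krb5's rules: exact host entry first, then progressively shorter domain suffixes written with a leading dot, then `default_realm`; the DNS TXT fallback that some libraries also try is left out). The `NARROW_MAP`, `BROAD_MAP`, host names and the `OD.EXAMPLE` realm are constructed sample values; only `AD.DOMAIN.COM`, `server.domain.com` and `server.ad.domain.com` come from the post. Whether this is actually the cause on the poster's clients cannot be determined from the post; the example shows the mechanism and what a corrected mapping looks like.

```python
# Added illustration of Kerberos host-to-realm resolution (not code from the post).
# Rules modelled on MIT krb5's [domain_realm] handling: exact host name, then
# parent domains with a leading dot (most specific first), then default_realm.
# DNS TXT realm lookup is intentionally omitted.
from typing import Dict, Optional


def host_realm(hostname: str, domain_realm: Dict[str, str],
               default_realm: Optional[str]) -> Optional[str]:
    """Return the realm a client would use for a service on `hostname`."""
    host = hostname.lower().rstrip(".")
    # Tags in [domain_realm] are matched case-insensitively; normalise them.
    table = {k.lower().rstrip("."): v for k, v in domain_realm.items()}
    # 1. An entry for the exact host name wins.
    if host in table:
        return table[host]
    # 2. Otherwise walk the parent domains: ".ad.domain.com", ".domain.com", ".com"
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in table:
            return table[suffix]
    # 3. No mapping applies: fall back to default_realm (None if unset).
    return default_realm


def service_principal(service: str, hostname: str, domain_realm: Dict[str, str],
                      default_realm: Optional[str]) -> Optional[str]:
    """Build the service principal the client would request a ticket for."""
    realm = host_realm(hostname, domain_realm, default_realm)
    if realm is None:
        return None
    return f"{service}/{hostname.lower().rstrip('.')}@{realm}"


def render_krb5_conf(default_realm: str, domain_realm: Dict[str, str]) -> str:
    """Render the [libdefaults] and [domain_realm] sections for a given mapping."""
    lines = ["[libdefaults]", f"    default_realm = {default_realm}", "",
             "[domain_realm]"]
    lines += [f"    {tag} = {realm}" for tag, realm in domain_realm.items()]
    return "\n".join(lines) + "\n"


# Constructed sample mappings. NARROW_MAP covers only the AD's own DNS zone,
# so a host under domain.com falls through to default_realm. BROAD_MAP also
# declares that hosts under domain.com belong to the AD realm.
NARROW_MAP = {".ad.domain.com": "AD.DOMAIN.COM"}
BROAD_MAP = {".ad.domain.com": "AD.DOMAIN.COM", ".domain.com": "AD.DOMAIN.COM"}
# Constructed stand-in for whatever realm the client treats as default.
OTHER_DEFAULT = "OD.EXAMPLE"

if __name__ == "__main__":
    for host in ("server.ad.domain.com", "server.domain.com"):
        print(host, "->", service_principal("cifs", host, NARROW_MAP, OTHER_DEFAULT),
              "| with broad map:", service_principal("cifs", host, BROAD_MAP, OTHER_DEFAULT))
    print(render_krb5_conf("AD.DOMAIN.COM", BROAD_MAP))
```

With the narrow table, `server.ad.domain.com` matches `.ad.domain.com` and resolves to `AD.DOMAIN.COM`, while `server.domain.com` matches nothing and falls through to whatever `default_realm` the client has, which is exactly the one-zone-works, one-zone-fails split described in the post. The broad table maps both to `AD.DOMAIN.COM`. On a real client, `klist` after a failed access shows which service principal (and realm) was actually requested, which is the quickest way to confirm or rule out this mechanism.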