Advanced Question / Firewalls, Network Routes, Trusts, and Multi-Continent DC's
I have extensively reviewed the Microsoft TechNet, and I cannot find answers to the following questions. If possible, please kindly reply with links to authoritative sources, since our boss really wants to confirm that replies to this post are accurate.

Background:

- We manage a Windows *Resource* Domain that spans multiple USA locations and multiple continents
- We establish External Trusts with our business partners, whereby their users can access our Windows resource servers
- Our partners have conditional forwarders to our internal DNS
- We have conditional forwarders to our partners’ internal DNS

Question 1 (Firewalls and Network Routes, Global network): How do we determine which Domain Controllers need to be able to talk to our trusted partners' networks? For instance, if we have a DC in Chicago and our partner is also in Chicago, would our DC’s in India also need to be able to talk with our partners' networks? How does DNS play into this, given that querying our DNS for “resource.corp.com” results in IP addresses for all of our DC’s all over the globe?

Question 2 (PDC vs. BDC in External Trusts): What are the rules for which machines need to be able to communicate in an External Domain Trust? For instance, does it have to be User PDC to Resource PDC, User PDC to Any Resource DC, Any User DC to Resource PDC, or Any User DC to Any Resource DC?

Question 3 (Determine closest DC in an External Trust Relationship): For our internal machines, we use Sites and Services to configure which DC’s they should use. For External Trusts, how would our partners know which of our DC’s is closest to them, so that a partner in Chicago doesn’t try to communicate with one of our DC’s in India?
May 26th, 2011 1:39pm
