Some general MOSS 07 questions regarding authentication and search

  Asked By: Pallavi    Date: Aug 06    Category: MOSS    Views: 822

We're talking with MS later on to clarify a few of these issues, but
thought I'd get everyone else's opinion as well:

1) Site collections can use Forms Authentication and AD Authentication.
Can they use BOTH, or is it an either/or situation?

2) We're looking at using a 4-server farm (2 front end SP servers, 2
backend SQL servers). Is there a general rule of thumb as to when it
becomes necessary to offload search/index to a 5th server?

3) My understanding is that there is a way to have MOSS 'talk' directly
to one of your AD domains to add users to AD directly from MOSS. Is that
true? If so, what is this feature/add-on called? (We're not against
using AD, but we are against having IT having to add/maintain users in a
domain that are from outside our organization)

3 Answers Found

 
Answer #1    Answered By: Faith Delgado     Answered On: Aug 06

See my comments.......

1) Site collections can use Forms Authentication and AD Authentication.
Can they use BOTH, or is it an either/or situation?

Reply> Authentication is set at the Zone (Web Application) level. You can
have two different Zones that point at the same content. Authentication is
dependent on which URL the user uses to access the content. So you could
have an Extranet that is Forms Authenticated, an Intranet that is AD
authenticated, and an Internet that is Anonymous Access all pointing to the
exact same content.

2) We're looking at using a 4-server farm (2 front end SP servers, 2
backend SQL servers). Is there a general rule of thumb as to when it
becomes necessary to offload search/index to a 5th server?

Reply> This is all going to be very dependent on how you use search and
indexing. If you are going to index a lot of non-SharePoint content like
legacy files on network shares, web sites, Exchange Public Folders, etc., you
will probably want a separate server. If you are just accessing SharePoint
and your content is not highly volatile you should be able to do it with
just the 4 servers you listed above. The key is to take a good baseline and
then frequently check performance counters during regular operation to
predict when you need to get more resources.

3) My understanding is that there is a way to have MOSS 'talk' directly
to one of your AD domains to add users to AD directly from MOSS. Is that
true? If so, what is this feature/add-on called? (We're not against
using AD, but we are against having IT having to add/maintain users in a
domain that are from outside our organization)

Reply> WSS has an Account Creation Mode, but this didn't work with Portal in
2003 and I don't think it works with MOSS in 2007. The real problem is that
you can only set it at installation time, and if you go this route you can't
use existing accounts in AD with SharePoint. You can only use the ones
created through Account Creation Mode. So all your regular users will have
both an AD and a SharePoint account. Rather than going this route you might
want to investigate Forms Based Authentication using LDAP. Using this you
can point users at your regular AD, but there is also a .NET 2.0 control
that can be added to the login page to register users and create accounts in
AD on the fly.

 
Answer #2    Answered By: Kristy Hicks     Answered On: Aug 06

thanks for the info. Some follow-up questions...

> PPS> Authentication is set at the Zone (Web Application)
> level. You can
> have two different Zones that point at the same content.

If I do that, what is the same and what is unique between the two web
apps? For instance, if someone customizes their masterpage for their
AD-authenticated web app sites, do they then need to go and modify their
masterpage for their Forms-authenticated web app sites? If they make a
new document list in one app, do they have to make it in the other one
as well?

The scenario we are trying to address is that we're going to have a team
collaboration portal (web app) with the front-end server sitting in our
DMZ zone. We'd like to be able to authenticate internal users via AD,
and external users via forms. It sounds like from what you're saying
that we could just have two portals, both pointing at the same DB. My
question is if that doubles the maintenance to keep both portals
in sync in terms of page layout/templates/permissions/etc.

> Rather than going this
> route you might want to investigate Forms Based
> Authentication using LDAP. Using this you can point users at
> your regular AD, but there is also a .net 2.0 control that
> can be added to the Login page to register users and create
> accounts in AD on the fly.

That's interesting. Is this web control a MS product or a 3rd party
control?

 
Answer #3    Answered By: Amanda Brown     Answered On: Aug 06

If I do that, what is the same and what is unique between the two web
apps? For instance, if someone customizes their masterpage for their
AD-authenticated web app sites, do they then need to go and modify their
masterpage for their Forms-authenticated web app sites? If they make a
new document list in one app, do they have to make it in the other one
as well?

Reply> Content is the same for both Zones. The only differences you will see
all relate back to issues around not having a Windows identity on the server
when running Forms Based. For example, users will still be able to open
documents and save documents to a library, but the New button won't be there
for FBA users because it won't work right.

The scenario we are trying to address is that we're going to have a team
collaboration portal (web app) with the front-end server sitting in our
DMZ zone. We'd like to be able to authenticate internal users via AD,
and external users via forms. It sounds like from what you're saying
that we could just have two portals, both pointing at the same DB. My
question is if that doubles the maintenance to keep both portals
in sync in terms of page layout/templates/permissions/etc.

Reply> Although there are two portal addresses, there is only one portal.
The content is only stored once in a single content database. You just have
two slightly different URLs to get to the content.

> Rather than going this
> route you might want to investigate Forms Based
> Authentication using LDAP. Using this you can point users at
> your regular AD, but there is also a .net 2.0 control that
> can be added to the Login page to register users and create
> accounts in AD on the fly.

That's interesting. Is this web control a MS product or a 3rd party
control?

Reply> SharePoint uses standard .NET 2.0 pluggable authentication. The
Register User control (it's a server control, not a web part) is a regular
ASP.NET 2.0 control. SharePoint has a login page for FBA that has the Login
control on it, but some of the other controls like the user registration
control can also be added. It's all stock ASP.NET 2.0, including the LDAP
membership provider.
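As an added illustration of the "stock ASP.NET 2.0 pluggable authentication" route that Answer #1 and Answer #3 describe (this is not code from the thread or from Microsoft's documentation), below is what the web.config of the Forms-authenticated extranet zone would carry: Forms authentication pointed at SharePoint's FBA login page, plus the stock ASP.NET 2.0 `ActiveDirectoryMembershipProvider` bound to the organization's regular AD over LDAP. The intranet zone's web.config stays on `mode="Windows"` and is not touched, which is what makes the two-zone layout work. Every hostname, distinguished name, account name and provider name here is a placeholder assumed for the example.

```xml
<!-- Added example: web.config fragment for the Forms-authenticated (extranet) zone.
     dc01.corp.example.com, the OU, CORP\svc-sp-ldap and the provider name "AdMembers"
     are placeholders; substitute your own values. -->
<configuration>
  <connectionStrings>
    <!-- Bind the provider to one container so only accounts intended for the
         extranet can log in; the AD-authenticated intranet zone is unaffected. -->
    <add name="AdConnection"
         connectionString="LDAP://dc01.corp.example.com/OU=ExternalUsers,DC=corp,DC=example,DC=com" />
  </connectionStrings>

  <system.web>
    <!-- Forms mode for this zone only. loginUrl is SharePoint's own FBA login page,
         which hosts the ASP.NET Login control mentioned in the answer.
         requireSSL keeps the forms cookie off plain HTTP on the DMZ-facing host. -->
    <authentication mode="Forms">
      <forms loginUrl="/_layouts/login.aspx"
             requireSSL="true"
             timeout="30"
             slidingExpiration="false" />
    </authentication>

    <!-- The provider name entered in Central Administration's Authentication
         Providers page for this zone must match the name declared here. -->
    <membership defaultProvider="AdMembers">
      <providers>
        <add name="AdMembers"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="AdConnection"
             connectionUsername="CORP\svc-sp-ldap"
             connectionPassword="REPLACE-AND-ENCRYPT-THIS-SECTION"
             connectionProtection="Secure"
             attributeMapUsername="sAMAccountName"
             enableSearchMethods="true" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

Two practical notes on this fragment. First, `connectionUsername`/`connectionPassword` are a directory credential sitting in a file on a DMZ host, so the bind account should be a least-privilege service account (read, and write only on the ExternalUsers OU if self-registration is enabled) and the `connectionStrings` and `membership` sections should be encrypted in place with `aspnet_regiis -pe` rather than left in clear text. Second, `enableSearchMethods="true"` is what lets the People Picker resolve forms users when the same provider is also declared (without `defaultProvider`) in Central Administration's web.config; the self-registration the answer refers to would, on this stack, be the stock ASP.NET 2.0 `CreateUserWizard` control placed on the login page and calling this provider's `CreateUser`, which is an assumption about the unnamed control rather than something the thread states.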
