How to create a manageable DMZ architecture?



My problem is that there are services on my internal LAN, such as
Kerberos, NTP, DNS queries & xfers, etc, that I need my servers on my
DMZs to access. I am thinking of building 2 DMZs; one for my web
servers and the other for my DB servers. After doing a little DMZ
design research I found two threads that make me wonder:

1) Never let a server on a public accessible DMZ segment initiate a
connection to a server on a higher security segment (i.e. server in
the LAN).

2) To allow administrative access to servers in the DMZ, create an out-
of-band management subnet by installing another NIC on each of the DMZ
servers. This dedicated NIC would allow administrative access,
Kerberos, NTP, etc. None of these servers would allow packet
forwarding.

With #1 being stated, how do you allow DMZ'ed hosts to access these
internal services that cannot be easily replicated? Replicating
all of these services for each DMZ as well as the LAN sounds like an
administrative nightmare.

#2 made me wonder whether security is really gained. Couldn't all of
this service and administrative access take place over the main
communications channel (i.e. in-band) with less hardware and
configuration? It seems like the only thing gained would be access to
the servers via the out-of-band channel in the event of a DoS on the
in-band channel.

What are some of your DMZ design guidelines and best practices?

Would it be so bad to just poke a few holes through the firewall from
the DMZ to the LAN and then really lock down those internal servers,
not allowing them to initiate connections outside of their local
segment?
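The "poke a few holes" option in the question can be made manageable by writing the policy down as a zone table rather than as individual firewall lines: every zone pair is default-deny, only the DMZ-to-LAN service ports the question names (Kerberos, NTP, DNS queries and zone transfers) are opened as new-connection exceptions, and replies come back on connection-tracking state so no reverse "hole" is needed. The following is an added example, not code from the question's author; the subnets, the PostgreSQL port between the two DMZs, the SSH management rule and the nftables output format are assumptions chosen for illustration.

```python
"""Zone-based DMZ policy model: default deny, explicit DMZ->LAN service
exceptions, stateful replies, rendered to an nftables forward chain."""
from dataclasses import dataclass
import ipaddress

# Constructed placeholder address plan (hypothetical, not from the question).
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "web_dmz":  ipaddress.ip_network("192.0.2.0/24"),
    "db_dmz":   ipaddress.ip_network("198.51.100.0/24"),
    "lan":      ipaddress.ip_network("10.10.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    src: str    # zone allowed to OPEN the connection
    dst: str    # zone it may open it to
    proto: str  # "tcp" or "udp"
    dport: int
    why: str


# Only new connections need rules; replies are matched by conntrack state.
POLICY = [
    Rule("internet", "web_dmz", "tcp", 443, "public HTTPS"),
    Rule("web_dmz", "db_dmz", "tcp", 5432, "app to database (assumed PostgreSQL)"),
    # The deliberate holes from each DMZ to the LAN, one per service.
    *[Rule(zone, "lan", proto, port, why)
      for zone in ("web_dmz", "db_dmz")
      for proto, port, why in (("udp", 88, "Kerberos"), ("tcp", 88, "Kerberos"),
                               ("udp", 123, "NTP"),
                               ("udp", 53, "DNS queries"),
                               ("tcp", 53, "DNS zone transfers"))],
    # In-band administration from the LAN into both DMZs (assumed SSH).
    Rule("lan", "web_dmz", "tcp", 22, "SSH admin"),
    Rule("lan", "db_dmz", "tcp", 22, "SSH admin"),
]


def zone_of(ip: str) -> str:
    """Longest-prefix zone lookup, so 0.0.0.0/0 only catches true outsiders."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in ZONES.items() if addr in net]
    return max(matches)[1]


def allows_new(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """True if this zone pair/port may open a connection; anything unlisted is denied."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    return any(r.src == src and r.dst == dst and r.proto == proto and r.dport == dport
               for r in POLICY)


def render_nftables() -> str:
    """Emit an nftables forward chain equivalent to POLICY (policy drop)."""
    lines = [
        "table inet dmz_policy {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept   # replies to allowed flows",
        "    ct state invalid drop",
    ]
    for r in POLICY:
        match = []
        if r.src != "internet":          # no saddr match needed for 0.0.0.0/0
            match.append(f"ip saddr {ZONES[r.src]}")
        match.append(f"ip daddr {ZONES[r.dst]}")
        match.append(f"{r.proto} dport {r.dport}")
        lines.append(f"    {' '.join(match)} ct state new accept   # {r.why}")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables())
```

Because the table is the source of truth, adding a third DMZ or a new internal service is one `Rule` line, and the model can be queried before the change is deployed: a DMZ host reaching the LAN on anything other than the listed service ports, or a DB DMZ host opening a connection to the Internet, is refused by the default deny rather than by a rule someone has to remember to write.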