I know that it's a generally accepted bad practice... Here is the situation. I've got a DMZ with it's own NT4 domain, and currently the domain controllers are very old and slow machines (Original Pentium's, ~64MB Memory). The DC's work out just fine for now, that's all they're doing and the load is very light. However, I'm planning an AD migration and would like to extend that to this domain by making it a tree within our new forest. The only machines I've got that are capable of running win2k with any sort of speed are the servers in the DMZ themselves. So, what exactly are the security implications of making one of the less used IIS boxes a DC for the DMZ? Please keep in mind that it will also have trusts back into our production domains outside of the DMZ. I don't think that I'm going to be able to purchase new hardware to serve as domain controllers to get this done. Money is just too tight right now. Thanks, Aaron ----------------------- Aaron Dokey - MIS Reid Tool Supply 2265 Black Creek Rd. Muskegon, MI 49444 (231) 777-3951 (231) 767-3772 (Direct) ----------------------- ================================== To Unsubscribe, set digest or vacation mode or view archives use the below link. http://thethin.net/win2000list.cfm