> One question if I may just butt in just a second please. Only one GC per > site? I have been running two on our single site of about 50 machines for > several months without error. If I had a user location with say 180 users > and a total of 225 machines and all on one IP subnet I would certainly want > more than one GC? Are we talking AD Sites or IP Subnets as sites? I assume > the former in which case I have another question. Whilst creating Sites is > recommended it is not compulsory and whilst AD may not work as well without > them it isn't a prerequisite as I understand so what is the problem with > multiple GC's' per Site? While you can have more than one GC per site, (as defined in AD Sites and Services,) it can lead to replication problems. Remember, the purpose of the GC is to keep a catalog of all objects in the forest and each domain, and what domain and group those objects belong to. It has nothing to do with permissions assigned. You have to have one per domain, and it is highly recommended to have one per site (when there is more than one site for a domain). If you concern is user login, the only time the GC is absolutely required for login is when a user logs into a computer for the first time and when changing a password while logged on the UPN. (user@xxxxxxxxxx) The GC is queried to determine group memberships and to which domain the user belongs and which DC to query. It does not respond with permissions, only what Universal Groups the user may be a part of. (Domain group membership comes from the DC of the domain.) What permissions those groups may have are still determined by the appropriate DC. John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com