I have a main site with one w2000-sp4 DC, and an ISA on a separate server. I have 3 remote sites, with ISA boxes that initiate a VPN gateway connection back to the main site. I now want to upgrade the remote ISAs to DCs, in the same domain as the main site.

I read Tom's articles on the subject, and near the end of part 2 (http://www.isaserver.org/tutorials/gatewaytogatewaywithdcpart2.html) it talks about how to eliminate bogus DNS entries associated with virtual and external IPs of the ISA box. I made the changes and am now having a hard time setting up sites and configuring replication.

I THINK the root of the problem is that the ISAs (now DNS servers) do not register their services (LDAP, GC, site affiliations, etc.) because of the reg edits. So, does it make sense to eliminate (temporarily) the reg edits, allowing registering of services for, say, 24 hrs, then re-do the edits?!?!?

Thanks,
Mike