Multi-master Windows 2008 DC and replication of specific OUs
Hi, please help me achieve the following, if possible technically. I am setting up Domain Controllers in the same domain.corp, but split across two departments - Dep1 and Dep2. Each department uses some application which creates objects (users/groups/OUs etc.) under certain top-level OUs. Like Dep1 uses <root>/Dep1OU and Dep2 uses <root>/Dep2OU. So I believe if we use a multi-master replication model, both the DCs will be kept in synchronization with each other.

My question is, can we configure Dep1-DC in a way that it only allows writes under Dep1OU, and similarly for Dep2-DC to allow writes under Dep2OU? This is to prevent one department messing up the data of another.

The second part of the problem is - we want to keep track of the changes using Windows 2008 security auditing in the Event log. Therefore, my question is, would it generate EventLog entries in the respective DCs? Or would it all get logged onto the first DC added to the system (Dep1-DC in this case)?

So far I have achieved this:
1) added Dep1-DC
2) added Dep2-DC as ADC

Observations:
1) I can make changes in any OU from any DC - need to restrict that
2) event logs for auditing (for DS Changes, I am not interested in DS Replication) are generated only in Dep1-DC, and not in Dep2-DC.
October 30th, 2010 9:21am

It does not matter from which DC changes are made. It's the person making the changes that matters. You need to delegate administration to users so they can only manage accounts in the OU they are responsible for.

See this article: http://www.microsoft.com/downloads/en/details.aspx?familyid=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en

And this article might help: http://technet.microsoft.com/en-us/magazine/2007.02.activedirectory.aspx

Richard Mueller, MVP ADSI
October 30th, 2010 12:59pm
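As an added example (not part of the thread and not Richard Mueller's code), the following PowerShell script shows what "delegate administration per OU" looks like in practice, plus the auditing side of the question: each department's admin group gets rights only under its own OU, a SACL is put on those OUs so writes produce Directory Service Changes events, and the Security log of every DC is queried. Every name is an assumption: domain domain.corp, OUs Dep1OU/Dep2OU, groups Dep1-Admins/Dep2-Admins, DCs Dep1-DC/Dep2-DC. It assumes the ActiveDirectory module (RSAT or Server 2008 R2 and later), PowerShell remoting to the DCs, and an account allowed to change the OUs' DACL and SACL.

```powershell
# Added example, not from the thread. Assumed names: domain.corp, OUs Dep1OU/Dep2OU,
# groups Dep1-Admins/Dep2-Admins, DCs Dep1-DC/Dep2-DC.
# Requires the ActiveDirectory module (AD: drive) and rights to edit DACL/SACL.
Import-Module ActiveDirectory

$domainDn    = (Get-ADDomain).DistinguishedName      # e.g. DC=domain,DC=corp
$delegations = @{
    "OU=Dep1OU,$domainDn" = "Dep1-Admins"
    "OU=Dep2OU,$domainDn" = "Dep2-Admins"
}
$domainControllers = "Dep1-DC", "Dep2-DC"

$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$Success = [System.Security.AccessControl.AuditFlags]::Success
$InheritAll  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$InheritDesc = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

foreach ($ouDn in $delegations.Keys) {
    $group = Get-ADGroup -Identity $delegations[$ouDn]
    $sid   = [System.Security.Principal.SecurityIdentifier] $group.SID.Value
    $acl   = Get-Acl -Path "AD:\$ouDn" -Audit          # -Audit loads the SACL too

    # 1. The group may create and delete objects in this OU and any sub-OU ...
    $createDelete = [System.DirectoryServices.ActiveDirectoryRights] "CreateChild, DeleteChild"
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $sid, $createDelete, $Allow, $InheritAll))

    # 2. ... and gets full control of the objects beneath it, but NOT of the OU
    #    itself, so it cannot rewrite this delegation or reach the other OU.
    $full = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $sid, $full, $Allow, $InheritDesc))

    # 3. SACL: audit successful writes by anyone. Together with the "Directory
    #    Service Changes" subcategory this produces events 5136 (modified),
    #    5137 (created), 5139 (moved) and 5141 (deleted).
    $everyone = [System.Security.Principal.SecurityIdentifier] "S-1-1-0"
    $writes   = [System.DirectoryServices.ActiveDirectoryRights] `
        "WriteProperty, CreateChild, DeleteChild, Delete, DeleteTree, WriteDacl, WriteOwner"
    $acl.AddAuditRule((New-Object System.DirectoryServices.ActiveDirectoryAuditRule `
        -ArgumentList $everyone, $writes, $Success, $InheritAll))

    # The ACL is an attribute of the OU object, so it replicates to every DC.
    Set-Acl -Path "AD:\$ouDn" -AclObject $acl
}

# The audit POLICY is per machine and does not replicate: enable the subcategory
# on every DC (in production via the Default Domain Controllers Policy GPO).
foreach ($dc in $domainControllers) {
    Invoke-Command -ComputerName $dc -ScriptBlock {
        auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable
    }
}

# A DS change is logged only on the DC that processed the write; the replicated
# copy on the other DC is not audited as a change. So query each DC's Security
# log rather than only the first DC that was promoted.
foreach ($dc in $domainControllers) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5139, 5141 } -MaxEvents 20 |
        Select-Object MachineName, TimeCreated, Id, Message
}
```

Two points worth checking after running it: members of Domain Admins, Enterprise Admins and Account Operators are not limited by these ACEs, so the departments' application service accounts must not be in those groups for the delegation to mean anything; and if Dep2's application still binds to Dep1-DC (for example by using the domain name rather than a specific DC), its changes will keep appearing in Dep1-DC's log, which is the behaviour observed in the question. On Windows Server 2008 without the ActiveDirectory module, dsacls.exe applies the same DACL and SACL entries from the command line.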
