Separate Administration and User Directory Practice
Hi,

You have probably had a problem in which there are a variety of servers, devices and services (Directory, App, DB, Mail, etc.) to manage (call it the administration case), plus users who use some of those front services for the business (call it the user case). I think each domain, either user case or admin case, has some special concerns which might be best handled separately.

Security-wise, I was thinking it should be good practice to isolate the authentication infrastructure of the administration case from the authentication infrastructure of the user case, which means having 2 directory services as Auth DBs, one for administrators and a second for users. Windows servers and application servers use the Admin Auth DB as authentication provider; business applications, Windows workstations, office automation, the portal and the mail service use the User Auth DB as authentication provider. Also, in the PKI infrastructure back-end, doing the same in all the roles, except the root CA.

This way I think we could apply specific concerns and efforts to each of the authentication infrastructure domains separately, which gives manageability, security and special availability. I want to know your opinion about this architecture/approach.

Cheers
June 11th, 2010 10:33am

This topic is archived. No further replies will be accepted.
