I agree with the multiple domain trees. This is actually the proper way to distribute LDAP. Actually, this is how LDAP was designed. LDAP was made to define global location, regional locations, local locations, and then domain extension, domain, then finally uid. This makes having non-unique users in separate branches possible. Just my two cents. Gene