Solved

WSUS on a DC

Posted on 2010-11-11
Last Modified: 2012-05-10
I know it's not best practice to install WSUS on a DC, and I've read conflicting opinions on the subject, ranging from "it's fine" to "don't do it".

Here's my question.  When installing WSUS you need to install IIS.  Is that the main reason it's ill-advised to run WSUS on a DC?  If so, since it's not a public-facing web server, does that decrease your vulnerability?  I realize that IIS can increase your attack surface, but wouldn't that be mostly for public-facing web servers, where they would then be connecting to the box and could compromise your security database?

I'm just trying to dig a bit deeper into the topic.  Thanks in advance for your thoughts.
Question by: Kram80
3 Comments
 
Accepted Solution

by: jakethecatuk (earned 42 total points)
ID: 34113132
Microsoft's view of the world is nothing is installed on a DC.  They will accept DNS and DHCP, but nothing else.  Obviously SBS bends this rule - but it's Microsoft's rule to bend.

The main reason is recoverability of the server if it goes TU.  If it's only doing AD (and maybe DNS and DHCP), recovery is simple and straightforward.

I've never done it - I'd rather run my DC on a couple of old PCs in the corner.
 
Assisted Solution

by: Mike Kline (earned 42 total points)
ID: 34113159
Any box that is only on the internal network will be safer than a public box so in that sense yes.

In general, the reasons not to put other apps on a DC are performance (the other app can take resources), uptime (the box may need to be rebooted more often due to the app), and another security issue is what if the WSUS admins are different from your DAs... now they need access to the server/DC.

Thanks

Mike
 
Assisted Solution

by: TheMetalicOne (earned 41 total points)
ID: 34115464
There are a lot of best practices out there.  WSUS on a DC is not one of them, but best practices are generally based on ideal scenarios and environments too.  SBS bends the rules because in a 10-user environment it isn't reasonable to expect a client to put in a second box.

Many of the things you ask about really come down to a single question:  How many users are you serving up?

If your DC and WSUS are taking care of less than 100 users, then there is probably only one IT guy as well, so the DC administrator is also the same guy as the WSUS admin.  The box is inside your network, so as long as your LAN is secure, my concern with doing this is minimal.  The performance hit to your DC won't be significant enough to worry about.  Schedule your update grabs for the middle of the night and do your updates at night too.  WSUS will be idle for the rest of the time for the most part.  Go for it!

If, however, you are handling thousands of users, then that changes the story, and putting your WSUS on a DC is not a good idea for security and performance reasons: even though your server is inside, you still have thousands of users to worry about bringing a bug in on you (or just getting curious).  Not only that, but then you need a bit more processor to handle all the requests.

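As an added check, not code from anyone in this thread, the following PowerShell script audits the co-location the answers discuss: it reports whether the local server is a domain controller, whether the IIS and WSUS roles are installed beside AD DS, and, if they are, who currently holds Domain Admins (Mike Kline's point: on a DC there is no separate local Administrators group, so a WSUS admin given server access is given domain-wide rights). It assumes Windows Server 2008 R2 or later with the ServerManager module and, optionally, the ActiveDirectory module; the feature names are the standard Get-WindowsFeature names.

```powershell
# Added audit script (not from the thread). Flags a domain controller that also
# hosts IIS and/or WSUS. Assumes Windows Server 2008 R2 or later; run elevated.
Import-Module ServerManager

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
$cs   = Get-WmiObject -Class Win32_ComputerSystem
$isDC = $cs.DomainRole -ge 4

# Feature names as reported by Get-WindowsFeature
$roles = @{
    'AD-Domain-Services' = 'Active Directory Domain Services'
    'Web-Server'         = 'IIS (Web Server)'
    'UpdateServices'     = 'WSUS'
}

$installed = Get-WindowsFeature | Where-Object { $_.Installed } |
             Select-Object -ExpandProperty Name

Write-Host ("{0}: DomainRole={1} IsDC={2}" -f $cs.Name, $cs.DomainRole, $isDC)
$colocated = $false
foreach ($name in $roles.Keys) {
    $present = $installed -contains $name
    $state   = if ($present) { 'installed' } else { 'absent' }
    Write-Host ("  {0,-35} {1}" -f $roles[$name], $state)
    if ($isDC -and $present -and $name -ne 'AD-Domain-Services') { $colocated = $true }
}

if ($colocated) {
    Write-Warning ('This DC also hosts IIS/WSUS: larger attack surface, harder recovery, ' +
                   'and whoever administers WSUS here is administering a DC.')
    # Membership in Administrators on a DC is domain-wide, so WSUS admins who need
    # server-level access end up with domain-level rights. List who has them today.
    Import-Module ActiveDirectory -ErrorAction SilentlyContinue
    if (Get-Command Get-ADGroupMember -ErrorAction SilentlyContinue) {
        Write-Host 'Domain Admins members:'
        Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
            ForEach-Object { Write-Host "  $($_.SamAccountName)" }
    }
}
```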