Solved

WSUS on a DC

Posted on 2010-11-11
3
622 Views
Last Modified: 2012-05-10
I know it's not best practice to install WSUS on a DC, and I've read conflicting opinions on the subject ranging from it's fine to don't do it.

Here's my question.  When installing WSUS you need to install IIS.  Is that the main reason it's ill-advised to run WSUS on a DC?  If so, since it's not a public facing web server, does that decrease your vulnerability?  I realize that IIS can increase your attack surface, but wouldn't that be mostly for public facing web servers?  Where they would then be connecting to the box and could compromise your security database?

I'm just trying to dig a bit deeper into the topic.  Thanks in advance for your thoughts.
0
Comment
Question by:Kram80
3 Comments
 
LVL 23

Accepted Solution

by:
jakethecatuk earned 42 total points
ID: 34113132
Microsoft's view of the world is nothing is installed on a DC.  They will accept DNS and DHCP, but nothing else.  Obviously SBS bends this rule - but it's Microsoft's rule to bend.

The main reason is recoverability of the server if it goes TU.  If it's only doing AD (and maybe DNS and DHCP), recovery is simple and straight forward.

I've never done it - I'd rather run my DC on a couple of old PC's in the corner.
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 42 total points
ID: 34113159
Any box that is only on the internal network will be safer than a public box so in that sense yes.

In general the reasons not to put other apps on a DC are for performance (other app can take resources), uptime (box may need to be ore often due to the app) and another security issue is what if the WSUS admins are different from your DA...now they need access to the server/DC.

Thanks

Mike
0
 
LVL 5

Assisted Solution

by:TheMetalicOne
TheMetalicOne earned 41 total points
ID: 34115464
There are a lot of best practices out there.  WSUS on a DC is not one of them, but, best practices are generally based on ideal scenarios and environments too.  SBS bends the rules because in a 10 user environment it isnt reasonable to expect a client to put in a second box.

Many of the things you ask about really come down to a single question:  How many users are you serving up?  

If your DC and WSUS are taking care of less than 100 users then there is probably only one IT guy as well, so the DC administrator is also the same guy as the WSUS admin.  The box is inside your network so as long as your lan is secure, my concern with doing this is minimal.   The performance hit to your DC wont be significant enough to worry about.  Schedule your update grabs for the middle of the night and do your updates at night too.  WSUS will be idle for the rest of the time for the most part. Go for it!

IF however your are handling thousands of users, then that changes the story and putting your WSUS on a DC is not a good idea for security and performance issues as even though your server is inside, you still have thousands of users to worry about bringing a bug in on you (or just getting curious),  Not only that, but then you need a bit more processor to handle all the requests.

0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Join & Write a Comment

Have you considered what group policies are backwards and forwards compatible? Windows Active Directory servers and clients use group policy templates to deploy sets of policies within your domain. But, there is a catch to deploying policies. The…
Mapping Drives using Group policy preferences Are you still using old scripts to map your network drives if so this article will show you how to get away for old scripts and move toward Group Policy Preference for mapping them. First things f…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now