Solved

WSUS on a DC

Posted on 2010-11-11
3
627 Views
Last Modified: 2012-05-10
I know it's not best practice to install WSUS on a DC, and I've read conflicting opinions on the subject ranging from it's fine to don't do it.

Here's my question.  When installing WSUS you need to install IIS.  Is that the main reason it's ill-advised to run WSUS on a DC?  If so, since it's not a public facing web server, does that decrease your vulnerability?  I realize that IIS can increase your attack surface, but wouldn't that be mostly for public facing web servers?  Where they would then be connecting to the box and could compromise your security database?

I'm just trying to dig a bit deeper into the topic.  Thanks in advance for your thoughts.
0
Comment
Question by:Kram80
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 23

Accepted Solution

by:
jakethecatuk earned 42 total points
ID: 34113132
Microsoft's view of the world is nothing is installed on a DC.  They will accept DNS and DHCP, but nothing else.  Obviously SBS bends this rule - but it's Microsoft's rule to bend.

The main reason is recoverability of the server if it goes TU.  If it's only doing AD (and maybe DNS and DHCP), recovery is simple and straight forward.

I've never done it - I'd rather run my DC on a couple of old PC's in the corner.
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 42 total points
ID: 34113159
Any box that is only on the internal network will be safer than a public box so in that sense yes.

In general the reasons not to put other apps on a DC are for performance (other app can take resources), uptime (box may need to be ore often due to the app) and another security issue is what if the WSUS admins are different from your DA...now they need access to the server/DC.

Thanks

Mike
0
 
LVL 5

Assisted Solution

by:TheMetalicOne
TheMetalicOne earned 41 total points
ID: 34115464
There are a lot of best practices out there.  WSUS on a DC is not one of them, but, best practices are generally based on ideal scenarios and environments too.  SBS bends the rules because in a 10 user environment it isnt reasonable to expect a client to put in a second box.

Many of the things you ask about really come down to a single question:  How many users are you serving up?  

If your DC and WSUS are taking care of less than 100 users then there is probably only one IT guy as well, so the DC administrator is also the same guy as the WSUS admin.  The box is inside your network so as long as your lan is secure, my concern with doing this is minimal.   The performance hit to your DC wont be significant enough to worry about.  Schedule your update grabs for the middle of the night and do your updates at night too.  WSUS will be idle for the rest of the time for the most part. Go for it!

IF however your are handling thousands of users, then that changes the story and putting your WSUS on a DC is not a good idea for security and performance issues as even though your server is inside, you still have thousands of users to worry about bringing a bug in on you (or just getting curious),  Not only that, but then you need a bit more processor to handle all the requests.

0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Here's a look at newsworthy articles and community happenings during the last month.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question