WSUS on a DC

I know it's not best practice to install WSUS on a DC, and I've read conflicting opinions on the subject, ranging from "it's fine" to "don't do it."

Here's my question. When installing WSUS you need to install IIS. Is that the main reason it's ill-advised to run WSUS on a DC? If so, since it's not a public-facing web server, does that decrease your vulnerability? I realize that IIS can increase your attack surface, but wouldn't that be mostly for public-facing web servers, where they would then be connecting to the box and could compromise your security database?

I'm just trying to dig a bit deeper into the topic. Thanks in advance for your thoughts.
Asked: Kram80

3 Solutions
jakethecatuk commented:
Microsoft's view of the world is nothing is installed on a DC. They will accept DNS and DHCP, but nothing else. Obviously SBS bends this rule - but it's Microsoft's rule to bend.

The main reason is recoverability of the server if it goes TU. If it's only doing AD (and maybe DNS and DHCP), recovery is simple and straightforward.

I've never done it - I'd rather run my DC on a couple of old PCs in the corner.
Mike Kline commented:
Any box that is only on the internal network will be safer than a public box so in that sense yes.

In general the reasons not to put other apps on a DC are performance (the other app can take resources), uptime (the box may need to be more often due to the app), and another security issue is what if the WSUS admins are different from your DAs... now they need access to the server/DC.

Thanks

Mike

TheMetalicOne commented:
There are a lot of best practices out there. WSUS on a DC is not one of them, but best practices are generally based on ideal scenarios and environments too. SBS bends the rules because in a 10-user environment it isn't reasonable to expect a client to put in a second box.

Many of the things you ask about really come down to a single question: How many users are you serving up?

If your DC and WSUS are taking care of fewer than 100 users then there is probably only one IT guy as well, so the DC administrator is also the same guy as the WSUS admin. The box is inside your network, so as long as your LAN is secure, my concern with doing this is minimal. The performance hit to your DC won't be significant enough to worry about. Schedule your update grabs for the middle of the night and do your updates at night too. WSUS will be idle for the rest of the time for the most part. Go for it!

If, however, you are handling thousands of users, then that changes the story, and putting your WSUS on a DC is not a good idea for security and performance reasons: even though your server is inside, you still have thousands of users to worry about bringing a bug in on you (or just getting curious). Not only that, but then you need a bit more processor to handle all the requests.