
WSUS on a DC

Posted on 2010-11-11
Last Modified: 2012-05-10
I know it's not best practice to install WSUS on a DC, and I've read conflicting opinions on the subject ranging from it's fine to don't do it.

Here's my question.  When installing WSUS you need to install IIS.  Is that the main reason it's ill-advised to run WSUS on a DC?  If so, since it's not a public facing web server, does that decrease your vulnerability?  I realize that IIS can increase your attack surface, but wouldn't that be mostly for public facing web servers?  Where they would then be connecting to the box and could compromise your security database?

I'm just trying to dig a bit deeper into the topic.  Thanks in advance for your thoughts.
Question by:Kram80
3 Comments
 
LVL 23

Accepted Solution

by:
jakethecatuk earned 168 total points
ID: 34113132
Microsoft's view of the world is nothing is installed on a DC.  They will accept DNS and DHCP, but nothing else.  Obviously SBS bends this rule - but it's Microsoft's rule to bend.

The main reason is recoverability of the server if it goes TU.  If it's only doing AD (and maybe DNS and DHCP), recovery is simple and straightforward.

I've never done it - I'd rather run my DC on a couple of old PCs in the corner.
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 168 total points
ID: 34113159
Any box that is only on the internal network will be safer than a public box so in that sense yes.

In general the reasons not to put other apps on a DC are for performance (other app can take resources), uptime (box may need to be more often due to the app) and another security issue is what if the WSUS admins are different from your DA...now they need access to the server/DC.

Thanks

Mike
 
LVL 5

Assisted Solution

by:TheMetalicOne
TheMetalicOne earned 164 total points
ID: 34115464
There are a lot of best practices out there.  WSUS on a DC is not one of them, but best practices are generally based on ideal scenarios and environments too.  SBS bends the rules because in a 10 user environment it isn't reasonable to expect a client to put in a second box.

Many of the things you ask about really come down to a single question:  How many users are you serving up?  

If your DC and WSUS are taking care of less than 100 users then there is probably only one IT guy as well, so the DC administrator is also the same guy as the WSUS admin.  The box is inside your network so as long as your LAN is secure, my concern with doing this is minimal.   The performance hit to your DC won't be significant enough to worry about.  Schedule your update grabs for the middle of the night and do your updates at night too.  WSUS will be idle for the rest of the time for the most part. Go for it!

If, however, you are handling thousands of users, then that changes the story and putting your WSUS on a DC is not a good idea for security and performance issues as even though your server is inside, you still have thousands of users to worry about bringing a bug in on you (or just getting curious).  Not only that, but then you need a bit more processor to handle all the requests.
