I know it's not best practice to install WSUS on a DC, and I've read conflicting opinions on the subject, ranging from "it's fine" to "don't do it."
Here's my question. When installing WSUS, you need to install IIS. Is that the main reason it's ill-advised to run WSUS on a DC? If so, since it's not a public-facing web server, does that decrease your vulnerability? I realize that IIS can increase your attack surface, but wouldn't that mostly be the case for public-facing web servers, where they would then be connecting to the box and could compromise your security database?
I'm just trying to dig a bit deeper into the topic. Thanks in advance for your thoughts.