

WSUS on server 2012 DC . . . .

Posted on 2014-08-19
Medium Priority
Last Modified: 2016-02-20
I have deployed a few Server 2012 installations now and have WSUS running on 2 of them. On a more recent install I paid more attention to the BPA results and saw that WSUS should not be installed on a DC !!!! Previous to 2012 I used to deploy SBS2003 and SBS2008 with WSUS all over the place as a standard install - all passed the BPA with no problem.

Is this a reality or more positioning on Microsoft's part, similar to 'don't install SQL on a domain controller' - which is really a warning for when the server is supporting a large number of users rather than typical SBS type installations with say 10 users?

Would like to know if WSUS on a DC is a real no-no and what happens if you do ??? So should I really uninstall my existing WSUS installations?

Question by:TrevorWhite

Assisted Solution

stu29 earned 2000 total points
ID: 40270419

This is more of an "opinion" than anything else.  If you want to stick to strict security practices then you should not install anything on your DC except essential services as any other services will expand the attack vector.  Thus ..... if you install WSUS on your DC then you install all the added components (IIS etc) which usually is not a preference on a DC.

That being said .... if you take the appropriate compensating measures to minimize the risk of attack then there is nothing to stop you running WSUS on your DC.

In one of my small domains I run WSUS on my DC as having another server does not make any sense, but the segment is secure.  In my larger domains I would not run this (or any other non-essential services) on my DC.

Hope this helps


Author Comment

ID: 40270620
Hi Stu
Thanks for your time with this, I thought this was the background but MS seem to state it a bit more strongly than you suggest here http://technet.microsoft.com/en-us/library/ff646928(WS.10).aspx

Any comment ???


Accepted Solution

stu29 earned 2000 total points
ID: 40270827
I have been running WSUS on my DC for over a year now with no issues or access problems.  That article also refers to server 2003 all the way through .. and I have run WSUS on all of those versions at different times :-)

One caveat though ... I never upgrade DCs, but rather replace them ... so I don't know if you would see any issues at that point.  And upgrading WSUS .. they do not release newer versions of this very often, so upgrading this product should not be a huge issue.

Microsoft will always cover their behinds with articles like this.  It means that they do not have to support you in this situation.  So if you rely on M$ support then I would think twice about installing WSUS on your DC.  If you do not then I think you will be OK (see security issue above).  Worst case scenario .. if at some point down the line you feel less comfortable you can always migrate the WSUS install to another server (http://www.tekronin.net/2014/02/07/migrating-wsus-3-2-to-windows-server-2012-r2/).  

Good luck!

Author Comment

ID: 40270981
Thanks Stu,
Yes I think you are right, I have had much the same experience. I just thought that perhaps some of the occasional instabilities one sees (WSUS 3 clean-ups freezing for instance) may have finally been traced to some issue related to being on a DC.

I think I'll stick with it (and leave this new server with WSUS) and keep an eye on event logs etc.

