WSUS on server 2012 DC . . . .

Posted on 2014-08-19
Last Modified: 2016-02-20
I have deployed a few Server 2012 installations now and have WSUS running on 2 of them. On a more recent install I paid more attention to the BPA results and saw that WSUS should not be installed on a DC !!!! Previous to 2012 I used to deploy SBS2003 and SBS2008 with WSUS all over the place as standard install - all passed the BPA with no problem.

Is this a reality or more positioning on Microsoft's part, similar to 'don't install SQL on a domain controller' - which is really a warning for when the server is supporting a large number of users rather than typical SBS type installations with say 10 users.

Would like to know if WSUS on a DC is a real No-no and what happens if you do ??? So should I really uninstall my existing WSUS installations?

Question by:TrevorWhite

    Assisted Solution


    This is more of an "opinion" than anything else.  If you want to stick to strict security practices then you should not install anything on your DC except essential services as any other services will expand the attack vector.  Thus ..... if you install WSUS on your DC then you install all the added components (IIS etc) which usually is not a preference on a DC.

    That being said .... if you take the appropriate compensating measures to minimize the risk of attack then there is nothing to stop you running WSUS on your DC.

    In one of my small Domains I run WSUS on my DC as having another server does not make any sense, but the segment is secure.  In my larger domains then I would not run this (or any other non-essential services) on my DC.

    Hope this helps


    Author Comment

    Hi Stu
    Thanks for your time with this, I thought this was the background but MS seem to state it a bit more strongly than you suggest here

    Any comment ???


    Accepted Solution

    I have been running WSUS on my DC for over a year now with no issues or access problems.  That article also refers to server 2003 all the way through .. and I have run WSUS on all of those versions at different times :-)

    One caveat though ... I never upgrade DCs, but rather replace them ... so I don't know if you would see any issues at that point.  And upgrading WSUS .. they do not release newer versions of this very often, so upgrading this product should not be a huge issue.

    Microsoft will always cover their behinds with articles like this.  It means that they do not have to support you in this situation.  So if you rely on M$ support then I would think twice about installing WSUS on your DC.  If you do not then I think you will be OK (see security issue above).  Worst case scenario .. if at some point down the line you feel less comfortable you can always migrate the WSUS install to another server (  

    Good luck!

    Author Comment

    Thanks Stu,
    Yes I think you are right, I have had much the same experience. It's just I thought that perhaps some of the occasional instabilities one sees (WSUS 3 clean-ups freezing for instance) may have finally been traced to some issue related to being on a DC.

    I think I'll stick with it (and leave this new server with WSUS) and keep an eye on event logs etc.

