Solved

Best practices to update DC's from WSUS

Posted on 2014-10-20
Last Modified: 2016-02-20
I'm looking for standard best practices for updating Windows 2008 R2 and 2012 R2 domain controllers using WSUS. We have a dedicated WSUS VM server, so we are not installing WSUS on a DC. So far, as a best practice, we are staggering the WSUS updating of our DCs to once a week, on the weekend at 3:00am, with a reboot 15 minutes after update install.

Are there any other best practices that should be followed? Such as not installing updates to DCs through WSUS at all and instead updating manually? Etc., etc.
Question by:nurturer69
5 Comments
LVL 34

Expert Comment

by:Seth Simmons
ID: 40392610
I would update manually unless you have a large environment where domain controllers are not in the same OU.
If they are all in the same OU, do it manually, since using a GPO would cause them all to update at the same time; then you have an issue if they are all in the reboot process.
LVL 54

Expert Comment

by:McKnife
ID: 40392626
DCs should be updated as soon as patches are out, if security matters.
They should not be updated at the same time, correct. And if you don't trust the update process, update them on different days (one half immediately, the other half on the next day). I see no reasons to update manually.

Author Comment

by:nurturer69
ID: 40392793
The plan was to move the DCs one per week, from a Critical Servers management group (which was not configured to receive updates) to the Windows 2012 R2 management group, which was configured via GPO to receive updates. A simple right-click, left-click step to move one DC a week. Then, return the DC back to its benign Critical Servers group after the update had completed the following Monday morning.

Author Comment

by:nurturer69
ID: 40392812
I forgot to mention that in the Group Policy Management Editor of each DC, I found a GPO configured at the top of the AD tree, attached to the domain name, with "Configure Automatic Updates" disabled. As the description reads: "Specifies whether THIS computer will receive security updates and other important downloads through the Windows automatic updating service."

So, I believe this GPO was created to prevent WSUS from updating the DCs, hence the "Never check for updates (Not recommended)" option being grayed out.

I'm also for updating the DCs via WSUS in a staggered fashion, but I wanted to see if there was a preferred best method amongst the experts.
LVL 54

Accepted Solution

by:McKnife (earned 500 total points)
ID: 40392816
You don't move objects around. Use security filtering instead.
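As an added example (not from the thread or any of its posters), this is one way to implement the accepted answer in PowerShell: one WSUS GPO linked at the Domain Controllers OU, with security filtering switched between two DC groups each week so the DCs are patched in halves without moving computer objects. It assumes RSAT on the management host; the GPO name, group names, WSUS URL and the Sunday 03:00 schedule are placeholders matching the question.

```powershell
# Added example, not the thread's own script. Placeholder names below are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'WSUS-DC-Staggered'                 # hypothetical GPO name
$waves   = 'WSUS-DC-Wave1', 'WSUS-DC-Wave2'    # hypothetical security groups
$domain  = Get-ADDomain
$wuKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey   = "$wuKey\AU"

# 1. One GPO linked at the Domain Controllers OU. An OU link outranks the domain-level
#    GPO that disables "Configure Automatic Updates" (unless that GPO is Enforced),
#    so the DCs get this policy without touching the domain-level one.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $gpoName | Out-Null }
New-GPLink -Name $gpoName -Target $domain.DomainControllersContainer -ErrorAction SilentlyContinue | Out-Null

# 2. Point at the dedicated WSUS server (placeholder URL) and schedule installs:
#    AUOptions 4 = auto download and scheduled install; day 1 = Sunday; hour 3 = 03:00.
Set-GPRegistryValue -Name $gpoName -Key $wuKey -ValueName 'WUServer'       -Type String -Value 'http://WSUS-SERVER:8530' | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $wuKey -ValueName 'WUStatusServer' -Type String -Value 'http://WSUS-SERVER:8530' | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'UseWUServer'          -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'NoAutoUpdate'         -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'AUOptions'            -Type DWord -Value 4 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'ScheduledInstallDay'  -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'ScheduledInstallTime' -Type DWord -Value 3 | Out-Null

# 3. Security filtering: Authenticated Users keep Read only (so the GPO stays readable
#    during processing) and lose Apply; only the active wave group gets Apply.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
foreach ($g in $waves) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $domain.UsersContainer | Out-Null
    }
}

# Split the DCs into two halves, as the second expert suggested.
$dcs  = @(Get-ADDomainController -Filter * | Sort-Object Name)
$half = [math]::Ceiling($dcs.Count / 2)
Add-ADGroupMember -Identity $waves[0] -Members ($dcs[0..($half - 1)] | ForEach-Object { $_.ComputerObjectDN })
if ($dcs.Count -gt $half) {
    Add-ADGroupMember -Identity $waves[1] -Members ($dcs[$half..($dcs.Count - 1)] | ForEach-Object { $_.ComputerObjectDN })
}

# Run weekly: the named wave gets Apply, the other is dropped back to Read.
function Set-DCPatchWave {
    param([Parameter(Mandatory = $true)][string]$Wave)
    foreach ($g in $waves) {
        $level = if ($g -eq $Wave) { 'GpoApply' } else { 'GpoRead' }
        Set-GPPermission -Name $gpoName -TargetName $g -TargetType Group -PermissionLevel $level -Replace | Out-Null
    }
}
Set-DCPatchWave -Wave $waves[0]   # next weekend: Set-DCPatchWave -Wave $waves[1]
```

Verify the result on a DC with `gpresult /r /scope computer` after `gpupdate /force`: the GPO should be listed as applied only on the DCs in the active wave, and filtered out (security) on the others.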
