?
Solved

Best practices to update DC's from WSUS

Posted on 2014-10-20
5
Medium Priority
?
783 Views
Last Modified: 2016-02-20
I'm looking for standard best practices for updating Windows 2008 R2 and 2012 R2 domain controllers using WSUS. We have a dedicated WSUS VM server, so we are not installing WSUS on a DC. So far, as a best practice, we are staggering the WSUS updating to our DC's to once a week, on the weekend in at 3:00am, with a reboot 15 minutes after update install.

Are there any other best practices that should be followed? Such as, not installing updates to DC's through WSUS at all, instead, update manually? Etc., etc.
0
Comment
Question by:nurturer69
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40392610
i would update manually unless you have a large environment where domain controllers are not in the same OU
if they are all in the same OU, do it manually since using a GPO would cause them all to update at the same time then you have issue if they are all in the reboot process
0
 
LVL 56

Expert Comment

by:McKnife
ID: 40392626
DC should be updated as soon as patches are out, if security matters.
They should not be updated at the same time, correct. And if you don't trust the update process, update them on different days (one half immediately, the other half on the next day). I see no reasons to update manually.
0
 

Author Comment

by:nurturer69
ID: 40392793
The plan was to move the DC's one per week, from a Critical Servers management group (which was not configured to receive updates) to the Windows 2012 R2 management group, which was configured via GPO to receive updates. A simple right-click, left-click step to move one DC a week. Then, return the DC back to it's benign Critical Servers group after the update had completed the following Monday morning.
0
 

Author Comment

by:nurturer69
ID: 40392812
I forgot to mention, that in the Group Policy Management Editor of each DC, I found a GPO configured at the top of the AD tree attached to the domain name with "Configure Automatic Updates" disabled. As the description reads: "Specifies whether THIS computer will receive security updates and other important downloads through the Windows automatic updating service."

So, I believe this GPO was created to prevent WSUS from updating the DC's, hence the grayed out portion of the "Never check for updates (Not recommended)" being grayed out.

I'm also for updating the DC's via WSUS in a staggered fashion, but I wanted to see if there was a preferred best method amongst the experts.
0
 
LVL 56

Accepted Solution

by:
McKnife earned 1500 total points
ID: 40392816
You don't move objects around. Use security filtering instead.
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Issue: One Windows 2008 R2 64bit server on the network unable to connect to a buffalo Device (Linkstation) with firmware version 1.56. There are a total of four servers on the network this being one of them. Troubleshooting Steps: Connect via h…
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
Suggested Courses
Course of the Month12 days, 9 hours left to enroll

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question