I'm looking for standard best practices for updating Windows 2008 R2 and 2012 R2 domain controllers using WSUS. We have a dedicated WSUS VM server, so we are not installing WSUS on a DC. So far, as a best practice, we are staggering the WSUS updating to our DC's to once a week, on the weekend in at 3:00am, with a reboot 15 minutes after update install.
Are there any other best practices that should be followed? Such as, not installing updates to DC's through WSUS at all, instead, update manually? Etc., etc.