Solved

Best practices to update DC's from WSUS

Posted on 2014-10-20
Last Modified: 2016-02-20
I'm looking for standard best practices for updating Windows 2008 R2 and 2012 R2 domain controllers using WSUS. We have a dedicated WSUS VM server, so we are not installing WSUS on a DC. So far, as a best practice, we are staggering the WSUS updating to our DC's to once a week, on the weekend at 3:00am, with a reboot 15 minutes after update install.

Are there any other best practices that should be followed? Such as, not installing updates to DC's through WSUS at all, instead, update manually? Etc., etc.
0
Question by:nurturer69
5 Comments
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40392610
I would update manually unless you have a large environment where domain controllers are not in the same OU.
If they are all in the same OU, do it manually, since using a GPO would cause them all to update at the same time; then you have an issue if they are all in the reboot process.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40392626
DCs should be updated as soon as patches are out, if security matters.
They should not be updated at the same time, correct. And if you don't trust the update process, update them on different days (one half immediately, the other half on the next day). I see no reasons to update manually.
0
 

Author Comment

by:nurturer69
ID: 40392793
The plan was to move the DC's one per week, from a Critical Servers management group (which was not configured to receive updates) to the Windows 2012 R2 management group, which was configured via GPO to receive updates. A simple right-click, left-click step to move one DC a week. Then, return the DC back to its benign Critical Servers group after the update had completed the following Monday morning.
0
 

Author Comment

by:nurturer69
ID: 40392812
I forgot to mention that in the Group Policy Management Editor of each DC, I found a GPO configured at the top of the AD tree attached to the domain name with "Configure Automatic Updates" disabled. As the description reads: "Specifies whether THIS computer will receive security updates and other important downloads through the Windows automatic updating service."

So, I believe this GPO was created to prevent WSUS from updating the DC's, hence the "Never check for updates (Not recommended)" portion being grayed out.

I'm also for updating the DC's via WSUS in a staggered fashion, but I wanted to see if there was a preferred best method amongst the experts.
0
 
LVL 53

Accepted Solution

by:
McKnife earned 500 total points
ID: 40392816
You don't move objects around. Use security filtering instead.
0
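
The security-filtering approach from the accepted answer, as an added PowerShell example that is not part of the original thread: the DC objects stay in place, and each of two WSUS GPOs applies only to its own wave group. The GPO names and the `WSUS-DC-Wave` group names are hypothetical, and the GPOs are assumed to exist already with different scheduled install days.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example. Hypothetical names: the two GPOs and the WSUS-DC-Wave groups.
# Assumes each GPO already exists, is linked to the Domain Controllers OU, and
# carries the WSUS settings with a different scheduled install day per wave.
$waveGpos = [ordered]@{
    'WSUS-DC-Wave1' = 'WSUS - DC Updates (Saturday)'
    'WSUS-DC-Wave2' = 'WSUS - DC Updates (Sunday)'
}
$groupNames = @($waveGpos.Keys)

# Create one security group per wave if it is missing.
foreach ($groupName in $groupNames) {
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
        New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
    }
}

# DCs that already sit in a wave keep their assignment (safe to re-run).
$assigned = @(foreach ($groupName in $groupNames) {
    (Get-ADGroupMember -Identity $groupName).distinguishedName
})

# Spread the remaining DCs round-robin across the waves.
$dcs = @(Get-ADDomainController -Filter * | Sort-Object Name)
for ($i = 0; $i -lt $dcs.Count; $i++) {
    $dn = $dcs[$i].ComputerObjectDN
    if ($assigned -contains $dn) { continue }
    Add-ADGroupMember -Identity $groupNames[$i % $groupNames.Count] -Members $dn
}

foreach ($groupName in $groupNames) {
    $gpo = $waveGpos[$groupName]
    # Only the wave group gets Read + Apply on its GPO.
    Set-GPPermission -Name $gpo -TargetName $groupName -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    # Authenticated Users drops from Apply to Read so the policy stays readable
    # by computers but no longer applies to every DC in the OU.
    Set-GPPermission -Name $gpo -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
}

# Report which DCs land in which patch wave.
foreach ($groupName in $groupNames) {
    [pscustomobject]@{
        Gpo   = $waveGpos[$groupName]
        Group = $groupName
        DCs   = (Get-ADGroupMember -Identity $groupName).Name -join ', '
    }
}
```

A DC only picks up a new group membership after it restarts or renews its Kerberos tickets, so populate the groups before the first patch window rather than during it.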
