Best practices to update DC's from WSUS

I'm looking for standard best practices for updating Windows 2008 R2 and 2012 R2 domain controllers using WSUS. We have a dedicated WSUS VM server, so we are not installing WSUS on a DC. So far, as a best practice, we are staggering the WSUS updating of our DCs to once a week, on the weekend at 3:00 a.m., with a reboot 15 minutes after the update install.

Are there any other best practices that should be followed? Such as not installing updates to DCs through WSUS at all and instead updating manually? Etc.
Asked by nurturer69
Seth Simmons (Sr. Systems Administrator) commented:
I would update manually unless you have a large environment where domain controllers are not in the same OU.
If they are all in the same OU, do it manually, since using a GPO would cause them all to update at the same time; then you have an issue if they are all in the reboot process.
McKnife commented:
DC should be updated as soon as patches are out, if security matters.
They should not be updated at the same time, correct. And if you don't trust the update process, update them on different days (one half immediately, the other half on the next day). I see no reasons to update manually.
nurturer69 (Author) commented:
The plan was to move the DCs one per week from a Critical Servers management group (which was not configured to receive updates) to the Windows 2012 R2 management group, which was configured via GPO to receive updates. A simple right-click, left-click step to move one DC a week. Then, return the DC to its benign Critical Servers group after the update had completed the following Monday morning.

nurturer69 (Author) commented:
I forgot to mention that in the Group Policy Management Editor of each DC, I found a GPO configured at the top of the AD tree, attached to the domain name, with "Configure Automatic Updates" disabled. As the description reads: "Specifies whether THIS computer will receive security updates and other important downloads through the Windows automatic updating service."

So, I believe this GPO was created to prevent WSUS from updating the DCs, hence the "Never check for updates (Not recommended)" option being grayed out.

I'm also for updating the DCs via WSUS in a staggered fashion, but I wanted to see if there was a preferred best method amongst the experts.
McKnife commented:
You don't move objects around. Use security filtering instead.
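The following is an added example, not code from the thread or from any participant, showing how to build the staggered WSUS rollout McKnife describes (two halves on consecutive days) with security filtering instead of moving DC objects between groups or OUs. It assumes the GroupPolicy and ActiveDirectory RSAT modules on a management host, a WSUS server at the hypothetical URL https://wsus.corp.example:8531, and that a GPO linked at the Domain Controllers OU will win over the domain-level "Configure Automatic Updates: Disabled" GPO the asker found (true unless that domain link is Enforced). The group and GPO names are illustrative.

```powershell
# Added example: staggered WSUS patching of DCs via two OU-linked GPOs with security filtering.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$WsusUrl  = 'https://wsus.corp.example:8531'   # assumed WSUS server; replace with yours
$DomainDn = (Get-ADDomain).DistinguishedName
$DcOu     = "OU=Domain Controllers,$DomainDn"

# Two waves: A patches Saturday 03:00, B patches Sunday 03:00, so half the DCs
# are never rebooting at the same time. ScheduledInstallDay: 1 = Sunday ... 7 = Saturday.
$Waves = @(
    @{ Group = 'DC-Patch-Wave-A'; Gpo = 'WSUS - DCs wave A (Sat 03:00)'; Day = 7 },
    @{ Group = 'DC-Patch-Wave-B'; Gpo = 'WSUS - DCs wave B (Sun 03:00)'; Day = 1 }
)

# Put every DC into a wave group, alternating, so each wave holds half of them.
$Dcs = Get-ADDomainController -Filter * | Sort-Object Name
for ($i = 0; $i -lt $Dcs.Count; $i++) {
    $wave = $Waves[$i % 2]
    if (-not (Get-ADGroup -Filter "Name -eq '$($wave.Group)'")) {
        New-ADGroup -Name $wave.Group -GroupScope Global -GroupCategory Security | Out-Null
    }
    Add-ADGroupMember -Identity $wave.Group -Members $Dcs[$i].ComputerObjectDN
}

$wu = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

foreach ($wave in $Waves) {
    $gpo = Get-GPO -Name $wave.Gpo -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $wave.Gpo }
    $n = $gpo.DisplayName

    # Point the DCs at WSUS rather than Microsoft Update.
    Set-GPRegistryValue -Name $n -Key $wu -ValueName 'WUServer'       -Type String -Value $WsusUrl | Out-Null
    Set-GPRegistryValue -Name $n -Key $wu -ValueName 'WUStatusServer' -Type String -Value $WsusUrl | Out-Null
    Set-GPRegistryValue -Name $n -Key $au -ValueName 'UseWUServer'    -Type DWord  -Value 1       | Out-Null

    # "Configure Automatic Updates" = Enabled, option 4 (auto download and schedule install)
    # on this wave's day at 03:00. NoAutoUpdate=0 overrides the domain-level Disabled setting.
    Set-GPRegistryValue -Name $n -Key $au -ValueName 'NoAutoUpdate'         -Type DWord -Value 0         | Out-Null
    Set-GPRegistryValue -Name $n -Key $au -ValueName 'AUOptions'            -Type DWord -Value 4         | Out-Null
    Set-GPRegistryValue -Name $n -Key $au -ValueName 'ScheduledInstallDay'  -Type DWord -Value $wave.Day | Out-Null
    Set-GPRegistryValue -Name $n -Key $au -ValueName 'ScheduledInstallTime' -Type DWord -Value 3         | Out-Null

    # Reboot 15 minutes after the scheduled install (2012 R2 policy; 15 is the minimum).
    Set-GPRegistryValue -Name $n -Key $au -ValueName 'AlwaysAutoRebootAtScheduledTime'        -Type DWord -Value 1  | Out-Null
    Set-GPRegistryValue -Name $n -Key $au -ValueName 'AlwaysAutoRebootAtScheduledTimeMinutes' -Type DWord -Value 15 | Out-Null

    # Security filtering: Authenticated Users keeps Read only (computers must still read the
    # GPO); only members of this wave's group get Apply.
    Set-GPPermission -Name $n -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $n -TargetName $wave.Group -TargetType Group -PermissionLevel GpoApply | Out-Null

    # Link at the Domain Controllers OU. DC objects never move; the filter decides who applies it.
    if (-not ((Get-GPInheritance -Target $DcOu).GpoLinks.DisplayName -contains $n)) {
        New-GPLink -Name $n -Target $DcOu -LinkEnabled Yes | Out-Null
    }
}

# Check: after a gpupdate (or the next refresh) each DC should report NoAutoUpdate=0,
# AUOptions=4 and the day of its wave. NoAutoUpdate=1 means the domain-level
# "Disabled" GPO is still winning (for example, because that link is Enforced).
$report = Invoke-Command -ComputerName $Dcs.HostName -ScriptBlock {
    $p = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC           = $env:COMPUTERNAME
        NoAutoUpdate = $p.NoAutoUpdate
        AUOptions    = $p.AUOptions
        InstallDay   = $p.ScheduledInstallDay
        InstallHour  = $p.ScheduledInstallTime
    }
}
$report | Sort-Object DC | Format-Table -AutoSize
```

Group membership is evaluated at logon, so a newly added DC picks up its wave GPO only after a reboot or a refreshed Kerberos ticket; the final report is the check that the OU-linked GPO really overrode the domain-level one before the first scheduled weekend. The same filtering approach works with the asker's existing "Windows 2012 R2" GPO if only one wave is wanted.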
