Solved

Best practices to update DC's from WSUS

Posted on 2014-10-20
5
520 Views
Last Modified: 2016-02-20
I'm looking for standard best practices for updating Windows 2008 R2 and 2012 R2 domain controllers using WSUS. We have a dedicated WSUS VM server, so we are not installing WSUS on a DC. So far, as a best practice, we are staggering the WSUS updating to our DC's to once a week, on the weekend in at 3:00am, with a reboot 15 minutes after update install.

Are there any other best practices that should be followed? Such as, not installing updates to DC's through WSUS at all, instead, update manually? Etc., etc.
0
Comment
Question by:nurturer69
  • 2
  • 2
5 Comments
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40392610
i would update manually unless you have a large environment where domain controllers are not in the same OU
if they are all in the same OU, do it manually since using a GPO would cause them all to update at the same time then you have issue if they are all in the reboot process
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40392626
DC should be updated as soon as patches are out, if security matters.
They should not be updated at the same time, correct. And if you don't trust the update process, update them on different days (one half immediately, the other half on the next day). I see no reasons to update manually.
0
 

Author Comment

by:nurturer69
ID: 40392793
The plan was to move the DC's one per week, from a Critical Servers management group (which was not configured to receive updates) to the Windows 2012 R2 management group, which was configured via GPO to receive updates. A simple right-click, left-click step to move one DC a week. Then, return the DC back to it's benign Critical Servers group after the update had completed the following Monday morning.
0
 

Author Comment

by:nurturer69
ID: 40392812
I forgot to mention, that in the Group Policy Management Editor of each DC, I found a GPO configured at the top of the AD tree attached to the domain name with "Configure Automatic Updates" disabled. As the description reads: "Specifies whether THIS computer will receive security updates and other important downloads through the Windows automatic updating service."

So, I believe this GPO was created to prevent WSUS from updating the DC's, hence the grayed out portion of the "Never check for updates (Not recommended)" being grayed out.

I'm also for updating the DC's via WSUS in a staggered fashion, but I wanted to see if there was a preferred best method amongst the experts.
0
 
LVL 54

Accepted Solution

by:
McKnife earned 500 total points
ID: 40392816
You don't move objects around. Use security filtering instead.
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Know what services you can and cannot, should and should not combine on your server.
OfficeMate Freezes on login or does not load after login credentials are input.
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question