Need some insights before I attempt this as it is a little nerve racking. We have two physical domain controllers (I built one of them) in an AD environment (total servers - physical and virtual - about 27) and have the FSMO roles distributed across them. The two DC's are backed up successfully and right now everything (DCDIAG) is running smoothly between them. The 2nd DC also hasn't been patched for a while, mainly to not let it get ahead too far in terms of updates and other out-of-scope reasons. Suffice to say these two DC's need to be patched as best practice. DC1 is 2008 R2 ENT, DC2 is 2008 R2 STD with SP1. I noticed that the updates (MS Baseline Security Analyzer Report) does not show SP1 for DC1 yet so I suspect that it needs more updates than are reported and that these will show up after the missing one's are installed including SP1. Most of the missing updates are security related, as well as updates for Server 2008 x64 edition. However, I am also seeing some .net 3.5.1 security updates and rules update for AD best practice analyzer, kernel and user mode framework 1.11 drivers, ie9 (eventually ie10/11) malicious removal tool, etc. I was going to backup the server (including system state) and then patch it (security first - reboot, server updates - reboot, other items). After doing so (and assuming I don't blow it up) I was going to run DCDIAG etc. to make sure that the two DC's and AD still talk. I was then going to do the same with DC2 the next day so as to avoid the two being out of sync too long, followed by another round of verification and system health checks. Greatly appreciate any/all insights at this point on how to handle this without losing a DC, messing up AD and having a stroke. LOL! I can list the KB's if needed. MANY, many thanks in advance to all you server guru's out there.