0

We have been using an AD on 2003 server, and recently installed 2008 DC.

As part of the transition, I need to stop our 2003 server that was running our WSUS application (it wasn't the DC).

Currently I have a 2008 R2 DC (pretty standard DHCP/DNS/AD) and another 2008 server that runs management and utilites applications.

I need to install WSUS and my question is: Where/what would be the best option?

  • Should I add WSUS role to my DC 2008?
  • Or should I run WSUS on the alternate NON DC 2008?
Saariko
  • 1,791
  • 13
  • 45
  • 73

1 Answers1

4

Non DC.

Only a DC should be used as a domain controller, nothing else should be installed on it. It reduces attack surfaces for programs that might be vunerable, reduces the risk of a bugged update for the program taking down your DC and WSUS can take up a lot of space depending on what updates you have selected. Best practices or not, I would never install any extra roles onto a DC. ADDS, DNS and DHCP, that's it.

tombull89
  • 2,958
  • 8
  • 39
  • 52
  • Remember that since WSUS does take up a lot of space, you want to size the storage for this server appropriately. If you are running virtual machines, WSUS is sometimes better left on a physical box (it certainly doesn't have to be physical, however). – Jeremy May 17 '12 at 21:33