WSUS as a standalone server or inclusive with DC?

LAH3385

After reading Microsoft update KB3159398 thread I wonder if WSUS should be a run on its own server or included in other server/DC?

Right now we have WSUS running on a physical server, and we want to virtualized as well as upgrade all our servers from 2007/2008R2 to 2012R2. I have already virtualized DC (DNS,DHCP, ADDC) and wonder if I should include WSUS with it or create a separate VM for it.

Our current WSUS is running on Windows Server Enterprise (2007 SP2). Once we install new WSUS and configure GPO to point to this new WSUS...is that all?

Any thoughts or tips are greatly appreciated

coliver

Standalone virtual machine. The DC should be only the DC, although in the past I did put DHCP and DNS on it.

Dashrender

@LAH3385 said in WSUS as a standalone server or inclusive with DC?:

Our current WSUS is running on Windows Server Enterprise (2007 SP2). Once we install new WSUS and configure GPO to point to this new WSUS...is that all?

There's no such thing.

Dashrender

@coliver said in WSUS as a standalone server or inclusive with DC?:

Standalone virtual machine. The DC should be only the DC, although in the past I did put DHCP and DNS on it.

I like this idea, but licensing costs sometimes makes this impractical. Yep good ol' Windows Server Tax.

coliver

@Dashrender said in WSUS as a standalone server or inclusive with DC?:

@coliver said in WSUS as a standalone server or inclusive with DC?:

Standalone virtual machine. The DC should be only the DC, although in the past I did put DHCP and DNS on it.

I like this idea, but licensing costs sometimes makes this impractical. Yep good ol' Windows Server Tax.

So don't use Windows for DHCP and DNS? That would solve that issue.

Dashrender

@coliver said in WSUS as a standalone server or inclusive with DC?:

@Dashrender said in WSUS as a standalone server or inclusive with DC?:

@coliver said in WSUS as a standalone server or inclusive with DC?:

Standalone virtual machine. The DC should be only the DC, although in the past I did put DHCP and DNS on it.

I like this idea, but licensing costs sometimes makes this impractical. Yep good ol' Windows Server Tax.

So don't use Windows for DHCP and DNS? That would solve that issue.

Is that really an option? at least one wants to explore in an all Windows shop?

My shop of 88 users, 110 PCs I have DHCP and DNS on my DC. WSUS is on it's own VM, and File and print on a third. This requires two Windows Server licenses and leaves me with a fourth VM I could use for something else. But if I had needed/wanted to save the 800+ on the second Windows server I could have put WSUS on either the AD server or the File/print server.

coliver

@Dashrender said in WSUS as a standalone server or inclusive with DC?:

@coliver said in WSUS as a standalone server or inclusive with DC?:

@Dashrender said in WSUS as a standalone server or inclusive with DC?:

@coliver said in WSUS as a standalone server or inclusive with DC?:

Standalone virtual machine. The DC should be only the DC, although in the past I did put DHCP and DNS on it.

I like this idea, but licensing costs sometimes makes this impractical. Yep good ol' Windows Server Tax.

So don't use Windows for DHCP and DNS? That would solve that issue.

Is that really an option? at least one wants to explore in an all Windows shop?

My shop of 88 users, 110 PCs I have DHCP and DNS on my DC. WSUS is on it's own VM, and File and print on a third. This requires two Windows Server licenses and leaves me with a fourth VM I could use for something else. But if I had needed/wanted to save the 800+ on the second Windows server I could have put WSUS on either the AD server or the File/print server.

Sure you could, but you are losing some of the advantages of virtualization while making your infrastructure less resilient. You said it earlier though. If you're a Windows shop you've already dedicated yourself to paying the Windows tax.

Dashrender

how are you loosing the advantages of VMing? and how is the infrastructure less resilient? Is putting WSUS somehow reducing the one DC I have to less resilience? or any of my other already SPOF VMs?

coliver

@Dashrender said in WSUS as a standalone server or inclusive with DC?:

how are you loosing the advantages of VMing? and how is the infrastructure less resilient? Is putting WSUS somehow reducing the one DC I have to less resilience? or any of my other already SPOF VMs?

You run into the issue if one service crashes you are going to need to bring down your DC or file server to get it working again. That may not be a big deal but it makes those systems less resilient as they now rely on a second service to be as reliable as they are. I'm not saying WSUS is fragile just that have more then one service on those systems increases how fragile they are overall. The $800 saving may be worth the risk that's something each company would have to figure out.

Dashrender

aww OK good point. I think less critical in this situation. If WSUS breaks, you can often afford to wait until scheduled maintenance to take it down (if you really need to reboot that is), but the point is certainly valid!

Thanks

LAH3385

If only Microsoft allows 3 VMs per Hypervisor (standard license) this would save $800 and I can do just as Coliver said. For now DHCP and DNS has to stay with DC.

Thanks for all the input.

coliver

@LAH3385 said in WSUS as a standalone server or inclusive with DC?:

If only Microsoft allows 3 VMs per Hypervisor (standard license) this would save $800 and I can do just as Coliver said. For now DHCP and DNS has to stay with DC.

Thanks for all the input.

That's not a big deal. DNS and DHCP are ridiculously stable. I was thinking something like WSUS or a file server.

LAH3385

@coliver I have 2 hypervisors and 3 VMs running at the moment. DC + DNS + DHCP, File server, server for dev team (dunno what they do on there..and dont want to know). Last VM will be for WSUS.

ntoxicator

I need to spin up our WSUS server (VM) again and re-point the GPO policies..

I had issue with the workstations not taking the GPO setting, was not picking our internal WSUS server. Tried via IP address and hostname within the GPO policy setting (For both boxes). http://IP http://hostname

even tried without http:// for the setting.....

But this was probably due to going back to original issue of non unique machine GUID/SID's.

But anyways, definitely have WSUS as a separate VM instance

Dashrender

WSUS's biggest issue is that it requires huge amount of disk space.

Of the mentioned service, Printing is the one that should be separated from a DC if at all possible.

I have so rarely had issue with DNS/DHCP/File/WSUS, while when possible splitting is good, but I woudn't be bothered having any of those on a DC.

scottalanmiller

Rule of thumb is to run all workloads on discrete VMs. Do you have to always do that? Of course not, but moving in that direction is generally helpful. I would definitely try to have WSUS on its own and not on a DC if possible.

JaredBusch

@Dashrender said in WSUS as a standalone server or inclusive with DC?:

WSUS's biggest issue is that it requires huge amount of disk space.

Of the mentioned service, Printing is the one that should be separated from a DC if at all possible.

I have so rarely had issue with DNS/DHCP/File/WSUS, while when possible splitting is good, but I woudn't be bothered having any of those on a DC.

WSUS does not have to require disk space. You can have all the control of WSUS and still tell the machines to get the updates fro MS. That is how I run it. With the new Windows 10 settings, I also have the clients allowed to get updates form other computer on the local network.

Dashrender

@JaredBusch said in WSUS as a standalone server or inclusive with DC?:

@Dashrender said in WSUS as a standalone server or inclusive with DC?:

WSUS's biggest issue is that it requires huge amount of disk space.

Of the mentioned service, Printing is the one that should be separated from a DC if at all possible.

I have so rarely had issue with DNS/DHCP/File/WSUS, while when possible splitting is good, but I woudn't be bothered having any of those on a DC.

WSUS does not have to require disk space. You can have all the control of WSUS and still tell the machines to get the updates fro MS. That is how I run it. With the new Windows 10 settings, I also have the clients allowed to get updates form other computer on the local network.

Now with a 100/20 pipe I wouldn't mind if the machines all get from either each other or direct from MS, but back on the 10/10 days, WSUS removed that load from the internet.