WSUS as a standalone server or inclusive with DC?
-
@Dashrender said in WSUS as a standalone server or inclusive with DC?:
How are you losing the advantages of VMing? And how is the infrastructure less resilient? Is putting WSUS somehow reducing the one DC I have to less resilience? Or any of my other already SPOF VMs?
You run into the issue that if one service crashes, you are going to need to bring down your DC or file server to get it working again. That may not be a big deal, but it makes those systems less resilient, as they now rely on a second service to be as reliable as they are. I'm not saying WSUS is fragile, just that having more than one service on those systems increases how fragile they are overall. The $800 saving may be worth the risk; that's something each company would have to figure out.
-
Aww, OK, good point. I think it's less critical in this situation. If WSUS breaks, you can often afford to wait until scheduled maintenance to take it down (if you really need to reboot, that is), but the point is certainly valid!
Thanks
-
If only Microsoft allowed 3 VMs per hypervisor (standard license), this would save $800 and I could do just as Coliver said. For now DHCP and DNS have to stay with the DC.
Thanks for all the input.
-
@LAH3385 said in WSUS as a standalone server or inclusive with DC?:
If only Microsoft allowed 3 VMs per hypervisor (standard license), this would save $800 and I could do just as Coliver said. For now DHCP and DNS have to stay with the DC.
Thanks for all the input.
That's not a big deal. DNS and DHCP are ridiculously stable. I was thinking something like WSUS or a file server.
-
@coliver I have 2 hypervisors and 3 VMs running at the moment: DC + DNS + DHCP, file server, and a server for the dev team (dunno what they do on there... and don't want to know). The last VM will be for WSUS.
-
I need to spin up our WSUS server (VM) again and re-point the GPO policies.
I had an issue with the workstations not taking the GPO setting; they were not picking up our internal WSUS server. Tried via IP address and hostname within the GPO policy setting (for both boxes): http://IP http://hostname
Even tried without http:// for the setting.
But this was probably due to going back to the original issue of non-unique machine GUIDs/SIDs.
But anyway, definitely have WSUS as a separate VM instance.
-
WSUS's biggest issue is that it requires a huge amount of disk space.
Of the mentioned services, printing is the one that should be separated from a DC if at all possible.
I have so rarely had issues with DNS/DHCP/File/WSUS. When possible, splitting is good, but I wouldn't be bothered having any of those on a DC.
-
Rule of thumb is to run all workloads on discrete VMs. Do you have to always do that? Of course not, but moving in that direction is generally helpful. I would definitely try to have WSUS on its own and not on a DC if possible.
-
@Dashrender said in WSUS as a standalone server or inclusive with DC?:
WSUS's biggest issue is that it requires a huge amount of disk space.
Of the mentioned services, printing is the one that should be separated from a DC if at all possible.
I have so rarely had issues with DNS/DHCP/File/WSUS. When possible, splitting is good, but I wouldn't be bothered having any of those on a DC.
WSUS does not have to require disk space. You can have all the control of WSUS and still tell the machines to get the updates from MS. That is how I run it. With the new Windows 10 settings, I also have the clients allowed to get updates from other computers on the local network.
-
@JaredBusch said in WSUS as a standalone server or inclusive with DC?:
@Dashrender said in WSUS as a standalone server or inclusive with DC?:
WSUS's biggest issue is that it requires a huge amount of disk space.
Of the mentioned services, printing is the one that should be separated from a DC if at all possible.
I have so rarely had issues with DNS/DHCP/File/WSUS. When possible, splitting is good, but I wouldn't be bothered having any of those on a DC.
WSUS does not have to require disk space. You can have all the control of WSUS and still tell the machines to get the updates from MS. That is how I run it. With the new Windows 10 settings, I also have the clients allowed to get updates from other computers on the local network.
Now with a 100/20 pipe I wouldn't mind if the machines all get updates from either each other or direct from MS, but back in the 10/10 days, WSUS removed that load from the internet.