    WSUS Location

    IT Discussion
    • notverypunnyN
      notverypunny @ElecEng
      last edited by notverypunny

      @eleceng said in WSUS Location:

      Should WSUS be a separate server / VM or added as a role on one of the 2 domain controllers?

      What's best practice, experience?

      Best practice is that your DC is never anything other than a DC 🙂 Realistically this is rarely possible, but I personally would never combine WSUS with a DC. Regardless of where you put it, make sure to automate the maintenance scripts from Microsoft's own care and feeding instructions.

      • dafyreD
        dafyre
        last edited by

        Like most things, WSUS should be on its own server. My experience with it was awful. It did work, but there were a lot of problems... However, that was back around Windows XP / Server 2003 times.

        • DashrenderD
          Dashrender @dafyre
          last edited by

          @dafyre I still have a WSUS server today. They still suck to manage. If there are new Microsoft recommendations on clean up etc. I guess I need to dig into those. I am using an old script from SW before the guy decided to try to make money off of it.

          • E
            ElecEng @notverypunny
            last edited by

            @notverypunny what about DNS and DHCP? Those roles are normally on DC though right?

            • dafyreD
              dafyre @ElecEng
              last edited by dafyre

              @eleceng said in WSUS Location:

              @notverypunny what about DNS and DHCP? Those roles are normally on DC though right?

              I've seen them that way a time or two, but in my current environment, it's AD+DNS on one server, and DHCP on another.

              Edit: I like the split. That way if AD goes completely tits up, your DHCP servers can still operate in some cases.

              • scottalanmillerS
                scottalanmiller @ElecEng
                last edited by

                @eleceng said in WSUS Location:

                Should WSUS be a separate server / VM or added as a role on one of the 2 domain controllers?

                What's best practice, experience?

                Best Practice says that nothing goes on a domain controller except domain specific things like DNS and DHCP. Those can be okay.

                WSUS should always be its own server, on the rare cases where WSUS makes sense.

                • scottalanmillerS
                  scottalanmiller @dafyre
                  last edited by

                  @dafyre said in WSUS Location:

                  @eleceng said in WSUS Location:

                  @notverypunny what about DNS and DHCP? Those roles are normally on DC though right?

                  I've seen them that way a time or two, but in my current environment, it's AD+DNS on one server, and DHCP on another.

                  Edit: I like the split. That way if AD goes completely tits up, your DHCP servers can still operate in some cases.

                  That's bad risk logic. Splitting because they interact poorly is one thing. Splitting to split failure domains is terrible thinking. That doubles the chances of AN outage, and they don't solve anything. It's far better to lose both at the same time and reduce total outages.

                  And AD going tits up doesn't bring down DHCP. So everything about the approach is wrong.

                  • scottalanmillerS
                    scottalanmiller @ElecEng
                    last edited by

                    @eleceng said in WSUS Location:

                    @notverypunny what about DNS and DHCP? Those roles are normally on DC though right?

                    Yes, they are intrinsically tied to AD. So it is okay to split them off for capacity reasons, if you have the horsepower to keep them together, you should. Because you have lower risk having all the required, interdependent services tied together for failures to reduce overall risk.

                    • scottalanmillerS
                      scottalanmiller @dafyre
                      last edited by

                      @dafyre said in WSUS Location:

                      Like most things, WSUS should be on its own server. My experience with it was awful. It did work, but there were a lot of problems... However, that was back around Windows XP / Server 2003 times.

                      Like most things, it should be separate. AND like most things, you should choose to deploy it with caution. I'd guess that 95% or more of WSUS deployments would do better to have never deployed it at all.

                      • dafyreD
                        dafyre @scottalanmiller
                        last edited by dafyre

                        @scottalanmiller said in WSUS Location:

                        @dafyre said in WSUS Location:

                        @eleceng said in WSUS Location:

                        @notverypunny what about DNS and DHCP? Those roles are normally on DC though right?

                        I've seen them that way a time or two, but in my current environment, it's AD+DNS on one server, and DHCP on another.

                        Edit: I like the split. That way if AD goes completely tits up, your DHCP servers can still operate in some cases.

                        That's bad risk logic. Splitting because they interact poorly is one thing.

                        Splitting to split failure domains is terrible thinking. That doubles the chances of AN outage, and they don't solve anything.

                        Why is it terrible thinking? If I have two failure domains, half keeps working and the other half is down. Yes, there's an outage, but we're not completely dead in the water.

                        NB: My current DHCP setup is configured as an HA pair, so if one goes down, we are not down at all

                        It's far better to lose both at the same time and reduce total outages.

                        Umm... Not sure I agree with you here. I'd rather not be completely dead in the water because of <insert reason for outage here>

                        And AD going tits up doesn't bring down DHCP. So everything about the approach is wrong.

                        Umm... if DHCP is running on the AD server that went tits up, then yes it does. Especially if everything is completely AD integrated.
                        NB: My current DHCP servers are not tied in to AD

                        So everything about the approach is wrong.

                        Based on personal experiences and the issues I've seen, we'll have to agree to disagree here.

                        • dafyreD
                          dafyre @scottalanmiller
                          last edited by

                          @scottalanmiller said in WSUS Location:

                          @dafyre said in WSUS Location:

                          Like most things, WSUS should be on its own server. My experience with it was awful. It did work, but there were a lot of problems... However, that was back around Windows XP / Server 2003 times.

                          Like most things, it should be separate. AND like most things, you should choose to deploy it with caution. I'd guess that 95% or more of WSUS deployments would do better to have never deployed it at all.

                          It lasted about a year at my last job. We got tired of fighting with it, lol.

                          • scottalanmillerS
                            scottalanmiller @dafyre
                            last edited by

                            @dafyre said in WSUS Location:

                            It's far better to lose both at the same time and reduce total outages.

                            Umm... Not sure I agree with you here. I'd rather not be completely dead in the water because of <insert reason for outage here>

                            DHCP doesn't fix the problem that you are imagining. You are looking at it wrong. If you need DHCP to function, then your risk of DHCP failing remains the same. The risk that AD goes down at a time that it impacts you but you are not completely dead is ADDITIONAL. Your reaction is an emotional one caused by looking at the risk solely from the AD direction and ignoring the DHCP risk on its own.

                            • scottalanmillerS
                              scottalanmiller @dafyre
                              last edited by

                              @dafyre said in WSUS Location:

                              Umm... if DHCP is running on the AD server that went tits up, then yes it does. Especially if everything is completely AD integrated.
                              NB: My current AD servers are not tied in to AD

                              So everything about the approach is wrong.

                              Based on personal experiences and the issues I've seen, we'll have to agree to disagree here.

                              It's just math. Risk math makes it so. There's nothing to agree or disagree on. There's no opinion involved. It's just "how does the risk math work."

                              • scottalanmillerS
                                scottalanmiller @dafyre
                                last edited by

                                @dafyre said in WSUS Location:

                                Splitting to split failure domains is terrible thinking. That doubles the chances of AN outage, and they don't solve anything.

                                Why is it terrible thinking? If I have two failure domains, half keeps working and the other half is down. Yes, there's an outage, but we're not completely dead in the water.

                                That's not at all correct. If DHCP fails and your IP fails, then AD fails TOO. If AD fails and DHCP does not, you still have a partial outage.

                                Your system makes ANY failure twice as likely. Half of the time it is just as bad as having them combined. The other half of the time isn't AS bad, but not good.

                                So it's that easy. Your dead in the water time is equal either way, because you have a complete DHCP dependency apparently. The other half of the time, even though you are not completely dead, is 100% unnecessary risk caused solely by having designed the system to fail unnecessarily often (by 50%.)

                                By merging the services you can dramatically reduce your overall risk with literally zero downsides.

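The "risk math" in the post above, written out as an added example (not code from any poster here). It assumes each host fails independently with probability p_fail over some period, a service stays up while any host providing it is up, and, as the thread assumes, losing DHCP counts as a complete outage. The host names and the four layouts (including the HA pairs dafyre mentions) are constructed for the comparison.

```python
from itertools import product

# Constructed model of the layouts argued over in this thread (added example).
# Assumptions: independent host failures with probability p_fail; a service is
# up while at least one of its hosts is up; losing a "critical" service (DHCP,
# since clients without addresses reach nothing) is a complete outage.

def outage_probabilities(hosts, services, p_fail, critical=("DHCP",)):
    """Enumerate every up/down combination of hosts and sum the probabilities.

    hosts:    list of host names
    services: dict service -> set of hosts able to provide it
    returns:  dict with P(any service down), P(complete outage), per-service P(down)
    """
    any_down = complete = 0.0
    per_service = {svc: 0.0 for svc in services}
    for states in product((True, False), repeat=len(hosts)):   # True = host up
        up_hosts = {h for h, ok in zip(hosts, states) if ok}
        prob = 1.0
        for ok in states:
            prob *= (1.0 - p_fail) if ok else p_fail
        down = [svc for svc, hs in services.items() if not (hs & up_hosts)]
        for svc in down:
            per_service[svc] += prob
        if down:
            any_down += prob
        if len(down) == len(services) or any(svc in critical for svc in down):
            complete += prob
    return {"any_down": any_down, "complete": complete, "per_service": per_service}

# One DC hosting AD and DHCP versus AD and DHCP on separate boxes.
COMBINED = (["dc1"], {"AD": {"dc1"}, "DHCP": {"dc1"}})
SPLIT = (["dc1", "dhcp1"], {"AD": {"dc1"}, "DHCP": {"dhcp1"}})
# The same two designs with a redundant pair for every role (an HA DHCP pair).
COMBINED_HA = (["dc1", "dc2"], {"AD": {"dc1", "dc2"}, "DHCP": {"dc1", "dc2"}})
SPLIT_HA = (["dc1", "dc2", "dhcp1", "dhcp2"],
            {"AD": {"dc1", "dc2"}, "DHCP": {"dhcp1", "dhcp2"}})

def compare(p_fail=0.01):
    """Return {layout: (P(any outage), P(complete outage))} for the four layouts."""
    layouts = {"combined": COMBINED, "split": SPLIT,
               "combined_ha": COMBINED_HA, "split_ha": SPLIT_HA}
    result = {}
    for name, (hosts, services) in layouts.items():
        r = outage_probabilities(hosts, services, p_fail)
        result[name] = (r["any_down"], r["complete"])
    return result

if __name__ == "__main__":
    for name, (any_p, complete_p) in compare().items():
        print(f"{name:12s} P(any outage)={any_p:.6f}  P(complete outage)={complete_p:.6f}")
```

With p_fail = 0.01 the complete-outage probability is the same for combined and split (0.01), while the split layout roughly doubles the chance of some outage (0.0199 vs 0.01); the HA variants show the same ratio at a lower level.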
                                • DashrenderD
                                  Dashrender @dafyre
                                  last edited by

                                  @dafyre said in WSUS Location:

                                  Umm... if DHCP is running on the AD server that went tits up, then yes it does. Especially if everything is completely AD integrated.

                                  If AD itself goes tits up, but the box stays running - DHCP will stay running

                                  NB: My current AD servers are not tied in to AD

                                  What? How are AD servers not tied to AD - unless you're talking about the physical hosts (i.e. the Hypervisor level)

                                  • dafyreD
                                    dafyre @Dashrender
                                    last edited by

                                    @dashrender said in WSUS Location:

                                    @dafyre said in WSUS Location:

                                    Umm... if DHCP is running on the AD server that went tits up, then yes it does. Especially if everything is completely AD integrated.

                                    If AD itself goes tits up, but the box stays running - DHCP will stay running

                                    NB: My current AD servers are not tied in to AD

                                    What? How are AD servers not tied to AD - unless you're talking about the physical hosts (i.e. the Hypervisor level)

                                    Argh... The typos. I'll fix it. It should be:

                                    NB: My current DHCP servers are not tied in to AD

                                    • DashrenderD
                                      Dashrender @dafyre
                                      last edited by

                                      @dafyre said in WSUS Location:

                                      @dashrender said in WSUS Location:

                                      @dafyre said in WSUS Location:

                                      Umm... if DHCP is running on the AD server that went tits up, then yes it does. Especially if everything is completely AD integrated.

                                      If AD itself goes tits up, but the box stays running - DHCP will stay running

                                      NB: My current AD servers are not tied in to AD

                                      What? How are AD servers not tied to AD - unless you're talking about the physical hosts (i.e. the Hypervisor level)

                                      Argh... The typos. I'll fix it. It should be:

                                      NB: My current DHCP servers are not tied in to AD

                                      And what do you gain from that?

                                      • DashrenderD
                                        Dashrender @scottalanmiller
                                        last edited by

                                        @scottalanmiller said in WSUS Location:

                                        @dafyre said in WSUS Location:

                                        Splitting to split failure domains is terrible thinking. That doubles the chances of AN outage, and they don't solve anything.

                                        Why is it terrible thinking? If I have two failure domains, half keeps working and the other half is down. Yes, there's an outage, but we're not completely dead in the water.

                                        That's not at all correct. If DHCP fails and your IP fails, then AD fails TOO. If AD fails and DHCP does not, you still have a partial outage.

                                        Your system makes ANY failure twice as likely. Half of the time it is just as bad as having them combined. The other half of the time isn't AS bad, but not good.

                                        So it's that easy. Your dead in the water time is equal either way, because you have a complete DHCP dependency apparently. The other half of the time, even though you are not completely dead, is 100% unnecessary risk caused solely by having designed the system to fail unnecessarily often (by 50%.)

                                        By merging the services you can dramatically reduce your overall risk with literally zero downsides.

                                        I'm really trying to understand the math here considering - two AD servers, two DHCP servers - and crazily, we'll assume one DNS server, because he never stated that he has two DNS servers.

                                        • dafyreD
                                          dafyre @Dashrender
                                          last edited by

                                          @dashrender said in WSUS Location:

                                          @scottalanmiller said in WSUS Location:

                                          @dafyre said in WSUS Location:

                                          Splitting to split failure domains is terrible thinking. That doubles the chances of AN outage, and they don't solve anything.

                                          Why is it terrible thinking? If I have two failure domains, half keeps working and the other half is down. Yes, there's an outage, but we're not completely dead in the water.

                                          That's not at all correct. If DHCP fails and your IP fails, then AD fails TOO. If AD fails and DHCP does not, you still have a partial outage.

                                          Your system makes ANY failure twice as likely. Half of the time it is just as bad as having them combined. The other half of the time isn't AS bad, but not good.

                                          So it's that easy. Your dead in the water time is equal either way, because you have a complete DHCP dependency apparently. The other half of the time, even though you are not completely dead, is 100% unnecessary risk caused solely by having designed the system to fail unnecessarily often (by 50%.)

                                          By merging the services you can dramatically reduce your overall risk with literally zero downsides.

                                          I'm really trying to understand the math here considering - two AD servers, two DHCP servers - and crazily, we'll assume one DNS server, because he never stated that he has two DNS servers.

                                          In this scenario, 2 x AD+DNS Servers, and 2 x DHCP Servers (Windows, Configured for HA)

                                          • E
                                            ElecEng @scottalanmiller
                                            last edited by

                                            @scottalanmiller SAM there are 2 DCs now (VMs) and I have to add DNS and DHCP as separate VMs or put them together.

                                            It's a very small network but needs high availability.

                                            Should DNS and DHCP have a primary and secondary VM?
