Windows Vista Tips

WSUS as a guest on DC

Hodgepodge
08-24-2009
I posted this question awhile back, but I can't seem to find my initial post.
So, let me start again.

I understand you can't install WSUS 3.0 on a Domain Controller. I'm
wondering if I could install it under a virtual member server on the same DC?

Lawrence Garvin [MVP]
08-24-2009
"Hodgepodge" <> wrote in message
news:B921135F-1D4C-495F-839C-...
>I posted this question awhile back, but I can't seem to find my initial
>post.
> So, let me start again.
>
> I understand you can't install WSUS 3.0 on a Domain Controller.


This is not a true statement. Not only can you run WSUS 3.0 on a DC, it's
actually a supported scenario.

However, my recommendation would be to *not* run WSUS (or any IIS-based
application) on a Domain Controller.


> I'm wondering if I could install it under a virtual member server on the
> same DC?


Well, yeah... but then again...

There's something you don't want to do... run Virtual Server on a Domain
Controller!

Might I suggest creating a server, install Virtual Server, create the DC as
a VM on the base server, and then, you can either install WSUS on the base
server, or in another VM.

Domain Controllers are not generally resource intensive machines. For most
organizations Domain Controllers can still be run on Pentium III hardware
with 512MB RAM. There's really no need, or benefit, and lots and lots of
risk, in making a Domain Controller anything more than a single-purpose
machine. If your only machine is the DC... then scrape up a couple hundred
bucks from petty cash and go down to your local refurb shop and buy an old
Compaq Proliant or Dell Poweredge and make that machine your DC. (For that
matter, you can run WSUS on an old Proliant and support a few hundred
users.)



--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin


Harry Johnston [MVP]
08-25-2009
Lawrence Garvin [MVP] wrote:

> Might I suggest creating a server, install Virtual Server, create the DC
> as a VM on the base server, and then, you can either install WSUS on the
> base server, or in another VM.


I wouldn't recommend the former (WSUS on the host server with the DC as a VM)
because it means that if IIS/WSUS is compromised, so is the DC (and hence the
entire domain).

Harry.

Lawrence Garvin [MVP]
08-25-2009
"Harry Johnston [MVP]" <> wrote in message
news:...
> Lawrence Garvin [MVP] wrote:
>
>> Might I suggest creating a server, install Virtual Server, create the DC
>> as a VM on the base server, and then, you can either install WSUS on the
>> base server, or in another VM.

>
> I wouldn't recommend the former (WSUS on the host server with the DC as a
> VM) because it means that if IIS/WSUS is compromised, so is the DC (and
> hence the entire domain).


Can you expand on your thought, Harry?

From my point of view, just because IIS on a *host* might be
invaded/compromised, does not necessarily imply that any or all of the VMs
residing on that host are compromised. Obviously a human with administrative
credentials has full run --- but there's *no* configuration of hosts or VMs
that can protect against that scenario. But it's really dependent on the
nature of the compromise. An attack vector specific to IIS, or even general
to web servers and/or webservices, and premised on the fact that the DC is
properly addressed and firewalled in a separate VM with appropriate
isolation on the volume containing the VHDs and appropriate ACLs on that
volume, makes it highly unlikely that the DC would be a successful victim of
such an attack, even assuming the DC is a target at all.

My primary point for recommending against this, though, has absolutely
nothing to do with *security* issues, but with the more basic functionality
of IIS/WSUS being "Broken" due to domain controller activities -- like
running 'dcpromo' -- and other issues that are commonly known to contribute
to IIS/WSUS dysfunctionality. Placing WSUS on a DC effectively means you
can never demote that DC without totally breaking your WSUS functionality;
and having to work around IIS and/or the DC, also puts strains on certain
activities of a diagnostics nature that may need to be performed on such
machines from time to time.

As to the issue of virtual machines -- to the point of *ideal*
configurations.. one would run Hyper-V Server Core as the host, and
everything would run in VMs on the Hyper-V Server Core host. But, then, we
weren't really looking for ideal scenarios here - we're trying to offer the
O.P. a solution that involves a DC and a WSUS server on one box -- an
undesirable scenario in any configuration. ;-)

However.. if I had no choice, and had to deploy both on one box... I'd
deploy WSUS on the DC before I'd ever install Virtual Server on a DC!! While
both require IIS, the latter is just an open invitation to complicating the
DC seven ways to shadyville and back! :-)


--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin


Harry Johnston [MVP]
08-26-2009
Lawrence Garvin [MVP] wrote:

>> I wouldn't recommend the former (WSUS on the host server with the DC
>> as a VM) because it means that if IIS/WSUS is compromised, so is the
>> DC (and hence the entire domain).

>
> Can you expand on your thought, Harry?
>
> From my point of view, just because IIS on a *host* might be
> invaded/compromised, does not necessarily imply that any or all of the
> VMs residing on that host are compromised. Obviously a human with
> administrative credentials has full run --- but there's *no*
> configuration of hosts or VMs that can protect against that scenario.


I'm considering the case where a compromise gives the attacker system level
access. System access on the host certainly grants system access on the guests
with minimal difficulty, but (at least in theory!) not vice versa.

A remotely exploitable vulnerability on the host that only gives a lower level
of access probably wouldn't represent a threat to the guests, unless it is
combined (perhaps at a later date) with a local vulnerability that allows
escalation to system privilege.

> My primary point for recommending against this, though, has absolutely
> nothing to do with *security* issues, but [...]


I agree with your reasoning here.

> As to the issue of virtual machines -- to the point of *ideal*
> configurations.. one would run Hyper-V Server Core as the host, and
> everything would run in VMs on the Hyper-V Server Core host.


Again, agreed. :-)

> However.. if I had no choice, and had to deploy both on one box... I'd
> deploy WSUS on the DC before I'd ever install Virtual Server on a DC!!
> While both require IIS, the latter is just an open invitation to
> complicating the DC seven ways to shadyville and back! :-)


I've never used Virtual Server - installed it once for testing, but only
briefly. So I'll have to take your word for it, though it seems odd.

If I were that short of servers, I personally wouldn't hesitate to run, for
example, VMWare Server or VirtualBox on a DC, except for security concerns. I
wouldn't worry about them breaking the DC functionality; they're just apps,
after all, at least from the OS point of view. On the other hand perhaps I'm
being naive here.

Harry.

NVVN
08-29-2009

In article <B921135F-1D4C-495F-839C->,
says...

> I understand you can't install WSUS 3.0 on a Domain Controller. I'm


You can install it, and it works, but it is not recommended if the WSUS content
folder is on the same drive as NTDS, and in case of any problem, diagnosing
and resolving it on DCs is much more difficult. Also, the internal database
and w3 consume server memory which is needed for other DC operations.


However, I have had WSUS on my DCs for almost 5 years with no
problems.

> wondering if I could install it under a virtual member serve on the same DC?


I'd recommend using another physical server and installing more than one
virtual server on it for various purposes.
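An added audit check, not part of the thread, that reports the layout NVVN warns about (WSUS content on the same volume as the NTDS database) and whether WSUS or IIS sits on a domain controller. It assumes the standard WSUS setup and NTDS Parameters registry keys and the ServerManager module (Windows Server 2008 R2 or later).

```powershell
# Added example (not from the thread): audit a server for WSUS/IIS co-located
# with a domain controller and for WSUS content sharing a volume with NTDS.
# Assumes the standard WSUS setup and NTDS Parameters registry keys and the
# ServerManager module for Get-WindowsFeature.
Import-Module ServerManager -ErrorAction SilentlyContinue

function Test-IsDomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    return ($role -ge 4)
}

function Get-WsusContentDrive {
    $key = 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'
    if (-not (Test-Path $key)) { return $null }   # WSUS not installed
    $dir = (Get-ItemProperty -Path $key -Name ContentDir -ErrorAction SilentlyContinue).ContentDir
    if ($dir) { return (Split-Path -Path $dir -Qualifier) }   # e.g. "D:"
    return $null
}

function Get-NtdsDrive {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    if (-not (Test-Path $key)) { return $null }   # not a DC
    $db = (Get-ItemProperty -Path $key -Name 'DSA Database file' -ErrorAction SilentlyContinue).'DSA Database file'
    if ($db) { return (Split-Path -Path $db -Qualifier) }
    return $null
}

$isDc      = Test-IsDomainController
$wsusDrive = Get-WsusContentDrive
$ntdsDrive = Get-NtdsDrive
$iisOn     = (Get-WindowsFeature -Name Web-Server).Installed
$findings  = @()

if ($isDc -and $wsusDrive) {
    $findings += 'WSUS is installed on a domain controller (supported, but not recommended).'
}
if ($isDc -and $iisOn -and -not $wsusDrive) {
    $findings += 'IIS is installed on a domain controller; check what it is hosting.'
}
if ($wsusDrive -and $ntdsDrive -and ($wsusDrive -eq $ntdsDrive)) {
    $findings += "WSUS content ($wsusDrive) shares a volume with the NTDS database ($ntdsDrive)."
}

if ($findings.Count -eq 0) { 'No WSUS/IIS co-location with DC roles found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```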