In my opinion, you are not being over-cautious. You certainly (ABSOLUTELY) do 
not want all your DCs patching at the same time, much less rebooting at the 
same time.

From: [email protected] [mailto:[email protected]] On 
Behalf Of Michael Leone
Sent: Wednesday, July 12, 2017 11:23 AM
To: [email protected]; Patch Management Mailing List
Subject: Re: [NTSysADM] Advice on patching Domain Controllers via WSUS

On Wed, Jul 12, 2017 at 11:05 AM, Kennedy, Jim <[email protected]> wrote:
Separate group in WSUS, download but don't install. I manually install them 
during downtime I schedule shortly after Patch Tuesday. That is how I handle 
member servers and DCs.

But, I only have 40 or so servers to do.

Yeah, we have close to 4x that. When it was only 40-50, manually installing 
patches was manageable. With our number, we have 3 staff come in and have to do 
50+ servers once a month. That's like 12 hours or so overtime (total for all 3) 
every month. So auto-installing patches would also be a cost-saving maneuver 
for us, as well.

I have groups in WSUS, and approve current month patches for just our testing 
servers, and everything up until this month for all other servers. So I would 
just add the DCs to that second group. And then use a GPO to either download or 
install, and tie it to a specific AD group.


I'm just a bit leery about having DCs auto-patch. I don't know if I am being 
over-cautious, is all ...
From: [email protected] [mailto:[email protected]] On Behalf Of Michael Leone
Sent: Wednesday, July 12, 2017 10:56 AM
To: [email protected]
Subject: [NTSysADM] Advice on patching Domain Controllers via WSUS

Our policy has been that our DCs are not patched via WSUS, like other member 
servers, but instead that we manually install the current patches from 
Microsoft Update. But now, I would like to change this, and use WSUS to patch 
all the DCs to our production levels (meaning: one month behind on released 
patches).

I don't see any downsides to this. I would create a new GPO (rather than modify 
the Default Domain Controllers Policy). I think I might still set them to 
download only, not automatically install.

Thoughts?
Should I let them auto-install, like most of my other member servers?
Is that what you others do?
Do you let your DCs get their patches via WSUS?

(the more servers I don't have to manually install patches on, the happier I 
am. We have some servers that we must do manually, for reasons I won't go into)
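
An added example, not from anyone in this thread: a PowerShell audit script that reads the Windows Update policy each DC actually received (the registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate that the WSUS GPO writes) and warns when more than one DC is set to auto-install in the same scheduled day/hour slot, which is the "all DCs rebooting at the same time" situation the reply above warns about. It assumes the ActiveDirectory module, WinRM access to every DC, and rights to read HKLM on them; the mode names are taken from the "Configure Automatic Updates" policy values, and the collision check is my own.

```powershell
# Added example (not from the thread). Audits the Windows Update policy that
# each domain controller actually received and flags DCs that would all
# auto-install at the same scheduled day/hour.
# Assumes: ActiveDirectory module, WinRM to every DC, rights to read HKLM on them.

$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# AUOptions values as used by the "Configure Automatic Updates" policy.
$modeName = @{
    2 = 'Notify before download'
    3 = 'Auto download, notify before install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose'
}

$dcs = (Get-ADDomainController -Filter *).HostName

$report = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $au = Get-ItemProperty -Path $using:auKey -ErrorAction SilentlyContinue
    $wu = Get-ItemProperty -Path $using:wuKey -ErrorAction SilentlyContinue

    # With AUOptions = 4, an unset day means "every day" (0) and an unset
    # hour means 03:00, so treat missing values as those defaults.
    $day  = if ($null -eq $au.ScheduledInstallDay)  { 0 } else { [int]$au.ScheduledInstallDay }
    $hour = if ($null -eq $au.ScheduledInstallTime) { 3 } else { [int]$au.ScheduledInstallTime }

    [pscustomobject]@{
        DC           = $env:COMPUTERNAME
        WSUS         = $wu.WUServer
        UseWSUS      = $au.UseWUServer
        NoAutoUpdate = $au.NoAutoUpdate
        AUOptions    = $au.AUOptions
        Day          = $day
        Hour         = $hour
    }
}

# Human-readable summary per DC: which WSUS server it points at and whether
# policy leaves it at "download only" or lets it install on a schedule.
$report | Select-Object DC, WSUS, UseWSUS,
    @{ n = 'Mode'; e = {
        if ($_.NoAutoUpdate -eq 1)      { 'Automatic Updates disabled' }
        elseif ($null -eq $_.AUOptions) { 'Not configured by policy' }
        else                            { $modeName[[int]$_.AUOptions] }
    } },
    Day, Hour |
    Format-Table -AutoSize

# Flag DCs that are set to auto-install (AUOptions 4) in the same slot: they
# would patch, and likely reboot, together. Day 0 means "every day".
$report | Where-Object { $_.AUOptions -eq 4 -and $_.NoAutoUpdate -ne 1 } |
    Group-Object Day, Hour |
    Where-Object Count -gt 1 |
    ForEach-Object {
        Write-Warning ('{0} are all scheduled to auto-install on day {1} at hour {2}' -f
            ($_.Group.DC -join ', '), $_.Group[0].Day, $_.Group[0].Hour)
    }
```

Run it from a management host after the new GPO has applied (or after `gpupdate` on the DCs). A DC kept at "download only" shows AUOptions 3, so it never appears in the collision warning; if you do move DCs to AUOptions 4, putting them in separate WSUS target groups or GPOs with different ScheduledInstallDay/ScheduledInstallTime values is what keeps them out of the same slot.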
