Is WSUS supported on Domain Controllers?
Oh yes – WSUS is fully supported on Domain Controllers. There are no issues with installing and running WSUS on a DC. However, you need to take note of a few things:
There are 2 known issues documented in the ReadMe for Windows Server Update Services:
Issue 10: If you install WSUS on a member server and then want to promote the member server to a domain controller, you should first uninstall WSUS
If you install WSUS on a member server and then want to promote the member server to a domain controller, you will need to take the following steps:
Promote the server to a domain controller.
Issue 11: If you want to demote a WSUS Server from a domain controller to a member server you should first uninstall WSUS
If you’re running WSUS Server on a domain controller and want to demote the domain controller to a member server, you will need to complete the following steps:
Uninstall WSUS and retain the database.
Create a user account called ASPNET.
At the command prompt, type aspnet_regiis -i.
Reinstall WSUS and use the retained database.
Last week I was having an issue with running WSUS on a new DC (turns out someone had screwed up IIS, but I didn’t know that at the time), so first thing I did was uninstall/reinstall WSUS. Soon afterward I got calls from local WSUS admins saying they were unable to authenticate to the WSUSAdmin console. I checked AD and there was an empty WSUS Administrators group in the default Users OU, and the ACLs on the folders on the WSUS servers once again had “account unknown” listed instead of WSUS Administrators. It looks like uninstalling WSUS on one domain controller removes the security group from the domain, rendering all non “domain admins” unable to use the WSUSAdmin console on any other domain controller.
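A check to run before and after uninstalling WSUS on a domain controller, given the behaviour described above. This is an added example, not part of the original post or of any Microsoft tooling: it records the membership of the WSUS Administrators group and lists ACL entries on the WSUS folders that no longer resolve to an account. It assumes the ActiveDirectory PowerShell module is available; the folder path and backup file name are placeholders to set per server.

```powershell
# Added example: check the "WSUS Administrators" group and WSUS folder ACLs.
# Assumptions: ActiveDirectory module (RSAT) is installed; the folder path
# and backup file name below are placeholders, not values from the post.
param(
    [string]   $GroupName   = 'WSUS Administrators',       # group named in the post
    [string[]] $WsusFolders = @('<PATH-TO-WSUS-FOLDER>'),  # placeholder, set per server
    [string]   $BackupFile  = '.\wsus-admins-members.txt'  # placeholder output file
)

Import-Module ActiveDirectory

# 1. Group state: missing, empty, or populated.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -Properties Members
if (-not $group) {
    Write-Warning "Group '$GroupName' was not found in the domain."
} elseif ($group.Members.Count -eq 0) {
    Write-Warning "Group '$GroupName' exists but is empty (SID $($group.SID))."
} else {
    # Save member DNs so membership can be restored if an uninstall removes it.
    $group.Members | Set-Content -Path $BackupFile
    Write-Output "Saved $($group.Members.Count) member DN(s) to $BackupFile"
}

# 2. ACL entries shown as "account unknown": Get-Acl returns the raw SID
#    string when the identity cannot be translated to an account name.
foreach ($folder in $WsusFolders) {
    if (-not (Test-Path -LiteralPath $folder)) {
        Write-Warning "Folder not found: $folder"
        continue
    }
    (Get-Acl -LiteralPath $folder).Access |
        Where-Object { $_.IdentityReference.Value -match '^S-1-' } |
        ForEach-Object {
            [pscustomobject]@{
                Folder = $folder
                Sid    = $_.IdentityReference.Value
                Rights = $_.FileSystemRights
                Type   = $_.AccessControlType
            }
        }
}
```

Running it before the uninstall gives a membership list to restore from; running it afterwards on each remaining WSUS server shows whether the group is empty and which folders carry unresolved SIDs.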