WSUS, DC and CA on same physical machine? RRS feed

  • Question

  • Hi!

    Have been playing around with WSUS as we are about to deploy that here and I had time over so I thought that I should learn a bit on how it works, how it's setup and all that.

    I have three physical machines to play with, all running WS2012R2. One is master, one runs a hyper-v and the last one I deployed as a DC, ADCS (Enterprise CA) and WSUS:

    Februaryserver: Master DC
    Marchserver: Hyper-V
    Aprilserver: DC, ADCS and WSUS

    At my last attempt I almost succeeded, but ended up with an error on the server that tried to use the WSUS Server and that was that a certificate chain was processed, but terminated in a root certificate which is not trusted by the trust provider (can post logfile if needed).

    I have now installed and uninstalled everything 3 times I think because I cant get this working and I started wondering about that maybe, just maybe, it's a bad idea to promote a single server to be a DC, ADCS and WSUS...?

    My questions are these: is there any complete guide to how to setup WSUS using SSL  - OR is there a guide to setup WSUS and NOT using SSL? Can't seem to find any appropriate information.

    This is my first attempt at trying to understand the CS role, creating certificates and what a CA/CN/CS etc is. Its also my first attempt at trying to setup a WSUS, but I actually might give up and let some third party do this for us instead, time is running out :(

    I have read and followed the following guides:


    At my first attempt I didnt pay attention to the guide which covers setting up the ADCS and the result was that the CN was incorrectly named. The second time I thought I got it right but apparently I hadn't. At my third attempt I was just playing around and trying to setup the whole WSUS without using SSL as ALL our clients are located at the same physical location as our servers.

    So... that's about it. Story of my week so far :)

    Would really appreciate any help/guidance/support/tips/whatever that might help me out here.

    Thanks in advance and have nice holiday everyone!

    Wednesday, April 30, 2014 10:35 AM

All replies

  • If you read this article, it clearly says WSUS should not be installed on DC.

    If required, DC cannot be renamed or demoted once you installed CA on DC.

    Check this documentation for configuring SSL on WSUS.


    Wednesday, April 30, 2014 10:59 AM
  • Ok, thanks for clearing that out. So, WSUS should not be installed on a DC. I suppose I should move both the DC and ADCS to one of the other servers and test again.

    The problem with the certificate will most likely remain though. If I setup ADCS on, for example, my machine called februaryserver, the CN till be februaryserver and FQDN will be februaryserver.xxx.xxx.xx, right? Other than installing the certificate as a trusted root certificate provider, is there anything else I need to do to get this to become a trusted certificate?


    Wednesday, April 30, 2014 7:37 PM