Active Directory — Monthly Windows Updates (Two-DC Setup)

Scope: Two domain controllers (DC01, DC02) replicating to each other. Routine monthly Windows Updates / security patches.

Window estimate: 2-3 hours total for both DCs.

Core principle

One DC at a time. The other stays up and serves authentication, DNS, GPO, etc. Users should see no impact.

Before the window

1. Verify baseline health

# Both DCs replicating cleanly
repadmin /replsummary

# Comprehensive DC health check
dcdiag /e /q
# (empty output = all good; anything printed = investigate)

# Services healthy on both
Invoke-Command -ComputerName DC01,DC02 -ScriptBlock {
    Get-Service NTDS, Netlogon, DNS, KDC, DFSR, W32Time |
        Where-Object Status -ne Running
}
# ^ expect empty

Any error here = stop. Fix replication before patching.

2. Note which DC holds FSMO roles

netdom query fsmo

Save the output. Patch the DC without FSMO roles first (usually the "secondary"). If all roles are on one DC, patch the other one first.

3. Pre-flight checklist

Change ticket raised if your org requires one
Backup from last 24h (System State)
20+ GB free on C: drive of each DC
On-call identified

The window

PASS 1 — Patch the secondary DC (the one without FSMO roles)

Assuming DC02 is secondary:

1. Install updates

# If you have PSWindowsUpdate module:
Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -AutoReboot

# Or trigger via built-in tool:
UsoClient ScanInstallWait
# Then reboot manually:
Restart-Computer -Force

Or via GUI: Settings → Windows Update → Install now → reboot when prompted.

2. Wait for DC02 to come back

Reboot + service startup: 5-15 min for a standard CU. Longer for big updates. Watch via OOB console if you're worried.

3. Verify DC02 health

# Services running?
Invoke-Command -ComputerName DC02 {
    Get-Service NTDS, Netlogon, DNS, KDC | Where-Object Status -ne Running
}
# ^ expect empty

# DC advertising itself?
dcdiag /s:DC02 /test:advertising

# Replicating with DC01?
repadmin /showrepl DC02

# Full health check
dcdiag /s:DC02 /q

Don't proceed to DC01 until DC02 is clean.

PASS 2 — Patch the primary DC (holds FSMO roles)

1. (Optional) Transfer FSMO roles to DC02

Only if you expect patching to take more than 30 min. For a typical monthly CU, skip this step — brief FSMO unavailability during reboot is harmless.

Move-ADDirectoryServerOperationMasterRole -Identity DC02 `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator,
                         RIDMaster, InfrastructureMaster -Confirm:$false

netdom query fsmo
# Verify all five now on DC02

2. Install updates on DC01

Same method as DC02.

3. Wait for DC01 to return

4. Verify DC01 health

Invoke-Command -ComputerName DC01 {
    Get-Service NTDS, Netlogon, DNS, KDC | Where-Object Status -ne Running
}

dcdiag /s:DC01 /q
repadmin /showrepl DC01

5. (Optional) Transfer FSMO roles back to DC01

Only if you moved them in step 1:

Move-ADDirectoryServerOperationMasterRole -Identity DC01 `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator,
                         RIDMaster, InfrastructureMaster -Confirm:$false

Many admins just leave roles wherever they landed until next maintenance — AD doesn't care which DC holds them as long as one does.

Post-window verification

# Both DCs healthy
repadmin /replsummary
dcdiag /e /q

# Force a replication cycle to be sure
repadmin /syncall /AdeP

# FSMO roles as expected
netdom query fsmo

# Quick user-facing test
nslookup -type=srv _ldap._tcp.dc._msdcs.your.domain
# Should return both DCs

# Log into a workstation, reset a password, verify it works

Quick reference — full procedure in one block

# ========== PRE-CHECK ==========
repadmin /replsummary
dcdiag /e /q
netdom query fsmo

# ========== PATCH DC02 (secondary) ==========
# On DC02:
Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -AutoReboot
# Wait for reboot and service startup (5-15 min)

# Verify DC02:
dcdiag /s:DC02 /q
repadmin /showrepl DC02

# ========== PATCH DC01 (primary) ==========
# On DC01:
Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -AutoReboot
# Wait for reboot and service startup

# Verify DC01:
dcdiag /s:DC01 /q
repadmin /showrepl DC01

# ========== POST-CHECK ==========
repadmin /replsummary
repadmin /syncall /AdeP
dcdiag /e /q

Common issues

Symptom	Cause / fix
DC stuck on "Getting Windows ready" after reboot	Normal for big CUs — wait 20-30 min
`repadmin` shows replication errors after patching	Wait 15 min then re-check; if persists, `repadmin /syncall /AdeP`
NTDS service won't start	Check Directory Service event log, usually points at the cause
DNS service failed to start	DNS depends on Netlogon; if Netlogon started late, restart DNS
Users report slow logons post-patch	Time drift — check `w32tm /query /status` on PDC

Things NOT to do

Don't patch both DCs simultaneously. Ever. Even for a "quick" Defender definition update via GPO.
Don't hard-reboot a DC unless graceful shutdown hung for 15+ min.
Don't snapshot a running DC VM as backup — leads to USN rollback if reverted. Use System State backups or shut the VM down before snapshotting.
Don't skip the health check between DCs. Patching DC01 when DC02 came back broken is how you end up with no working DCs.