ActiveDirectoryServer and WSUSServer in one Server

Solution 1:

Don't. Applications other than AD DS + DNS + file server increase the attack surface. Also, an update management database is managed quite a bit differently from AD DS, in terms of deployment, maintenance, and capacity planning.

You would want a very good reason to override host level isolation here, and you have not provided one.

Compliance checklists say the security reason, if you want to cite something. STIG, for example: "Windows Server domain controllers must run on a machine dedicated to that function."

"Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or database server applications usually require the addition of many programs and accounts, increasing the attack surface of the computer."

Solution 2:

Technically, yes, you can do that.

But you really should not.

A Domain Controller should do that and only that (and DNS of course).

Additional technical detail: WSUS needs IIS, which means running a web server on the machine; definitely something to avoid on a DC.

BTW, if you only have one DC, please create another one. Running a single DC is the biggest single point of failure you can create on Windows.

If you are resource constrained, install Hyper-V on the system and create virtual machines for each service. It's still not fail-safe (if the server breaks down you are screwed), but at least it's a lot cleaner. And if something goes wrong you can simply reinstall Windows (or use a different physical server) and restart the VMs. Make sure to take backups.
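Both answers come down to one check a defender can automate: is this domain controller running anything besides AD DS, DNS and file services, and in particular IIS or WSUS? The script below is an added audit example, not code from either answer; it assumes Windows Server with the ServerManager module, an elevated session, and treats the allowed-role list as an assumption drawn from the answers above.

```powershell
# Added audit example (not from the original answers).
# Assumptions: Windows Server, ServerManager module available, run elevated.
# The allowed set below is an assumption based on the answers: AD DS, DNS, file server.
$allowedRoles = @(
    'AD-Domain-Services', 'DNS',
    'FileAndStorage-Services', 'File-Services', 'Storage-Services', 'FS-FileServer'
)

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
$domainRole = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($domainRole -lt 4) {
    Write-Output 'This host is not a domain controller; dedicated-DC check does not apply.'
    return
}

# Everything currently installed, then split into two findings:
#  1. any top-level Role outside the allowed set (Hyper-V, Web-Server, UpdateServices, ...)
#  2. the two components the answers call out explicitly: IIS (Web-Server) and WSUS (UpdateServices)
$installed  = Get-WindowsFeature | Where-Object { $_.Installed }
$extraRoles = $installed | Where-Object {
    $_.FeatureType -eq 'Role' -and $allowedRoles -notcontains $_.Name
}
$flagged = $installed | Where-Object { $_.Name -in @('Web-Server', 'UpdateServices') }

if ($extraRoles) {
    Write-Output 'Roles installed on this DC beyond AD DS / DNS / file server:'
    $extraRoles | Select-Object Name, DisplayName | Format-Table -AutoSize
}
if ($flagged) {
    Write-Output 'IIS and/or WSUS components present on a domain controller (STIG: DC must be dedicated):'
    $flagged | Select-Object Name, DisplayName | Format-Table -AutoSize
}
if (-not $extraRoles -and -not $flagged) {
    Write-Output 'Only AD DS, DNS and file-server roles are installed on this DC.'
}
```

Run it on each DC (or via Invoke-Command against the DC list) as a recurring compliance check; a non-empty second finding is exactly the WSUS-on-DC configuration the question asked about.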